Create a strong password that respects user configuration if no password is given.
After PR #29859, when creating a new user in the administration user menu, if no password is entered, a 32-character usercode is created. It contains a mix of uppercase/lowercase and/or numbers.
This does not respect what may have been defined in the password user configuration:
In the user's configuration, define password options so that:
In administration, create a new user leaving password and confirm password fields empty.
Check the user creation email.
A new user has been created with a 32-character password. It contains a mix of uppercase/lowercase and/or numbers.
A new user has been created with a 12-character password. It contains a mix of uppercase/lowercase, numbers and special characters, as defined in the configuration.
No documentation changes for docs.joomla.org needed
No documentation changes for manual.joomla.org needed
Status | New | ⇒ | Pending
Category | ⇒ | Libraries
Labels | Added: PR-5.2-dev
Hi Brian,
Is it weaker because of its length or because of the way I created it?
Nothing to do with your code per se.
Before this PR, out of the box we get a 32 character password generated.
With this PR, out of the box we get a 12 character password generated.
It's a user choice.
I have length = 12 in my configuration for testing purposes, to make sure it respects what I've defined.
My 2c: any password created in this way is sent in a simple email, so if I was to make a change to this I would enforce the password reset functionality on login for all passwords created this way.
The minimum length parameter means that if a User wants to change his/her password, that User has to respect this minimum length.
As such, creating by default a 32 character password is not contradictory with this minimum length: 32 respects ">12".
But indeed, I understand @conseilgouz (and the people in the community who first reported this issue on some Joomla forum): if a User is allowed to use a 12 character password, it would be consistent that the default password also has 12 characters (otherwise the real end-users of a website will never understand that they get a password which is almost three times as long as "is required").
You and I do use a password manager anyway and we don't care about 12, 32 or even 497 characters.
But in real life, this PR by @conseilgouz makes sense.
rand() is not cryptographically secure. I don't think it should be used in password generation.
See the manual: https://www.php.net/manual/en/function.rand.php
I agree with Brian, it is better to generate a 32 character password by default... (in today's processing power, 12 character passwords are not secure enough anyway...) and if a user receives a 32 character password, he would more likely think it's good that Joomla generates a long, strong password. As for AkameOuO's comment, it would be good to switch to the recommended Random\Randomizer, which may be used with the Random\Engine\Secure engine.
Thank you for your comments.
I replaced the rand() function with a new function genRandomChar, based on the genRandomPassword function.
As stated by Brian, if empty, the created password is sent to the new user by email.
The purpose of this PR is to make sure the new password fulfills site owner's requirements in terms of minimum size, uppercase, lowercase, number and symbol, as it will be shown to new users.
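A generator of the kind this thread is discussing, written as an added example (it is not the PR's genRandomChar nor Joomla's genRandomPassword): it draws characters from Random\Randomizer with the Random\Engine\Secure engine suggested above instead of rand(), fills the configured minimums for uppercase, lowercase, digits and symbols first, then pads to the configured length and shuffles. The parameter names and the symbol alphabet are assumptions; the Random extension needs PHP 8.2 or later.

```php
<?php
declare(strict_types=1);

use Random\Engine\Secure;
use Random\Randomizer;

// Hypothetical parameter names standing in for the site's password configuration
// (minimum length and per-class minimums); they are not Joomla's option keys.
function generatePolicyPassword(int $length, int $minUpper, int $minLower, int $minDigits, int $minSymbols): string
{
    $classes = [
        'upper'  => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'lower'  => 'abcdefghijklmnopqrstuvwxyz',
        'digit'  => '0123456789',
        'symbol' => '!@#$%^&*()-_=+[]{};:,.?',   // assumed symbol set
    ];
    $required = ['upper' => $minUpper, 'lower' => $minLower, 'digit' => $minDigits, 'symbol' => $minSymbols];
    $needed   = array_sum($required);
    if ($length < $needed) {
        throw new InvalidArgumentException("length $length cannot hold $needed required characters");
    }

    // CSPRNG-backed randomizer, as recommended instead of rand().
    $rng   = new Randomizer(new Secure());
    $chars = [];
    foreach ($required as $class => $count) {
        for ($i = 0; $i < $count; $i++) {
            $chars[] = pickChar($rng, $classes[$class]);
        }
    }
    $all = implode('', $classes);
    while (count($chars) < $length) {
        $chars[] = pickChar($rng, $all);
    }
    // Shuffle so the mandatory characters are not clustered at the start.
    return implode('', $rng->shuffleArray($chars));
}

function pickChar(Randomizer $rng, string $alphabet): string
{
    return $alphabet[$rng->getInt(0, strlen($alphabet) - 1)];
}

// Independent check of the same policy, usable before the password is emailed.
function passwordMeetsPolicy(string $pw, int $length, int $minUpper, int $minLower, int $minDigits, int $minSymbols): bool
{
    return strlen($pw) >= $length
        && preg_match_all('/[A-Z]/', $pw) >= $minUpper
        && preg_match_all('/[a-z]/', $pw) >= $minLower
        && preg_match_all('/[0-9]/', $pw) >= $minDigits
        && preg_match_all('/[^A-Za-z0-9]/', $pw) >= $minSymbols;
}

$pw = generatePolicyPassword(12, 1, 1, 1, 1);
var_dump($pw, passwordMeetsPolicy($pw, 12, 1, 1, 1, 1));
```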
For the reasons previously stated I do not agree with this PR
Status | Pending | ⇒ | Closed
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-03-27 08:51:16
Closed_By | ⇒ | conseilgouz
@conseilgouz - while part of this PR may not be good, how about a PR for just upgrading the seeding process to use something better than the rand() function, by a new function genRandomChar based on the genRandomPassword function, like you proposed?
That would be positive for everyone right?
To make everybody happy, I propose a new parameter, "length of default password" (or call it whatever is best).
It can be 32 by default, but at least people can decide to make it coherent with, for example, the minimum length.
The code works but out of the box it generates a weaker password than it does currently. Is that really what we want?