From ace5624508b80828b3ced337fed15553cd70836e Mon Sep 17 00:00:00 2001
From: David Goodwin
Date: Sun, 1 Jun 2025 15:42:09 +0100
Subject: [PATCH] change generate_password() to allow for repeated characaters, which probably provides more entropy.
---
 functions.inc.php | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/functions.inc.php b/functions.inc.php
index fa2f73ea..99aff1bc 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -882,24 +882,19 @@ function encode_header($string, $default_charset = "utf-8")
 * Generate a random password of $length characters.
 * @param int $length (optional, default: 12)
 * @return string
- *
 */
-function generate_password($length = 12)
+function generate_password(int $length = 12): string
 {
- // define possible characters
 $possible = "2345678923456789abcdefghijkmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ"; # skip 0 and 1 to avoid confusion with O and l
 // add random characters to $password until $length is reached
 $password = "";
- while (strlen($password) < $length) {
- $random = random_int(0, strlen($possible) - 1);
- $char = substr($possible, $random, 1);
- // we don't want this character if it's already in the password
- if (!strstr($password, $char)) {
- $password .= $char;
- }
+ // note this allows for repeated characters (better entropy)
+ for ($i = 0; $i < $length; $i++) {
+ $random = random_int(0, strlen($possible) - 1);
+ $password .= substr($possible, $random, 1);
 }
 return $password;
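Review bot: `generate_password()` still returns an empty string when `$length` is zero or negative, because the new `for` loop never runs and nothing rejects the value even though the parameter is now typed `int`; a guard at the top of the body such as `if ($length < 1) { throw new InvalidArgumentException('password length must be at least 1'); }` would keep a misconfigured caller from silently receiving a blank password (callers are not visible here, so confirm none rely on the empty result). Separately, `$possible` lists `23456789` twice, so each digit is drawn twice as often as each letter and the per-character entropy sits slightly below what the distinct symbol set could give. If that weighting is deliberate it deserves a comment next to the existing `# skip 0 and 1` remark; otherwise the duplicate run can be dropped. The function's closing brace lies outside the hunk.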