Improve likelihood that genpass_password will include all character classes in the password

Here is the patch. Please review.

+++ b/genpass.module
@@ -13,7 +13,7 @@ define('GENPASS_DISPLAY_BOTH', 3);
+  return 'abcdefghjkmnpqrstuvwxyz"ABCDEFGHJKLMNPQRSTUVWXYZ"23456789"!#$%&()*+,-./:;<=>?@[]^_{|}~';

This will generate passwords that are more likely to have '"' than other characters.

+++ b/genpass.module
@@ -35,21 +35,27 @@ function genpass_generate() {
+ $each_type_allowable_character = explode('"', $allowable_characters);

This may not work if $allowable_characters came from the 'genpass_entropy' variable instead of _GENPASS_REQUIRED_entropy().

+++ b/genpass.module
@@ -35,21 +35,27 @@ function genpass_generate() {
+ if(count($each_type_allowable_character) == 4) {

What if you want a password to have 3 different types of characters?

This also ensures that one character of each type is at the beginning of the string. In an 8 character password, it'd be really easy to guess the first half of the password.

Adding to the conversation by noting that we are still having this issue where our policy is to have at least one digit in the pw, but the password is often generated without a digit thus throwing an error. Was there ever any solution for this, or approved patch committed?

This seems like a solid improvement to the module for sites that have a password policy.

The issue #1811780: Update genpass_password to include best elements of Drupal 7 user_password could affect this work (or be included here).

There's a new 7.x-2.x branch of genpass at https://www.drupal.org/project/genpass/releases/7.x-2.x-dev which is a bit different strategy. I hope people will try it out on a dev or test site and provide feedback in #2975168: Genpass 7.x-2.x.

One major change in the 7.x-2.x branch is that it does a better job of generating strong passwords that always have 1 upper case letter, 1 lower case letter, 1 number, 1 "special" character, and a larger number of total characters. If there are any bugs in that version, please file issues for it :) Perhaps if it works well we could deprecate 7.x-1.x and encourage people to ugprade?

Doesn't changing password generation in this way actually make passwords weaker by reducing the number of possible passwords that can be generated?

@solideogloria - I can see how the title of this issue might make you think that, but the code implementation looks to me like it will result in more entropy in the password (more characters to choose from) in addition to reducing entropy due to reducing the possible combinations/permutations by forcing the presence of

There are 2 very important problems to solve before a patch with this goal gets committed.

1.It doesn't increase the length of the generated password nearly enough. It should be 12 or more characters as well which more than offsets any reduction in entropy from requiring character types.

2. It uses mt_rand which was removed in this security issue.

Used the method from 2.0.x branch to always generate password with at least one character from each set.

Added genpass.api.php too; the existing hook_password was not present, and this added hook_genpass_character_sets_alter.