make the used random source configurable

The most critical part of a password-generator is the source of randomness. The ComputerPasswordGenerator however uses mt_rand which "should not be used for cryptographic purposes" (PHP manual).

Please consider to use a service for the randomness provider and make this service configurable. I'm afraid however that this would break backwards compatibility.

[hackzilla]

This is a good point. I was hoping mt_rand was good enough as the attacker would have to know which server was generating the passwords.

That said it'll be easier enough to inject a class to handle randomness, and fallback to mt_rand. Then that wouldn't break backwards compatibility.

[hackzilla]

I've added a "caution" to the project readme, and allow a source of randomness into the library.

In PHP7 they are saying random_int can be used, which I have included in the project, however until then, I'll have to leave the default as mt_rand.