PHP: Generate a secure random password.

This is a tutorial on how to generate a secure random password using PHP. To do this, we will use PHP’s random_int function.

Let’s jump right in and take a look at the following function:

The custom PHP function above will generate a random string and return it. All you have to do is specify the length of the string by passing in the $length parameter.

This kind of function is especially useful for creating one-time passwords (OTPs) or password-reset tokens. You can also use it to suggest a new secure password to a user.

Inside of our function:

  • We created a string of all the characters that our function can use while generating the password. This is our “keyspace”. By default, I have set this to 0-9, a-z, A-Z and a few special characters at the end. However, you can modify this list to suit your own needs by adding or removing characters from the string.
  • Using the mb_strlen function, we calculated the index of the last character in the string. We subtracted one from the size because indexes always start at 0. (Because the keyspace contains only single-byte ASCII characters, this count equals the byte length, which is what the string index in the next step uses.)
  • We then created a foreach loop. The number of iterations that this loop does will match the number that was specified in the $length parameter.
  • Inside this loop, we select a random character from our “keyspace” string by using the PHP function random_int. Note that this works because characters in a PHP string can be accessed via their index / position, much like you would access an array element.
  • Finally, we return our randomly-generated password.

Why did you use random_int instead of rand or mt_rand?

One of the reasons that I wrote this tutorial is because I came across a number of similar guides that recommended the use of functions such as rand or mt_rand. This made me wince, as they are essentially polluting “the PHP sphere” with insecure code when there are secure and easy-to-use alternatives out there.

You see, the problem with rand and mt_rand is that they are not cryptographically secure: their output is determined by a small seed and can be reproduced or predicted from earlier outputs. This means that they should never ever be used for anything relating to passwords or security tokens.

In fact, if you look at the PHP manual page for mt_rand, you will see that developers are explicitly warned not to use the function for cryptographic purposes.
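To make the warning concrete, here is an added example (not code from the tutorial) that shows the property that rules mt_rand out: seeding it with the same value reproduces the same sequence, whereas random_int has no seed to reproduce and draws from the operating system's CSPRNG. The seed value and the value range are constructed for the demonstration.

```php
<?php
// Added example: mt_rand() output is fully determined by its seed, so it is
// reproducible; random_int() is not. Requires PHP 7+ (or random_compat).

declare(strict_types=1);

/** Draw $count values from mt_rand() after seeding with $seed. */
function mt_sequence(int $seed, int $count): array
{
    mt_srand($seed);
    $out = [];
    for ($i = 0; $i < $count; ++$i) {
        $out[] = mt_rand(0, 999999);
    }
    return $out;
}

/** Draw $count values from random_int(); there is nothing to seed. */
function csprng_sequence(int $count): array
{
    $out = [];
    for ($i = 0; $i < $count; ++$i) {
        $out[] = random_int(0, 999999);
    }
    return $out;
}

// Constructed seed value. A real application normally seeds mt_rand()
// implicitly, but the seed is still a single 32-bit integer, which is far
// too small a secret for anything security-related.
$seed = 20240101;
$a = mt_sequence($seed, 5);
$b = mt_sequence($seed, 5);
echo 'mt_rand sequences identical after reseeding: ', var_export($a === $b, true), PHP_EOL;

$c = csprng_sequence(5);
$d = csprng_sequence(5);
echo 'random_int sequences identical: ', var_export($c === $d, true), PHP_EOL;
```

Run it twice: the mt_rand sequences match each other on every run, while two random_int sequences of the same length will not coincide. That is precisely the difference between a PRNG you can rewind and a CSPRNG you cannot.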

As a developer, you should always strive to follow best practices, especially when it comes to the security of your applications.

Fatal error: Call to undefined function random_int.

If you experience this fatal error while using the code above, it is because you are running an older PHP version. The random_int function wasn’t introduced as a core function until PHP 7.

However, if you are using PHP version 5.2 or above, then you can download the random_compat polyfill library from GitHub and include it in your project, which gives you a random_int function with the same signature.

How do I use this function?

Below are a few examples of how to use the random_password function:

Above, we generated three random passwords of various lengths. If you run the snippet and refresh it a few times, you will see that an entirely different set of random passwords is generated each time.
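The tutorial's own function and usage snippets are not reproduced on this page, so here is an added example (my code, not the author's) that implements the function exactly as the bullet list above describes it, wires in the random_compat fallback from the "Fatal error" section, and then calls it for several lengths as in the usage section. The default keyspace, the polyfill include path and the sample lengths are assumptions; adjust them to suit.

```php
<?php
// Added example (not the tutorial's own code): random_password() built the
// way the bullet list describes, plus the usage under "How do I use this
// function?". Assumes PHP 7+, or PHP 5.2+ with random_compat installed.

declare(strict_types=1);

// Guard for PHP 5.x: pull in random_compat if random_int() is missing.
// The include path is an assumption; point it at wherever the library lives.
if (!function_exists('random_int')) {
    $polyfill = __DIR__ . '/random_compat/lib/random.php';
    if (!is_file($polyfill)) {
        throw new RuntimeException('random_int() unavailable: upgrade to PHP 7 or install random_compat');
    }
    require_once $polyfill;
}

/**
 * Generate a password of $length characters drawn uniformly from $keyspace.
 *
 * @throws InvalidArgumentException on a non-positive length or a bad keyspace
 */
function random_password(
    int $length = 12,
    string $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()'
): string {
    if ($length < 1) {
        throw new InvalidArgumentException('Length must be at least 1');
    }
    // Characters are picked with $keyspace[$i], which is a byte offset, so the
    // keyspace must contain only printable single-byte ASCII characters.
    if ($keyspace === '' || preg_match('/[^\x20-\x7E]/', $keyspace) === 1) {
        throw new InvalidArgumentException('Keyspace must be non-empty printable ASCII');
    }

    // Index of the last character: size minus one, because indexes start at 0.
    // For an ASCII keyspace mb_strlen() and strlen() give the same number.
    $max = mb_strlen($keyspace) - 1;

    $password = '';
    for ($i = 0; $i < $length; ++$i) {
        // random_int() is a CSPRNG and returns an unbiased integer in [0, $max].
        $password .= $keyspace[random_int(0, $max)];
    }
    return $password;
}

// Usage: three passwords of various lengths, as in the tutorial's examples.
foreach ([8, 12, 20] as $len) {
    echo random_password($len), PHP_EOL;
}

// Constructed sample keyspace: digits only, e.g. for a numeric OTP.
echo random_password(6, '0123456789'), PHP_EOL;
```

Two points worth noting in the design: the keyspace check exists because the byte-index lookup silently produces partial characters if a multibyte symbol is ever added to the string, and random_int(0, $max) is used directly (rather than a modulo over a larger value) because it already returns an unbiased result across the whole range.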
