PHP: Generate a secure random password.

In this tutorial, we are going to show you how to generate a secure random password using PHP.

To do this, we will be using the random_int function, which is cryptographically secure.

Take a look at the following function:

 * A PHP function that will generate a secure random password.
 * @param int $length The length that you want your random password to be.
 * @return string The random password.
function random_password($length){
    //A list of characters that can be used in our
    //random password.
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!-.[]?*()';
    //Create a blank string.
    $password = '';
    //Get the index of the last character in our $characters string.
    $characterListLength = mb_strlen($characters, '8bit') - 1;
    //Loop from 1 to the $length that was specified.
    foreach(range(1, $length) as $i){
        $password .= $characters[random_int(0, $characterListLength)];
    return $password;

The custom PHP function above will generate a random string and then return it.

All you have to do is specify the length of the string by passing in the $length parameter.

This kind of function is especially useful for creating one-time passwords (OTP) and other important tokens. You can also use it to suggest a new secure password to the user.

Inside of our function:

  1. We created a string of all the characters that our function can use while generating the password. This is our “keyspace”. By default, we have set this to 0-9, a-z, A-Z and a few special characters at the end. However, you can modify this list to suit your own needs by adding or removing characters from the string.
  2. Using the mb_strlen function, we calculated the index of the last character in the string. We then subtracted one from the size because indexes always start at 0.
  3. After that, we created a foreach loop. The number of iterations that this loop does will match the number that was specified in the $length parameter.
  4. Inside this loop, we select a random character from our “keyspace” string by using the PHP function random_int. Note that this works because characters in a PHP string can be accessed via their index, much like you would access an array element.
  5. Finally, we return our randomly generated password.

Why did you use random_int instead of rand or mt_rand?

One of the reasons that we wrote this tutorial is because we came across a number of similar guides that recommended the use of functions such as rand or mt_rand.

This made us wince, as they are essentially polluting “the PHP sphere” with insecure code when there are more secure and easy-to-use alternatives out there.

The problem with rand and mt_rand is that they are not cryptographically secure.

This means that they should never ever be used for anything relating to passwords or security tokens.

In fact, if you look at the PHP manual page for mt_rand, you will see that developers are explicitly warned not to use the function for cryptographic purposes.

As a developer, you should always strive to follow best practices, especially when it comes to the security of your applications.

Fatal error: Call to undefined function random_int.

If you experience this fatal error while using the code above, then it means that you are running an older version of PHP.

The random_int function wasn’t introduced as a core function until PHP 7.

However, if you are using PHP version 5.2 or above, then you can download the random_compat library from Github and include it in your project.

How do I use this function?

Below, you will find a few examples of how to use the random_password function:

//A random six character password.
$sixChar = random_password(6);
var_dump($sixChar); //Example: lx2q(P

//A random eight character password.
$eightChar = random_password(8);
var_dump($eightChar); //Example: jd*q!eeM

//Twelve characters
$twelveChar = random_password(12);
var_dump($twelveChar); //Example: zR*-1XMBjE-D

Above, we generated three random passwords of various lengths.

If you run the code and refresh it a few times, you will see that an entirely different set of random passwords are generated each time.