0

I am trying to do what the title says and this is all that I can figure out how to do in php.

<?php 
    $random = substr(md5(mt_rand()), 0, 8);
    echo $random;
?>
wrist
  • 6
    Does this answer your question? [Generating a random password in php](https://stackoverflow.com/questions/6101956/generating-a-random-password-in-php) – catcon Nov 26 '20 at 23:15
  • You could have a mandatory alphabet. Not seeing any code attempt here tho – GetSet Nov 26 '20 at 23:27

2 Answers

7

I created this basic code:

$digits    = array_flip(range('0', '9'));
$lowercase = array_flip(range('a', 'z'));
$uppercase = array_flip(range('A', 'Z')); 
$special   = array_flip(str_split('!@#$%^&*()_+=-}{[}]\|;:<>?/'));
$combined  = array_merge($digits, $lowercase, $uppercase, $special);

$password  = str_shuffle(array_rand($digits) .
                         array_rand($lowercase) .
                         array_rand($uppercase) . 
                         array_rand($special) . 
                         implode(array_rand($combined, rand(4, 8))));

echo $password;

First I create arrays, of which the keys are what the variable names describe. This might seem somewhat strange, but this is done because array_rand() returns random keys, not random values.

By explicitly defining the different types of characters you could remove some nasty ones. For instance, it can be hard to distinguish between I, 1, | and l or O and 0, depending on your font. You might want to remove those. You are also able to define your own set of special characters.

I then guarantee that at least one capital letter, one lowercase letter, one special character and one number is present by explicitly declaring so.

Finally I add a part of random characters of random length and shuffle the whole string.

A note: Choosing passwords for users can be a good idea. Users often find it hard to choose a good password. However, you're going for very difficult to remember, and difficult to enter, passwords. Is that really necessary? For instance, if you ask for an email address in combination with a password, then a 5 digit PIN number would already give 99999 possible passwords. That's a lot. If you only allow a user to try to enter a password wrong 5 times, before the login form gets blocked, then a hacker has only a 0.006% chance of a successful hack by brute force. Those are not good odds. A five digit password is much easier to work with for a user. The strength of the password should be proportional to what it protects and other risk factors. You might be using passwords with a 0.00000000001% chance of a successful hack, but if the chance that a user gives the password "willingly" to a hacker, for instance through social hacking, is 0.0001% then there's little point to such a secure password.

KIKO Software
  • Thank you for this, this fits my need perfectly! I'm programmatically creating a user in auth0 then sending a password reset email to the user. So this helps generate my throwaway password that meets the auth0 standards. – LLai Oct 12 '22 at 17:08
3
function randomPasswordGenerator()
{
    $password = '';
    $passwordSets = ['1234567890', '%^&@*#(){}', 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghjkmnpqrstuvwxyz'];

    // Take one random character from each set so every character type is present
    foreach ($passwordSets as $passwordSet) {
        $password .= $passwordSet[array_rand(str_split($passwordSet))];
    }

    // Pad with characters from randomly chosen sets; 6 is the length of password we want
    while (strlen($password) < 6) {
        $randomSet = $passwordSets[array_rand($passwordSets)];
        $password .= $randomSet[array_rand(str_split($randomSet))];
    }
    echo $password;
}
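
The generators used in the answers above (rand(), array_rand(), str_shuffle()) are documented by PHP as not cryptographically secure. The variant below keeps the same approach but takes every random choice from random_int(). It is an added example, not code from either answer; the function name generatePassword, the character sets and the default length are assumptions, and it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper): build a password containing at least
 * one character from every set, drawing all randomness from random_int().
 */
function generatePassword(int $length = 12): string
{
    // Constructed sets; look-alike characters (I, l, 1, |, O, 0) are left out.
    $sets = [
        'digits'    => '23456789',
        'lowercase' => 'abcdefghijkmnopqrstuvwxyz',
        'uppercase' => 'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'special'   => '!@#$%^&*()_+=-{}[];:<>?/',
    ];
    if ($length < count($sets)) {
        throw new InvalidArgumentException('Length is too short to include every character set.');
    }

    // Uniformly pick one character from a string using the CSPRNG.
    $pick = static fn (string $chars): string => $chars[random_int(0, strlen($chars) - 1)];

    // One guaranteed character per set.
    $chars = array_map($pick, array_values($sets));

    // Fill the remaining positions from the combined alphabet.
    $all = implode('', $sets);
    while (count($chars) < $length) {
        $chars[] = $pick($all);
    }

    // Fisher-Yates shuffle driven by random_int(), used in place of str_shuffle(),
    // so the guaranteed characters do not sit at fixed positions.
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }

    return implode('', $chars);
}

echo generatePassword(12), PHP_EOL;
```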