
I've made a PHP function which generates a random password. But sometimes the password length is different from what I want (I fixed it to 10), and I don't understand why. I would like the password not to start with a special character, if possible. Can you help me, please?

```php
<?php
    function get_random_password() {
        $digits = range('0', '9');
        $lowercase = range('a', 'z');
        $uppercase = range('A', 'Z');
        $special = str_split('!@#$%^&*+=-_?.,:;<>(){}[]/|~`\'"');
        shuffle($digits);
        shuffle($special);
        shuffle($lowercase);
        shuffle($uppercase);
        $array_special = array_rand($special);
        $array_digits = array_rand($digits, 3);
        $array_lowercase = array_rand($lowercase, 3);
        $array_uppercase = array_rand($uppercase, 3);
        $password = str_shuffle(
            $special[$array_special].
            $digits[$array_digits[0]].
            $digits[$array_digits[1]].
            $digits[$array_digits[2]].
            $lowercase[$array_lowercase[0]].
            $lowercase[$array_lowercase[1]].
            $lowercase[$array_lowercase[2]].
            $uppercase[$array_uppercase[0]].
            $uppercase[$array_uppercase[1]].
            $uppercase[$array_uppercase[2]]
        );
        if (strlen($password) > 10) {
            $password = substr($password, 0, 10);
        }
        return $password;
    }
    for ($i=0;$i<=30;$i++) {
        echo get_random_password()."<br>";
    }
?>
```


Lokomass
  • Does this answer your question? [Generating (pseudo)random alpha-numeric strings](https://stackoverflow.com/questions/48124/generating-pseudorandom-alpha-numeric-strings) – Peter O. Mar 21 '21 at 08:15
  • Also, you should use `random_bytes` or `random_int`, rather than `array_rand`, to generate passwords or other "secure" random values. See: https://stackoverflow.com/questions/4570980/generating-a-random-code-in-php/64472183#64472183 – Peter O. Mar 21 '21 at 08:16
  • If your password contains a `<` it may confuse the tags in the browser. View the source in your browser to check. – Nigel Ren Mar 21 '21 at 08:17
  • Apart from the problem Nigel Ren saw, when I actually run your code all passwords are always 10 characters long. Always. My best guess is that you're not running the code you think you are running. – KIKO Software Mar 21 '21 at 08:23

1 Answer

I ran your code several times. It always returns passwords which are 10 chars long.

I see the following problems:

  • You are printing it out in HTML, so chars like `<` and `>` can break your HTML code.
  • Also, line breaks could be a problem.

To solve this:

  • Do not print it out in the browser; better to test your function in a console.
  • If you want to print it out in HTML, then you have to use the `htmlentities()` function (PHP documentation) to display it correctly in the browser. Do not store the passwords with `htmlentities()`, as this would replace the special characters in your passwords with the HTML entities.
Roman
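
An added example, not part of the question or the answer: a generator that follows the comments' advice to use `random_int`, keeps the question's 10-character composition, never starts with a special character, and escapes the output with `htmlentities()` when it is not run from the console. The helper names `pick` and `secure_shuffle` are assumptions, and unlike the question's code it allows a character to repeat within its class.

```php
<?php
// Added example. Assumed policy, taken from the question: 10 characters made of
// 1 special + 3 digits + 3 lowercase + 3 uppercase, first character never special.

// Draw $count characters from $alphabet using the CSPRNG-backed random_int().
function pick(string $alphabet, int $count): array
{
    $out = [];
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $count; $i++) {
        $out[] = $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Fisher-Yates shuffle driven by random_int() instead of shuffle()/str_shuffle().
function secure_shuffle(array $items): array
{
    for ($i = count($items) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$items[$i], $items[$j]] = [$items[$j], $items[$i]];
    }
    return $items;
}

function get_random_password(): string
{
    $special = '!@#$%^&*+=-_?.,:;<>(){}[]/|~`\'"';
    $chars = secure_shuffle(array_merge(
        pick('0123456789', 3),
        pick('abcdefghijklmnopqrstuvwxyz', 3),
        pick('ABCDEFGHIJKLMNOPQRSTUVWXYZ', 3)
    ));
    // Insert the special character at index 1..9 so index 0 stays alphanumeric.
    array_splice($chars, random_int(1, count($chars)), 0, pick($special, 1));
    return implode('', $chars);
}

for ($i = 0; $i < 5; $i++) {
    $password = get_random_password();
    if (PHP_SAPI === 'cli') {
        echo $password, PHP_EOL;   // console: print the raw password
    } else {
        // Browser: escape so that <, >, &, ' and " are shown instead of parsed.
        echo htmlentities($password, ENT_QUOTES, 'UTF-8'), "<br>";
    }
}
```

Only the displayed copy is escaped; the value returned by `get_random_password()` is what gets hashed or handed to the user.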