PHP Create Strong Random Passwords

PHP Best Practices

PHP function to create a strong random password for applying to new user accounts or for resetting passwords. Allows for applying a mask for password rules.

Date : 2006-04-08

Site security is a high priority for any developer. With the number of attacks that sites are getting, it is vital that we secure them to the best of our and our technologies' ability. One of the main issues with security is user passwords. If our users pick overly simple passwords then their data and ours can be at risk. Having password rules is one way of ensuring that our users will select strong passwords. We can require a specific length and combination of characters and numbers, including capitalization requirements.

While it's sometimes difficult to explain these requirements to a user and get them to enter something that fits the criteria, it can also be troublesome to create these passwords programmatically. To that end I propose this PHP function to create a password based on very specific rules. The "Mask" that you use to define the password rules is fairly simple, with only 5 entities to know. See the comments in the code to understand the rules.

By creating a password with these options you can verify that all auto-generated passwords will match a certain criteria. Here is the PHP code necessary to create this kind of password:

// Mask Rules
// # - digit
// C - Caps Character (A-Z)
// c - Small Character (a-z)
// X - Mixed Case Character (a-zA-Z)
// ! - Custom Extended Characters (drawn from $extended_chars below)
// Any other character in the mask is copied through unchanged.
function create_password($mask) {
  $extended_chars = '!@#$%^&*()';
  $length = strlen($mask);
  $pwd = '';
  for ($c = 0; $c < $length; $c++) {
    $ch = $mask[$c];
    switch ($ch) {
      case '#':
        // one digit 0-9
        $p_char = rand(0, 9);
        break;
      case 'C':
        // ASCII 65-90 is A-Z
        $p_char = chr(rand(65, 90));
        break;
      case 'c':
        // ASCII 97-122 is a-z
        $p_char = chr(rand(97, 122));
        break;
      case 'X':
        // pick from A-Z or a-z, rejecting the punctuation between 'Z' (90) and 'a' (97)
        do {
          $p_char = rand(65, 122);
        } while ($p_char > 90 && $p_char < 97);
        $p_char = chr($p_char);
        break;
      case '!':
        // one character from the custom extended set
        $p_char = $extended_chars[rand(0, strlen($extended_chars) - 1)];
        break;
      default:
        // not a mask entity: keep the literal character (e.g. a separator)
        $p_char = $ch;
        break;
    }
    $pwd .= $p_char;
  }
  return $pwd;
}

An addition that you may want to make is the ability to have a variable length password. For instance, if a password could be between 6 and 15 characters, you would have to decide how to make the function handle this. It could either have a 15 character mask and cut short at whatever length you decided on, or perhaps you could use a 6 character mask and have it start the pattern over for longer passwords. Usually autogenerated passwords are of a fixed length though, so it's not a necessary feature.

Your newly generated password will match the criteria and length of the password mask. Your $extended_chars list is up to you and allows you to add in any characters you want while avoiding characters that could cause trouble such as quote characters.
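The following is an added example, not the article's own code. It implements the same five-entity mask language but draws every character with random_int(), PHP's CSPRNG-backed integer source (PHP 7+), rather than rand(), which is seeded predictably and is not suitable for generating credentials. It also carries out the variable-length extension described above by repeating the mask to a randomly chosen length, and turns a mask into a regular expression so the same rule language can validate passwords that users choose themselves. The function names (create_password_secure, create_password_variable, mask_to_regex) and the default extended character set are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example: mask-driven password generation using random_int() (CSPRNG).
// Mask entities, as in the article: # digit, C upper, c lower, X mixed case,
// ! extended character. Anything else in the mask is copied through literally.

function create_password_secure(string $mask, string $extended = '!@#$%^&*()'): string
{
    if ($extended === '') {
        throw new InvalidArgumentException('extended character set must not be empty');
    }
    $alphabets = [
        '#' => '0123456789',
        'C' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'c' => 'abcdefghijklmnopqrstuvwxyz',
        'X' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
        '!' => $extended,
    ];
    $pwd = '';
    foreach (str_split($mask) as $ch) {
        if (isset($alphabets[$ch])) {
            $set = $alphabets[$ch];
            // random_int() is uniform over the closed range, so every member of
            // the set is equally likely (no modulo bias as with rand() % n).
            $pwd .= $set[random_int(0, strlen($set) - 1)];
        } else {
            $pwd .= $ch; // literal separator or fixed character
        }
    }
    return $pwd;
}

// Variable-length variant: choose a length in [$minLen, $maxLen] and repeat the
// mask pattern until the password is that long (the "start the pattern over" option).
function create_password_variable(string $mask, int $minLen, int $maxLen, string $extended = '!@#$%^&*()'): string
{
    if ($mask === '' || $minLen < 1 || $maxLen < $minLen) {
        throw new InvalidArgumentException('mask must be non-empty and 1 <= minLen <= maxLen');
    }
    $len = random_int($minLen, $maxLen);
    $repeated = str_repeat($mask, intdiv($len, strlen($mask)) + 1);
    return create_password_secure(substr($repeated, 0, $len), $extended);
}

// Build an anchored regex from a mask so user-chosen passwords can be checked
// against the same rules that the generator enforces.
function mask_to_regex(string $mask, string $extended = '!@#$%^&*()'): string
{
    $classes = [
        '#' => '[0-9]',
        'C' => '[A-Z]',
        'c' => '[a-z]',
        'X' => '[A-Za-z]',
        '!' => '[' . preg_quote($extended, '/') . ']',
    ];
    $re = '';
    foreach (str_split($mask) as $ch) {
        $re .= $classes[$ch] ?? preg_quote($ch, '/');
    }
    return '/^' . $re . '$/';
}

// Usage: a fixed mask, verified against its own regex, then a 6-15 character
// password built by cycling a short mask. Output differs on every run.
$mask = 'CcX#!#cX';
$pw = create_password_secure($mask);
echo $pw, ' ', preg_match(mask_to_regex($mask), $pw) === 1 ? 'matches mask' : 'MISMATCH', PHP_EOL;
echo create_password_variable('Cc#!', 6, 15), PHP_EOL;
echo preg_match(mask_to_regex('Cc#'), 'Ab9') === 1 ? 'Ab9 ok' : 'Ab9 rejected', PHP_EOL;
echo preg_match(mask_to_regex('Cc#'), 'ab9') === 1 ? 'ab9 ok' : 'ab9 rejected', PHP_EOL;
```

Because the generator and the validator share one mask, a policy such as "eight characters, mixed case, a digit and a symbol" is written once; a mask like CcX#!#cX produces only passwords that the corresponding regex accepts. Passing the extended set through preg_quote() keeps characters such as ^ or - from being interpreted inside the character class.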

It is very important to have good security practices, and the example you set with your auto-generated passwords and the validation rules you apply to your users' custom passwords can have a huge effect on your site's and your server's overall security. If you keep any kind of sensitive information on your server, even just a list of customers' emails, you should be dedicated to keeping that information secure.
