Hugh Lashbrooke

Product manager by day, tabletop game designer by night.

Simple way to generate a random password in PHP

When creating web apps, there’s often a need to generate a random password for your users. There are a number of ways to do this, but in needing to do it recently I came up with this very simple function that will generate a password (or other random string) of whatever length you wish. It’s particularly useful when generating passwords for users that they will then change in the future. It uses PHP’s handy str_shuffle() function:


View this gist on GitHub

The only shortcoming of this method will come in when you want to generate a password that is longer than $chars, but this is rather unlikely I would think. Also, the fact that it will only ever use each character a maximum of one time means that it is more susceptible to a brute force attack (whether that’s a problem or not depends on how paranoid you are…).
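An added example, not the gist from this post: a generator that draws each character independently with random_int(), PHP's CSPRNG-backed integer function (available since PHP 7.0), so characters can repeat and the length can exceed the alphabet. The function names and character classes are assumptions chosen for illustration.

```php
<?php
// Added example, not the post's gist. pick_char(), random_password_csprng()
// and the character classes are illustrative assumptions. Needs PHP 7.1+.

/** Pick one character uniformly from $set using the OS CSPRNG. */
function pick_char(string $set): string
{
    if ($set === '') {
        throw new InvalidArgumentException('character class must not be empty');
    }
    return $set[random_int(0, strlen($set) - 1)];
}

/**
 * Password of $length characters with at least one character from every class.
 * Characters may repeat, and $length may exceed the size of the alphabet.
 */
function random_password_csprng(int $length = 16, ?array $classes = null): string
{
    $classes = $classes ?? [
        'abcdefghijklmnopqrstuvwxyz',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        '0123456789',
        '!@#$%^&*()_-=+;:,.?',
    ];
    if ($length < count($classes)) {
        throw new InvalidArgumentException('length must cover every character class');
    }
    $all = implode('', $classes);
    $out = [];
    foreach ($classes as $set) {        // one guaranteed character per class
        $out[] = pick_char($set);
    }
    while (count($out) < $length) {     // the rest come from the whole alphabet
        $out[] = pick_char($all);
    }
    // Fisher-Yates shuffle driven by random_int(), so the guaranteed
    // characters do not always sit in the first positions.
    for ($i = count($out) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$out[$i], $out[$j]] = [$out[$j], $out[$i]];
    }
    return implode('', $out);
}

echo random_password_csprng(), PHP_EOL;     // 16 characters
echo random_password_csprng(100), PHP_EOL;  // longer than the alphabet is fine
```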

17 responses to “Simple way to generate a random password in PHP”

  1. Faisal

    Thanks. Gonna check it.

  2. Arujei

    Replace:
    $password = substr( str_shuffle( $chars ), 0, $length );
    with:
    for ($i = 0; $i < $length; $i++) {
    $password .= $chars{mt_rand(0, strlen($chars) - 1)};
    }
    now you've made it quite random.

    1. Tommy

      Should be:
      for ($i = 0; $i < $length; $i++) {
      $password .= $chars[mt_rand(0, strlen($chars) - 1)];
      }

  3. kundan

    Nice……!

  4. shamli

    thanks

  5. Omar

    Thank you ^____^

  6. Ricardo

    If you want to have a password with repeating chars:

    $password = substr ( str_shuffle ( str_repeat ( $chars ,$length ) ), 0, $length );

  7. Gunther Fruhtrunk

    I believe this algorithm is highly insecure as str_shuffle uses a very predictable randomness and was not made to be used for nearly cryptographic uses.

  8. periyasamy
  9. sgzonlinepage

    nice one

  10. Ronald

    Please do NOT use this example to generate “secure” passwords as the str_shuffle function is based on the insecure, e.g. predictable, rand() or mt_rand() function.

    Please refer to the random_str() function available in php7 or the php5-compatibility functions found here: https://github.com/paragonie/random_compat

    1. Hugh

      Thanks Ronald – this is clearly an old post written long before PHP 7 was even thought of, so thanks for the update there 🙂

  11. adi ch

    what is the password any one tell ??

  12. Muhammad

    $char = "abcdefghijklmnop1234567890";
    echo str_shuffle($char);

  13. David

    Hi,
    I’ve added a bit more “randomness”, respectively have added some stuff to make up for the lack of randomness in PHP 5 (still commonly used). In short:

    – created random seed
    – create random offset in substr
    – add loop while certain password complexity conditions aren’t met

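    function random_password( $length = 8 ) {
    $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_-=+;:,.?";
    $password = '';
    // Retry until the password has a lowercase letter, an uppercase letter, a digit and a symbol.
    // The checks are joined with || so that one missing class is enough to retry (needs $length >= 4).
    while(preg_match('/[a-z]/',$password) == 0 || preg_match('/[A-Z]/',$password) == 0 || preg_match('/[0-9]/',$password) == 0 || preg_match('/[\!\@\#\$\%\^\&\*\(\)\_\-\=\+\;\:\,\.\?]/',$password) == 0) {
    srand();
    // Cap the random offset so substr() can always return $length characters
    $password = substr( str_shuffle( $chars ), mt_rand(0,strlen($chars)-$length), $length );
    }
    return $password;
    }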

  14. Montaz Ali Ahmed

    I have forget my rendoom code

  15. Abror Tadjibayev

    Thank you!
