Generating secure passwords in PHP

generatePassword.php

<?php
// usage: $newpassword = generatePassword(12); // for a 12-char password, upper/lower/numbers.
// functions that use rand() or mt_rand() are not secure according to the PHP manual.

function getRandomBytes($nbBytes = 32)
{
    $bytes = openssl_random_pseudo_bytes($nbBytes, $strong);
    if (false !== $bytes && true === $strong) {
        return $bytes;
    }
    else {
        throw new \Exception("Unable to generate secure token from OpenSSL.");
    }
}

function generatePassword($length){
    return substr(preg_replace("/[^a-zA-Z0-9]/", "", base64_encode(getRandomBytes($length+1))),0,$length);
}

Close your php tag 😃

no need to close tags actually :) From PHP Manual:
The closing tag of a PHP block at the end of a file is optional, and in some cases omitting it is helpful when using include() or require(), so unwanted whitespace will not occur at the end of files, and you will still be able to add headers to the response later. It is also handy if you use output buffering, and would not like to see added unwanted whitespace at the end of the parts generated by the included files.

In fact @Cahl-Dee, closing tags in non-effect files (view code), is a really _Terrible_ practice, because it can cause effects

Be careful of the length!
String from base64_encode may contain + and / characters. If you simply remove them by preg_replace, there is chance the string length is shorter than $length

The variable $strong in line 7 is not defined anywhere. Otherwise: Thank you very much for this!

Actually $strong is a passed-by-reference argument that is defined as a result of the function. Openssl uses it to tell you if the bytes are sufficiently random or not. https://www.php.net/manual/en/function.openssl-random-pseudo-bytes

…

On Tue, Feb 18, 2020, 7:35 AM Kevin Pliester ***@***.***> wrote: The variable $strong in line 7 is not defined anywhere. Otherwise: Thank you very much for this! — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <https://gist.github.com/7217f566fc83a9633959?email_source=notifications&email_token=AAAL2MU5KIO2SILF3WXYHOLRDP54RA5CNFSM4KXG5V52YY3PNVWWK3TUL52HS4DFVNDWS43UINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAGCE3I#gistcomment-3180980>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAL2MT3R2D3WDXCAMSCO2LRDP54RANCNFSM4KXG5V5Q> .

Actually $strong is a passed-by-reference argument that is defined as a result of the function. Openssl uses it to tell you if the bytes are sufficiently random or not.

You're right, sorry! Thanks for your answer.

Thanks!
A minor improvement, for clearer intention and lower complexity:

    if (false !== $bytes && true === $strong) {
        return $bytes;
    }
    else {
        throw new \Exception("Unable to generate secure token from OpenSSL.");
    }

into

    if (false !== $bytes && true === $strong) {
        return $bytes;
    }
    throw new \Exception("Unable to generate secure token from OpenSSL.");

I know some people use this style but I actually avoid it because I think the intention is less clear and the complexity ends up being the same at the bytecode / execution level. There was recently a major openssl bug that happened because it wasn't obvious upon reading that a block would/wouldn't return/cascade under certain circumstances, leaving a gaping hole in security because there was a case that was neither returned nor thrown and essentially security was bypassed. So I get that they're functionally the same and there's possibly less room for an "else" hanging out doing something weird, but I personally like explicitly making it clear that it's my intent to either do one thing or the other and you've gotta look inside to see which is which. Otherwise I feel it's easy to skim the code and miss the fact that there's return/throw statements in there and no further execution is possible.

…

On Thu, Aug 13, 2020, 4:16 AM Robin Radic ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Thanks! A minor improvement, for clearer intention and lower complexity: if (false !== $bytes && true === $strong) { return $bytes; } else { throw new \Exception("Unable to generate secure token from OpenSSL."); } into if (false !== $bytes && true === $strong) { return $bytes; } throw new \Exception("Unable to generate secure token from OpenSSL."); — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <https://gist.github.com/7217f566fc83a9633959#gistcomment-3416086>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAL2MQHNX3AYCBP3D3CPZLSAPDRFANCNFSM4KXG5V5Q> .

Thanks, excellent code, I will definitely use it in my projects :)