Securing Laravel

Securing Laravel

Share this post

Securing Laravel
Securing Laravel
Security Tip: New Password Generator
Copy link
Facebook
Email
Notes
More

Security Tip: New Password Generator

[Tip#37] To celebrate the release of Laravel 10 this week, let's take a look at one of the new (security) features!

Stephen Rees-Carter
Feb 18, 2023
7
Share

Greetings friends! I hope you all enjoyed last week’s In Depth on Stealing Password Tokens with Forwarded Host Poisoning, and the story I shared about my doomed fix. I’m planning to write more emails covering vulnerabilities like that in the future - although hopefully without more doomed fixes!

This week, we’re celebrating the release of Laravel 10 by looking at a cool new security feature, a secure password generator! We’ve talked about Password Generators before1, but this is a way to generate secure passwords through a core Laravel helper - rather than reaching for `Str::random(32)`2 , a third-party package, or trying to build it yourself3.

Laravel Security In Depth is a bestselling reader-supported publication. Join over 1,850+ Laravel developers, learning about keeping their apps secure each week.

👉 Security Audits: Want me to hack your app and help you improve your security? 🕵️

Looking to learn more?
⏩ Security Tip #21: Non-production Mail Sending
▶️ In Depth #8: Policy Objects

New Password Generator

When generating new passwords, you need an algorithm that uses a cryptographically secure random generator4 to ensure there is enough entropy5 to keep your passwords unguessable. A good way to do this is to generate lengthy passwords with a significant character set that includes lower case and uppercase letters, numbers, and extra symbols.

Laravel 10’s new Password helper lets you do exactly that:

Str::password($length = 32, $letters = true, $numbers = true, $symbols = true, $spaces = false): string;

You can find it over in the docs: https://laravel.com/docs/10.x/helpers#method-str-password.

By default, the helper will return a 32 character incredibly secure password:

> $password = Str::password();
= "eY-j4B<kLf%o/k~x*#&9KUHPU8~!;I?8"

You can change the length, toggle on/off letters, numbers, symbols, and spaces:

> $password = Str::password(
      length:  16, 
      letters: true, 
      numbers: false, 
      symbols: true, 
      spaces:  true
  );
= "$*|[# S*?/Qxj~W,"

Internally it uses `random_int()` to securely build the password from it’s extensive character list6, so it can be considered cryptographically secure.

So the next time you need to generate a password in your app, you can reach straight for `Str::random()`.

Thanks Taylor! 😁

1

Sorry Steve… 😜

2

I do this all the time!

3

Rolling-your-own is almost never a good idea!

4

We talked about this is Tip #19: Cryptographically Secure Randomness.

5

A fancy word used to discuss how guessable a password is. The more entropy it has, the harder it is to guess. It’s roughly equivalent to how many characters it could include and how long it is, but there is a lot of nuance and complexity that we don’t have time to go into here.

6

See: https://github.com/laravel/framework/blob/a501fc23542b43988537cb18f20e4b04907399cf/src/Illuminate/Support/Str.php#L724-L755

7
Share

7 Comments

Commenting has been turned off for this post

No posts

Ready for more?

© 2025 Stephen Rees-Carter
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More