Discover more from Securing Laravel
Security Tip: New Password Generator
[Tip#37] To celebrate the release of Laravel 10 this week, let's take a look at one of the new (security) features!
Greetings friends! I hope you all enjoyed last week’s In Depth on Stealing Password Tokens with Forwarded Host Poisoning, and the story I shared about my doomed fix. I’m planning to write more emails covering vulnerabilities like that in the future - although hopefully without more doomed fixes!
This week, we’re celebrating the release of Laravel 10 by looking at a cool new security feature, a secure password generator! We’ve talked about Password Generators before1, but this is a way to generate secure passwords through a core Laravel helper - rather than reaching for
`Str::random(32)`2 , a third-party package, or trying to build it yourself3.
Laravel Security In Depth is a bestselling reader-supported publication. Join over 1,850+ Laravel developers, learning about keeping their apps secure each week.
👉 Security Audits: Want me to hack your app and help you improve your security? 🕵️
New Password Generator
When generating new passwords, you need an algorithm that uses a cryptographically secure random generator4 to ensure there is enough entropy5 to keep your passwords unguessable. A good way to do this is to generate lengthy passwords with a significant character set that includes lower case and uppercase letters, numbers, and extra symbols.
Laravel 10’s new Password helper lets you do exactly that:
Str::password($length = 32, $letters = true, $numbers = true, $symbols = true, $spaces = false): string;
You can find it over in the docs: https://laravel.com/docs/10.x/helpers#method-str-password.
By default, the helper will return a 32 character incredibly secure password:
> $password = Str::password(); = "eY-j4B<kLf%o/k~x*#&9KUHPU8~!;I?8"
You can change the length, toggle on/off letters, numbers, symbols, and spaces:
> $password = Str::password( length: 16, letters: true, numbers: false, symbols: true, spaces: true ); = "$*|[# S*?/Qxj~W,"
Internally it uses
`random_int()` to securely build the password from it’s extensive character list6, so it can be considered cryptographically secure.
So the next time you need to generate a password in your app, you can reach straight for
Thanks Taylor! 😁
I do this all the time!
Rolling-your-own is almost never a good idea!
A fancy word used to discuss how guessable a password is. The more entropy it has, the harder it is to guess. It’s roughly equivalent to how many characters it could include and how long it is, but there is a lot of nuance and complexity that we don’t have time to go into here.