How To Create Friendlier Random Passwords

    Craig Anderson

    One aspect of web applications which is almost always overlooked when it comes to accessibility is how easy any randomly generated string might be to read. If you’re lucky enough to have near perfect vision and have no learning or cognitive disabilities such as dyslexia, you mightn’t suffer from any problems reading randomly generated strings, but for many users distinguishing between zero and upper-case Os, ones and lower-case Ls, and even the letters b and d can be difficult.

    So, in a recent project which required me to automatically generate passwords on request, I decided to put this into practice with the following PHP function:

    function GenerateRandomString($length) {
    	// Character set with the easily confused characters left out.
    	$characters = array('2', '3', '4', '5', '6', '7', '8', '9',
    			'a', 'c', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'm', 'p',
    			'q', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z');
    	$randomString = "";
    	while(strlen($randomString) < $length) {
    		// random_int() draws from the system CSPRNG (PHP 7+);
    		// rand() is predictable and not suitable for passwords.
    		$randomCharacterIndex = random_int(0, count($characters) - 1);
    		$randomString .= $characters[$randomCharacterIndex];
    	}
    	return $randomString;
    }

    Nothing too special going on here, except that the sometimes troublesome pairs of characters mentioned previously have been eliminated.

    Now, it’s true that if we use this function to generate passwords, the passwords created will be less secure — this function can only create 28^5 (17 million) different five-character passwords whereas if I had included the missing characters this number would’ve been 36^5 (60 million). That’s a trade-off you’ll have to accept in return for fewer frustrated users having difficulty logging on to your site, which can be mitigated by forcing users to change their generated password to something chosen by them.
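    The trade-off above can be put in numbers. The following is an added example, not code from the original post: it measures the entropy of the 28-character set against the full 36-character set and works out how much longer a friendly password must be to match, which goes a step beyond the five-character case in the text. The function names and constants are assumptions made for illustration, and random_int() requires PHP 7 or later.

```php
<?php
// Added example: all names below are illustrative, not from the original post.

const FRIENDLY_ALPHABET = '23456789acefghijkmpqstuvwxyz';          // the post's 28 characters
const FULL_ALPHABET     = '0123456789abcdefghijklmnopqrstuvwxyz';  // digits + lower-case letters (36)

// Bits of entropy in a uniformly random string of $length characters.
function entropyBits(string $alphabet, int $length): float {
    return $length * log(strlen($alphabet), 2);
}

// Smallest length whose entropy reaches $targetBits for this alphabet.
function minLengthForBits(string $alphabet, float $targetBits): int {
    return (int) ceil($targetBits / log(strlen($alphabet), 2));
}

// Generate a password from $alphabet carrying at least $targetBits of entropy.
// random_int() is a CSPRNG and picks each index uniformly (no modulo bias).
function generatePassword(string $alphabet, float $targetBits): string {
    $length = minLengthForBits($alphabet, $targetBits);
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// The five-character case from the text: 28^5 versus 36^5.
$friendlyBits = entropyBits(FRIENDLY_ALPHABET, 5);
$fullBits     = entropyBits(FULL_ALPHABET, 5);
printf("5 chars, friendly set: %.2f bits\n", $friendlyBits);
printf("5 chars, full set:     %.2f bits\n", $fullBits);

// Length the friendly set needs to be at least as strong as 5 full-set characters.
$needed = minLengthForBits(FRIENDLY_ALPHABET, $fullBits);
printf("Friendly length matching 5 full-set chars: %d\n", $needed);

// A friendly password that is no weaker than the 5-character full-set one.
echo generatePassword(FRIENDLY_ALPHABET, $fullBits), "\n";
```

    Each friendly character carries a little under five bits, so one extra character more than recovers what the eight removed characters cost.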

    Note: If you know of any other characters that people have trouble with, leave a comment and I’ll update this post. Thanks!