Generating Random Passwords In ColdFusion Based On Sets Of Valid Characters

By Ben Nadel on January 24, 2007

Richard White over on CF-Talk asked about generating random passwords in ColdFusion based on his particular business rules. These rules included:

Must be exactly 8 characters in length
Must have at least 1 number
Must have at least 1 uppercase letter
Must have at least 1 lower case letter

Tom Chiverton suggested using ASCII values and randomization, which is a great suggestion. In fact, it is one that I have used myself many times in the past. However, I created this demo based on explicitly defined sets of character data as I feel that it has some benefits; it is more readable and allows for more flexibility in what the character sets are (just my opinion).

That being said, here is the algorithm I came up with in ColdFusion to generate the random passwords:

<!---
	We have to start out be defining what the sets of valid
	character data are. While this might not look elegant,
	notice that it gives a LOT of power over what the sets
	are without writing a whole lot of code or "condition"
	statements.
--->

<!--- Set up available lower case values. --->
<cfset strLowerCaseAlpha = "abcdefghijklmnopqrstuvwxyz" />

<!---
	Set up available upper case values. In this instance, we
	want the upper case to correspond to the lower case, so
	we are leveraging that character set.
--->
<cfset strUpperCaseAlpha = UCase( strLowerCaseAlpha ) />

<!--- Set up available numbers. --->
<cfset strNumbers = "0123456789" />

<!--- Set up additional valid password chars. --->
<cfset strOtherChars = "~!@##$%^&*" />

<!---
	When selecting random value, we want to be able to easily
	choose from the entire set. To this effect, we are going
	to concatenate all the previous valid character sets.
--->
<cfset strAllValidChars = (
	strLowerCaseAlpha &
	strUpperCaseAlpha &
	strNumbers &
	strOtherChars
	) />


<!---
	Create an array to contain the password ( think of a
	string as an array of character).
--->
<cfset arrPassword = ArrayNew( 1 ) />


<!---
	When creating a password, there are certain rules that we
	need to follow (as deemed by the business logic). That is,
	the password must:

	- must be exactly 8 characters in length
	- must have at least 1 number
	- must have at least 1 uppercase letter
	- must have at least 1 lower case letter
--->


<!--- Select the random number from our number set. --->
<cfset arrPassword[ 1 ] = Mid(
	strNumbers,
	RandRange( 1, Len( strNumbers ) ),
	1
	) />

<!--- Select the random letter from our lower case set. --->
<cfset arrPassword[ 2 ] = Mid(
	strLowerCaseAlpha,
	RandRange( 1, Len( strLowerCaseAlpha ) ),
	1
	) />

<!--- Select the random letter from our upper case set. --->
<cfset arrPassword[ 3 ] = Mid(
	strUpperCaseAlpha,
	RandRange( 1, Len( strUpperCaseAlpha ) ),
	1
	) />


<!---
	ASSERT: At this time, we have satisfied the character
	requirements of the password, but NOT the length
	requirement. In order to do that, we must add more
	random characters to make up a proper length.
--->


<!--- Create rest of the password. --->
<cfloop
	index="intChar"
	from="#(ArrayLen( arrPassword ) + 1)#"
	to="8"
	step="1">

	<!---
		Pick random value. For this character, we can choose
		from the entire set of valid characters.
	--->
	<cfset arrPassword[ intChar ] = Mid(
		strAllValidChars,
		RandRange( 1, Len( strAllValidChars ) ),
		1
		) />

</cfloop>


<!---
	Now, we have an array that has the proper number of
	characters and fits the business rules. But, we don't
	always want the first three characters to be of the
	same order (by type). Therefore, let's use the Java
	Collections utility class to shuffle this array into
	a "random" order.

	If you are not comfortable using the Java class, you
	can create your own shuffle algorithm.
--->
<cfset CreateObject( "java", "java.util.Collections" ).Shuffle(
	arrPassword
	) />


<!---
	We now have a randomly shuffled array. Now, we just need
	to join all the characters into a single string. We can
	do this by converting the array to a list and then just
	providing no delimiters (empty string delimiter).
--->
<cfset strPassword = ArrayToList(
	arrPassword,
	""
	) />

I ran that a bunch of times and here is the list of passwords it created:

RQ5nYqR1
QL3!g8TD
*dZWd5rP
I5Jvna!5
MqG%T38b
IgD1BLq^
!~51gpZC

As you can see, it is quite random (at least for my powers of perception) and each one complies with the business rules laid out. Of course, if your business rules change, you would have to update the algorithm as needed (and anyone let me know if they want to see a demo of that (based on their business rules)).

Want to use code from this post? Check out the license.

Short link: https://bennadel.com/go/488

Reader Comments

Sam Mitchell Jan 24, 2007 at 4:47 PM

1 Comments

Not that it matters but you should remove the letters "o", "i" and "s" from the strLowerCaseAlpha variable so the end user won't confuse their uppercase values with 0, 1 and 5.

Ben Nadel Jan 24, 2007 at 4:53 PM

15,674 Comments

Sam,

While I am not sure I am completely on board with that decision (but I do completely understand it), your comment goes quite nicely with the idea behind using character sets rather than spans of ASCII values. By using a set of characters, it makes it so easy to pick and choose which characters don't make the cut.

Nicely done.

Phil Duba Jan 24, 2007 at 5:07 PM

3 Comments

I'd second Sam's comment but also include the lower case L from exclusion as on some fonts that looks the same as a 1 or capital I, not that I've ever confused them before ;)

Ben Nadel Jan 24, 2007 at 5:22 PM

15,674 Comments

When I first responded, I forgot that we were GENERATING passwords and was thinking just about passwords in general, which is why I was hesitant to get on board with the character restricitions. But now that I remember we are dealing with generating (hey, I have a lot on my mind), I totally agree. No need to confuse the end user.

Andy May 1, 2007 at 3:05 PM

1 Comments

Thanks a ton for your code. I was looking to create a cfscript function to do this so I did the simple mods on what you wrote to make it a function. Here is the code I created from the code in the original comment.

<cfscript>
/** generatePassword - this function will produce a randomly genereated password
* that is 8 characters long and includes at least one number, lower case letter,
* and upper case letter
*
* none cfscript code found at www.bennadel.com/blog/488-Generating-Random-Passwords-In-ColdFusion-Based-On-Sets-Of-Valid-Characters.htm
* adapted to cfscript code by Andy Marks
*
* @return the generated password
*/
function generatePassword()
{
var strLowerCaseAlpha = "abcdefghijklmnopqrstuvwxyz";
var strUpperCaseAlpha = UCase( strLowerCaseAlpha );
var strNumbers = "0123456789";
var strOtherChars = "!@##$%&*";
var strAllValidChars = (strLowerCaseAlpha & strUpperCaseAlpha & strNumbers & strOtherChars);
var arrPassword = ArrayNew(1);
var strPassword = "";
var intChar = 0;

arrPassword[ 1 ] = Mid(strNumbers,RandRange( 1, Len( strNumbers ) ),1);
arrPassword[ 2 ] = Mid(strLowerCaseAlpha,RandRange( 1, Len( strLowerCaseAlpha ) ),1);
arrPassword[ 3 ] = Mid(strUpperCaseAlpha,RandRange( 1, Len( strUpperCaseAlpha ) ),1);
for(intChar = ArrayLen(arrPassword) + 1; intChar LTE 8; intChar = intChar + 1)
{
arrPassword[ intChar ] = Mid(strAllValidChars,RandRange( 1, Len( strAllValidChars ) ),1);
}
CreateObject( "java", "java.util.Collections" ).Shuffle(arrPassword);
strPassword = ArrayToList(arrPassword,"");
return strPassword;
}
</cfscript>

Ben Nadel May 1, 2007 at 3:19 PM

15,674 Comments

Looks good dude. The only modification I would suggest is to pass in a password length (gt 4) to the function. Right now, you have hard coded 8. It might be a nice little dynamic feature. But looks good.

Chris Chin May 3, 2007 at 7:09 PM

1 Comments

Freakin' awesome dude! Love it and using it! You helped a bunch!

Ben Nadel May 3, 2007 at 7:28 PM

15,674 Comments

Player. Glad to help. Hit me up if you get stuck anywhere.

Peter Bell Dec 3, 2008 at 11:38 AM

55 Comments

Thanks man - just needed this for a quick data conversion project. Worked like a charm (once I got rid of the white space which was hurting my eyes :-))

Thanks!

Ben Nadel Dec 3, 2008 at 11:49 AM

15,674 Comments

@Peter,

Ha ha, you love the white space, you know it.

matt Jul 8, 2010 at 11:50 AM

6 Comments

Ben, I used this today and it saved me a ton of time, I can't give you enough props or thank you enough for your entire site.

Ben Nadel Jul 9, 2010 at 10:18 AM

15,674 Comments

@Matt,

Thanks a lot! I really appreciate hearing that.

Jim Eisenhauer Nov 1, 2010 at 10:00 AM

2 Comments

You just saved me a ton of time and research, I just love how when I need to find something your blog usually has the answer, thanks for your continual contribution to the community!

Ben Nadel Nov 1, 2010 at 8:47 PM

15,674 Comments

@Jim,

Absolutely my pleasure! I'm so happy that posts like this continue to deliver value :)

Holly Nov 2, 2010 at 2:55 PM

1 Comments

Nice looking piece of code (as usual) - you just saved me some time!

Ben Nadel Nov 3, 2010 at 10:35 AM

15,674 Comments

@Holly,

Always happy to help out :)

Preston Jan 5, 2011 at 6:46 PM

1 Comments

Thanks! You saved my some time for sure.

Andy G. Feb 18, 2011 at 1:55 PM

2 Comments

Thanks Ben, I was starting to write my own and decided to check out your site (once again) since you are the CF King!
So many times your site has helped me with my projects.
I owe you a few brews if you are ever in upstate NY!

Ben Nadel Feb 23, 2011 at 10:20 AM

15,674 Comments

@Andy,

Ha ha, always glad to help! Where in NY do you live (I'm in NYC).

Andy G. Feb 23, 2011 at 10:25 AM

2 Comments

@Ben,

Elmira, Corning area (lots of micro-brews and loads of finger lakes wine!)

Ben Nadel Feb 23, 2011 at 10:30 AM

15,674 Comments

@Andy,

Ah, pretty far out west (relatively speaking).

Sandi Schleicher May 13, 2011 at 6:38 PM

1 Comments

Ben, even 4+ years after your original post this is still coming in handy! You are always a great source for solutions or at least a fresh perspective when trying to solve a problem. Thanks again! Keep up the good work!

Eric Bourland Sep 19, 2011 at 2:27 PM

1 Comments

Andy Marks, and Ben, this cfscript came in really handy. Thanks for writing it.

Eric

Anna Sep 19, 2011 at 2:53 PM

383 Comments

cool! There've been many times when I have wanted to do something like this, but as usual am coming across the post late. I can agree with the confusing users thing. When I first read the thing about the I, I forgot about fonts, and I thought O's where the only necessary thing...since I have confused them myself even in just coding (what is worse is that the keys on the board are so close to each other, it is easy to hit the wrong one without realizing it). In the font I usually use, the I has definite lines on top and bottom, and the 1 has a line at the top, but only on one side, slanting down, and of course has the bottom one, so they are pretty distinctive, but I could see how in some fonts they probably look very similar. Same with the lowercase l.

David Swain Sep 21, 2011 at 12:07 PM

1 Comments

Just a quick note...if you are calling this file like I am, it might help to put this at the top of the file:
<cfprocessingdirective suppresswhitespace="yes">
<cfsetting enablecfoutputonly="no">
<cfsetting showdebugoutput="no">

...and this at the bottom

<cfoutput>#strPassword#</cfoutput></cfprocessingdirective><cfabort>

...that way you just get the password back. I'm using ajax to call it and then populate a form box with the generated password and I'm working on a dev box with all the debug turned on. The code I put in here keeps it returning just the generated password.

Kevin B Sep 21, 2011 at 1:59 PM

21 Comments

@David

I usually just use

<cfcontent type="application/json" reset="true"><cfoutput>#myvar#</cfoutput><cfabort>

replacing application/json based on the kind of data i'm returning. for example, text/plain text/html or text/xml etc.

Henry Oct 27, 2011 at 6:04 AM

1 Comments

Ben, despite this being 4 years old now it's still great. It's taken me a matter of minutes to add this to a site I'm working on currently - many many thanks. Your blog is always outstanding! Big love from England

Richard Hughes Dec 21, 2011 at 4:41 PM

5 Comments

I wish I scrolled down to see the cfscript version before I did this!

Richard Hughes Dec 21, 2011 at 5:28 PM

5 Comments

Rev 2.0 of this, Ben, can you remove the prior post?

<cfset CreateObject( "java", "java.util.Collections" ).Shuffle(
arrPassword
) />


<cfset strPassword = ArrayToList(
arrPassword,
""
) />

<cfreturn strPassword>
</cffunction>

Marcus Jan 31, 2012 at 3:40 PM

1 Comments

Thanks! This was just what I was looking for.

Shawn May 14, 2012 at 2:58 PM

1 Comments

SWEET!! I always find the best examples on your site \m/ >< \m/

Raghuram Reddy Gottimukkula Jun 19, 2012 at 3:17 PM

13 Comments

Ben,
Need to find the new way of doing the same using java/coldfusion new functions.

Thanks,
Raghuram Reddy Gottimukkula
Hyderabad India.

Elizabeth Adkins May 20, 2014 at 11:57 AM

2 Comments

You're site has been my go to site for years. I put this password code into place years ago and only just now got an error from the * char when coldfusion compared it to the one in a database using SQL (where...password = <cfqueryparam value="#password#" cfsqltype="cf_sql_longvarchar" maxlength="5">). The error was: application error The cause of this output exception was that: coldfusion.tagext.sql.QueryParamTag$InvalidDataException: Invalid data value 4F5*A exceeds maxlength setting 5. I'm guessing coldfusion didn't know exactly what to do with the '*'? Now I'm wondering about the *,#, and % chars since they have can be used for other purposes. Which characters will NOT cause a problem? How about '-' and '_'. Are those safe to put in?

Steven Neiland Jun 10, 2014 at 11:05 AM

61 Comments

Once again you save me time and effort by doing the work for me.

These days I always put +bennadel into google when looking for ColdFusion answer quickly.

Oh my chickens, this post is old!

Hit me up on Twitter if you want to discuss it further.