rand() function rand does not generate cryptographically secure values, and should not be used for cryptographic purposes. Min and max are inclusive. mt_rand() used to be used in place of ran() because it was faster, but from PHP7.1 rand uses same as mt_rand. Cryptographically secure random number generators random_int() random_bytes() openssl_random_pseudo_bytes()

openssl_random_pseudo_bytes is used for cryptographical randomness where rnd() isn't suitable $salt = openssl_random_pseudo_bytes(22); $salt = substr(strtr(base64_encode($salt), array('_' => '.', '~' => '/')),0,22); //Sets length to 22 characters