How to Improve a Password Validation Function in PHP: Ensuring Strong Security and Proper Function Typing

Question

I'm currently developing an admin login page in PHP, which interacts with a MySQL database. To enhance security, I'm focusing on implementing a robust password validation function. However, I've encountered some issues highlighted by PHPStan, particularly related to function typing.

PHPStan reports:

1. "Function validate_password() has no return type specified."

2. "Function validate_password() has a parameter $password with no type specified."

I would appreciate guidance on the following points:

1. What would be the appropriate return type for the validate_password() function?

2. How should I specify the type for the $password parameter?

3. Are there any recommended practices or additional steps I could take to strengthen the password validation process?

Below is my current implementation of the validate_password() function:

// Main Password Validation Function
function validate_password($password)
{
  // Password Policy Definition
  $min_length = 8;
  $max_length = 64;
  $require_uppercase = true;
  $require_lowercase = true;
  $require_numbers = true;
  $require_special_chars = true;
  $max_consecutive_characters = 3;
  $pass_length = mb_strlen($password);


  if (!isset($password) || !is_string($password)) {
    throw new Exception('Password must be a string.');
  }

  if ($password === '' || empty($password)) {
    throw new Exception('Password field cannot be empty.');
  }

  // Check Password Length
  if ($pass_length < $min_length || $pass_length > $max_length) {
    throw new Exception('Password length must be between ' . $min_length . ' and ' . $max_length . ' characters.');
  }

  // Check Character Types in Password
  if ($require_uppercase && !preg_match('/[A-Z]/', $password)) {
    throw new Exception('Password must include at least one uppercase letter.');
  }

  if ($require_lowercase && !preg_match('/[a-z]/', $password)) {
    throw new Exception('Password must include at least one lowercase letter.');
  }

  if ($require_numbers && !preg_match('/\d/', $password)) {
    throw new Exception('Password must include at least one number.');
  }

  if ($require_special_chars && !preg_match('/[\W_]/', $password)) {
    throw new Exception('Password must include at least one special character.');
  }

  // Check for Consecutive Characters
  if (hasTooManyConsecutiveCharacters($password, $max_consecutive_characters)) {
    throw new Exception('Password must not contain more than ' . $max_consecutive_characters . ' consecutive identical characters.');
  }

  return $password;
}


// Function to Detect Too Many Consecutive Identical Characters
function hasTooManyConsecutiveCharacters($password, $limit)
{
  $regex = '/(.)\\1{' . $limit . ',}/';
  return preg_match($regex, $password);
}

call function when submit

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  try {
    $password = validate_password($_POST['password']);
}

Any suggestions or best practices for enhancing the security and efficiency of this function would be greatly appreciated.