How to generate a secure password
Understand secure randomness, length, entropy and safe storage so generated passwords remain genuinely useful.
A strong password is hard to guess, unique to one account and stored safely. A generator can solve the first part only when it uses cryptographically secure randomness and a sufficiently large search space. It cannot make password reuse or unsafe storage secure.
Randomness is the foundation
A secure generator chooses characters with a cryptographic random-number generator such as crypto.getRandomValues in the browser. General-purpose pseudo-random functions such as Math.random are designed for simulations and interface effects, not secrets, because their output may be predictable.
Every allowed character should have an unbiased chance of selection. A careful implementation avoids simple modulo bias when mapping random bytes into a character pool and reselects when a value would skew the distribution.
- Use a generator that clearly identifies its secure randomness source.
- Generate on a trusted, updated device.
- Do not send generated passwords to analytics, logs or remote validation services.
Length and character pool determine the search space
For an independently random password, a simple upper-bound entropy estimate is length multiplied by log base 2 of the character-pool size. A longer password creates exponentially more possibilities. Requiring at least one character from every group changes the exact distribution slightly, so an entropy display should be treated as an estimate rather than a guarantee.
Length is usually the easiest way to add strength. Symbols can expand the pool, but some services restrict them. Use the longest generated password the service accepts and let a password manager handle memorisation.
Constraints improve compatibility, not always entropy
An account may require uppercase, lowercase, numbers or symbols. Requiring one from each enabled group ensures the output satisfies that format, while excluding ambiguous characters can make manual typing easier. Avoiding adjacent repeats improves readability but removes possible outcomes and therefore does not make the mathematical search space larger.
Never weaken a password to satisfy an outdated form until you know its actual rules. If a site silently truncates passwords or rejects password-manager paste, consider that a security warning and use its strongest supported option.
- Enable only groups accepted by the destination.
- Use ambiguous-character exclusion for codes that must be read aloud or typed manually.
- Do not assume visual complexity matters more than random length.
Every account needs a unique password
Reusing one excellent password allows a breach at one service to threaten every other service. Generate a different value for every account and save it in a reputable password manager. Do not email passwords to yourself or keep an unencrypted plain-text list.
Turn on multi-factor authentication where available, preferably with a phishing-resistant method. MFA complements a strong password; it does not make a weak or reused password harmless.
Use the generator privately
A browser generator should create values locally and never store, log or analyse them. Confirm that no account or network request is required. Copy only the password you need, paste it directly into the destination and password manager, then clear the page and clipboard if the device environment makes that appropriate.
No generator can recover a lost value it never stored. Save the password successfully before closing the page, and use the service's recovery codes and account-recovery settings responsibly.
Avoid common password mistakes and match the threat
A generated password protects against guessing and credential reuse, but it cannot protect a compromised device, a convincing phishing page or a service that stores credentials badly. Verify the destination domain before pasting, keep devices and password-manager software updated, and review breach notifications through trusted account channels. Never type a password into a strength checker that sends it to an unknown server.
Security questions, recovery email and one-time recovery codes can bypass the main password, so protect them with equal care. For a password you must remember, a randomly generated multi-word passphrase can be more usable than a shorter jumble, provided the words are independently selected rather than a quotation or personal phrase. Service-specific rules and organisational policy still take priority.
- Do not encode a password in a QR code unless everyone who can see the code may know it.
- Do not share a password and its second factor through the same channel.
- Replace default and temporary credentials as soon as the system permits.
- Treat entropy figures as modelled estimates, not promises of account safety.