Password Generator: Complete Guide to Creating Secure Passwords

Why Password Security Matters

Passwords remain the primary authentication method for most systems. A single weak password can compromise your entire digital life.

The State of Password Security

• 81% of breaches involve weak or stolen passwords
• 59% of people reuse passwords across sites
• 23 million accounts used "123456" as their password
• Average person has 100+ online accounts

What Makes a Strong Password?

The Key Factors

• Length: Longer is better (16+ characters recommended)
• Complexity: Mix of character types
• Randomness: Truly random, not predictable
• Uniqueness: Different for every account

Password Entropy

Entropy measures password unpredictability in bits:

Password Type	Example	Entropy
4-digit PIN	1234	~13 bits
8 lowercase	abcdefgh	~38 bits
8 mixed case	AbCdEfGh	~46 bits
8 all types	A1b@C3d!	~52 bits
16 all types	A1b@C3d!E5f#G7h%	~105 bits
4 random words	correct-horse-battery-staple	~44 bits

Recommended: 80+ bits of entropy for important accounts.

Entropy Calculation

// Entropy = log2(pool_size ^ length)
// Or: length * log2(pool_size)

function calculateEntropy(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Examples:
// 8 lowercase letters (26 chars)
calculateEntropy(8, 26);  // ~38 bits

// 12 mixed case + numbers (62 chars)
calculateEntropy(12, 62); // ~71 bits

// 16 all types (95 printable ASCII)
calculateEntropy(16, 95); // ~105 bits

Types of Password Generation

Random Character Passwords

x7#Kp9@mN2$qL5!w

Pros:

• High entropy per character
• Compact length

Cons:

• Hard to memorize
• Difficult to type

Passphrase (Word-based)

correct-horse-battery-staple
umbrella-quantum-bicycle-festival

Pros:

• Easier to remember
• Easier to type
• Can be very secure with enough words

Cons:

• Longer to type
• Need truly random word selection

Pronounceable Passwords

KobutiWefa42
MelopinDart89

Pros:

• Easier to remember than random
• Easier to say/share verbally

Cons:

• Lower entropy than full random
• Pattern may be guessable

Generating Secure Passwords

JavaScript (Browser)

function generatePassword(length = 16, options = {}) {
  const {
    uppercase = true,
    lowercase = true,
    numbers = true,
    symbols = true
  } = options;

  let charset = '';
  if (uppercase) charset += 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
  if (lowercase) charset += 'abcdefghijklmnopqrstuvwxyz';
  if (numbers) charset += '0123456789';
  if (symbols) charset += '!@#$%^&*()_+-=[]{}|;:,.<>?';

  const array = new Uint32Array(length);
  crypto.getRandomValues(array);

  return Array.from(array, n => charset[n % charset.length]).join('');
}

// Usage
generatePassword(16);
// "x7#Kp9@mN2$qL5!w"

generatePassword(20, { symbols: false });
// "Kp9mN2qL5wRt8yUi3oAz"

Node.js

const crypto = require('crypto');

function generatePassword(length = 16) {
  const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';
  const bytes = crypto.randomBytes(length);
  return Array.from(bytes, b => charset[b % charset.length]).join('');
}

Python

import secrets
import string

def generate_password(length=16, use_symbols=True):
    chars = string.ascii_letters + string.digits
    if use_symbols:
        chars += string.punctuation

    return ''.join(secrets.choice(chars) for _ in range(length))

# Usage
generate_password(16)
# "x7#Kp9@mN2$qL5!w"

Passphrase Generation

// Using a word list (like EFF's diceware list)
const wordList = ['correct', 'horse', 'battery', 'staple', ...]; // 7776 words

function generatePassphrase(wordCount = 4) {
  const array = new Uint32Array(wordCount);
  crypto.getRandomValues(array);

  return Array.from(array, n => wordList[n % wordList.length]).join('-');
}

// Usage
generatePassphrase(4);
// "umbrella-quantum-bicycle-festival"

Password Policies

Recommended Requirements

Requirement	Good	Better	Best
Minimum length	8	12	16+
Character types	2	3	4
No dictionary words	Optional	Recommended	Required
No sequential chars	Optional	Recommended	Required
Unique per account	Required	Required	Required

What NOT to Require

• Frequent changes: Leads to weak passwords
• Arbitrary complexity: "Must have exactly 2 numbers"
• No spaces: Passphrases are valid
• Max length limits: Don't limit strong passwords

NIST Guidelines (2024)

• Minimum 8 characters (longer preferred)
• Allow all printable characters
• No composition rules (uppercase, symbols, etc.)
• Check against breached password lists
• No periodic password changes (unless compromised)
• Allow paste in password fields

Checking Password Strength

Common Checks

function checkPasswordStrength(password) {
  const checks = {
    length: password.length >= 12,
    uppercase: /[A-Z]/.test(password),
    lowercase: /[a-z]/.test(password),
    numbers: /[0-9]/.test(password),
    symbols: /[^A-Za-z0-9]/.test(password),
    noCommon: !commonPasswords.includes(password.toLowerCase()),
    noSequential: !/(.)\1{2,}/.test(password), // No "aaa" or "111"
    noKeyboard: !/(qwerty|asdf|zxcv)/i.test(password)
  };

  const score = Object.values(checks).filter(Boolean).length;

  return {
    checks,
    score,
    strength: score < 4 ? 'weak' : score < 6 ? 'medium' : 'strong'
  };
}

Using Have I Been Pwned API

async function isPasswordBreached(password) {
  // Hash the password
  const encoder = new TextEncoder();
  const data = encoder.encode(password);
  const hashBuffer = await crypto.subtle.digest('SHA-1', data);
  const hashArray = Array.from(new Uint8Array(hashBuffer));
  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');

  // Send only first 5 characters (k-anonymity)
  const prefix = hashHex.slice(0, 5).toUpperCase();
  const suffix = hashHex.slice(5).toUpperCase();

  const response = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`);
  const text = await response.text();

  // Check if our suffix is in the response
  return text.includes(suffix);
}

// Usage
if (await isPasswordBreached('password123')) {
  console.log('This password has been breached!');
}

Password Storage

Never Store Plain Text

// ❌ NEVER do this
db.users.insert({ password: 'user_password' });

// ❌ Still bad - simple hash
db.users.insert({ password: sha256('user_password') });

// ✅ Correct - proper password hashing
const hash = await bcrypt.hash('user_password', 12);
db.users.insert({ password: hash });

Recommended Hashing Algorithms

Algorithm	Recommended	Notes
Argon2id	Yes	Best choice, memory-hard
bcrypt	Yes	Time-tested, widely supported
scrypt	Yes	Memory-hard alternative
PBKDF2	OK	Use high iterations (310,000+)
SHA-256	No	Too fast, no salt by default
MD5	No	Broken, never use

Implementation Example

const bcrypt = require('bcrypt');

// Registration
async function registerUser(email, password) {
  const saltRounds = 12;
  const hashedPassword = await bcrypt.hash(password, saltRounds);

  await db.users.insert({
    email,
    password: hashedPassword
  });
}

// Login
async function loginUser(email, password) {
  const user = await db.users.findOne({ email });
  if (!user) return false;

  return bcrypt.compare(password, user.password);
}

Password Managers

Why Use One?

• Generate unique passwords for every site
• Remember only one master password
• Autofill credentials securely
• Sync across devices
• Alert on breached passwords

Popular Options

Manager	Open Source	Cloud Sync	Price
Bitwarden	Yes	Yes	Free/Premium
1Password	No	Yes	Paid
KeePass	Yes	Manual	Free
Dashlane	No	Yes	Free/Premium
LastPass	No	Yes	Free/Premium

Best Practices Summary

For Users

• Use a password manager
• Generate random 16+ character passwords
• Never reuse passwords
• Enable 2FA wherever possible
• Check for breaches periodically

For Developers

• Never store plain text passwords
• Use Argon2id or bcrypt
• Allow long passwords (64+ chars)
• Don't enforce arbitrary complexity rules
• Check against breached password lists
• Implement account lockout
• Support 2FA/MFA

Conclusion

Password security is foundational to digital safety. Use a password generator to create strong, unique passwords for every account, and let a password manager handle the complexity.

Use our free Password Generator to create cryptographically secure passwords of any length and complexity.