This page contains a strong random password generator. The password is generated in your browser and never sent over the Internet.
ContentsWhat is a good random password like? Online password generator What if you don't like the generated password? How this random password generator works Other password generators Norton Password Generator XKCD Random Password Generator Secure Password Generator
What is a good random password like?
State-of-the-art password guessing software is able to guess passwords up to about 14-16 characters (as of 2017). Unfortunately, this is more than most people can remember. For most non-critical Internet services, shorter passwords (e.g., eight random characters, or three random words) are usually enough.
If you are generating passwords for servers or other security-critical applications, we recommend using the maximum length passwords (16 characters).
Online password generator
If you don't like the generated password, you can always generate a new one. You might want to do this, for example, if the words seem hard to remember. Just click "Generate password" again, as many times as you like. Theoretically selecting from multiple passwords makes them a bit weaker, but in practice this does not matter.
If you need a password with special characters, keep clicking on the "Generate password" button until the generated password contains a special character. You can also take just part of the generated password, and add your own characters for extra security.
How this random password generator works
For the technically minded people, here is how this strong password generator works:
- Approximately 120 bits of randomness is fetched from https://www.random.org. This ensures good password quality even with old browsers.
- 128 bits of cryptographic quality random data is added from your web browser (window.crypto.getRandomValues). Modern browsers support this, but older browsers do not. This random data ensures security of the password even against parties capable of reading HTTPS-encrypted data.
- 32-bits of non-cryptographic quality randomness is added from your web browser (Math.random), just as an extra security measure.
- The random data from all three sources is concatenated, and the SHA256 hash function is used to derive a raw password from them.
- The result is truncated to your requested password length (96, 64, or 48 bits, based on strength).
- The truncated value is encoded either using BASE64 encoding (with = characters removed from the end) or by using a dictionary of 65536 words to encode each 16 bit group into a random word.
- The resulting password is then displayed.
Other password generators
Norton Password Generator
The Norton password generator is (was?) is part of Norton's IdentitySafe suite and was available at https://identitysafe.norton.com/password-generator/. It's main difference to our generator is that the Norton password generator generates the password on the server (June 2017). This means that the method they use for generating the password cannot be independently verified, and anyone capable of breaking HTTPS encryption will be able to read the password while it is transmitted over the network. It is known that many governments routinely break HTTPS by using fake certificates or weaknesses in the SSL and TLS protocols. Consequently, we do not recommend using the Norton Password Generator.
XKCD Random Password Generator
The XKCD Random Password Generator does not use any cryptographic entropy on the client side. While it gets some entropy from the server, its source and quality is not known. The fact that no client-side cryptographic entropy is included suggests limited of knowledge of cryptography and randomness. The generated passwords (four-word combinations) contain less than 44 bits of randomness. This is too little - it is even less than our Weak passwords. Such passwords can be broken with brute force attacks in relatively short time. However, worst of all, it does not use HTTPS and sends the generated passwords over the network in the clear (June 2017). Thus, we absolutely do not recommend using the XKCD Random Password Generator. You can generate stronger passwords consisting of words using the password generator on this page.
Secure Password Generator
The so called Secure Password Generator at http://passwordsgenerator.net/ suffers from several weaknesses. Most importantly, it generates the password on a server using an AJAX call, and transmits the password over the internet WITHOUT ENCRYPTION. This, almost anyone can see your password from the network and intelligence agencies are likely to record such traffic (June 2017). Furthermore, the password is generated on the server, with no means of verifying how it is generated. Thus, we absolutely do not recommend using it for generating any passwords.
Becoming passwordless with PrivX by SSH Communications Security
One of the best ways to mitigate the password risk is by adopting passwordless authentication methods. This is particularly recommended in critical infrastructures and large IT environments, since it eliminates the need to enforce traditional password policies, manage passwords and rotate passwords in general. Passwordless authentication ensures that the user does not see or handle any secrets required to establish a connection nor does it leave behind any passwords than can be stolen or broken with any type of password attack.
PrivX by SSH allows users to authenticate themselves to IT and OT targets with passwordless authentication and without the need for the administrator to vault, rotate or otherwise manage passwords.