Password generators are a fantastic tool. None of us should reuse passwords, and what we tend to come up with off the top of our heads isn’t as hack-proof as we’d like to think. However, not all password generators are secure. So when it comes to the question of using any old online password generator, our immediate gut reaction is a resounding “NO!”
That said, it depends. Secure password generators, like those connected to password managers, use cryptographically secure pseudo-random number generators or have offline functionality so that you can generate passwords to your heart's content without the risk of anyone sneaking a look through your Internet connection.
Why are password generators only pseudo-random? Because they use algorithms. Computers can’t actually be random on their own: the algorithm needs a seed number to kickstart it, and every result that follows is determined by that seed. All results seem randomized, but they actually aren’t.
“Password managers and other computer programs use what's called a pseudo-random algorithm. This algorithm starts with a number called a seed. The algorithm processes the seed and gets a new number with no traceable connection to the old, and the new number becomes the next seed. The original seed never turns up again until every other number has come up. If the seed was a 32-bit integer, that means the algorithm would run through 4,294,967,295 other numbers before a repeat.”–PCMag
If you’re using a random site that popped up in your first Google results, we advise that you run. For basic cybersecurity reasons, you don’t know the website or who might be monitoring it on the sly. You don’t know whether they’re keeping your data and storing the generated passwords on a poorly secured server. And you probably didn’t check whether the website in question is using a regular pseudo-random number generator or a cryptographically secure pseudo-random number generator. While we don’t normally advise believing whatever technical mumbo jumbo a site puts in its description, let us just say that secure password managers use the latter, while an SSL-less website with a name like “SUPER SECURE PASSWORD GENERATOR” likely does not.
There are also offline password generators out there, like this one. You pull it up, disconnect from the Internet, do your thing, and clear your cache before reconnecting. You could also create your own random password generator if you’re skeptical of Internet security standards and have the time to do so.
Password generators give you a lot of options before spitting out a string of characters. You can choose length, character type, and whether you want it to be fairly memorable or readable. Granted, using a password manager in the first place means you can make intense passwords without having to worry about remembering them. Take the LastPass generator, for example:
Experts often recommend an 8-character password at a minimum. Like with most professionally recommended minimums, you probably want to go higher. LastPass opens the generator with the length set to 20, but 16 characters is a good bet—for passphrases, this comes out to 3 or 4 words unless you’re going for a Scrabble high score. Another reason for extra length in randomly generated passwords? You don’t know how the generator is set up to work. It may have unseen settings that make the generated password significantly less random than it appears. As PCMag continues in their blog linked above, some generators are set to use all character types available: uppercase, lowercase, numbers, and symbols. The shorter your password, the fewer options possible:
“There are 40,960,000 possible four-character passwords, drawing from a collection of 80 characters. But some password generators force selection of at least one from each type of character, and that shaves down the possibilities drastically...our 40 million possibilities dwindle to 1,209,600.
Using all character sets is a necessity for many websites. To avoid letting that requirement shrink your password pool, set the password length high. When the password is long enough, the effect of forcing all character types becomes negligible.” —PCMag
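To make the two points above concrete, here is an added Python example (not code from the original post or from PCMag) that draws passwords from the operating system's CSPRNG via `secrets`, contrasts that with a seeded `random` generator, and counts how many passwords survive the "at least one of each class" rule by inclusion-exclusion. It assumes four classes totalling 80 characters with an 18-symbol set of our own choosing, since the excerpt does not say how its 80 characters are split; the exact count for short lengths depends on that split, but the shrinking effect, and its disappearance at length 16 and beyond, does not.

```python
import random
import secrets
import string
from itertools import combinations

# Four character classes totalling 80 characters, as in the PCMag excerpt.
# The 18-symbol set is an assumption; the excerpt does not list its symbols.
CLASSES = {
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
    "digit": string.digits,            # 10
    "symbol": "!@#$%^&*()-_=+[]{}",    # 18
}
ALPHABET = "".join(CLASSES.values())

def total_passwords(length: int) -> int:
    """Passwords of this length when any position may hold any character."""
    return len(ALPHABET) ** length

def passwords_with_every_class(length: int) -> int:
    """Passwords containing at least one character of every class, counted
    by inclusion-exclusion over which classes are absent."""
    sizes = [len(chars) for chars in CLASSES.values()]
    total = 0
    for k in range(len(sizes) + 1):
        for absent in combinations(range(len(sizes)), k):
            remaining = sum(s for i, s in enumerate(sizes) if i not in absent)
            total += (-1) ** k * remaining ** length
    return total

def has_every_class(password: str) -> bool:
    return all(any(c in chars for c in password) for chars in CLASSES.values())

def generate(length: int, require_every_class: bool = True) -> str:
    """Draw from the OS CSPRNG via `secrets`. Candidates missing a class are
    rejected and redrawn, so accepted passwords stay uniform over the allowed
    set instead of being biased by a 'one of each class, then fill' scheme."""
    if require_every_class and length < len(CLASSES):
        raise ValueError("length must be at least the number of classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_every_class or has_every_class(candidate):
            return candidate

def seeded_prng_password(seed: int, length: int = 12) -> str:
    """The pitfall the article describes: `random` seeded with a known value
    reproduces the same 'random' password every time."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))
```

With this split, forcing every class leaves about 7% of the four-character space but more than 85% of the sixteen-character space.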
Passphrases are strings of random words used as passwords. They’re hard to randomly guess but easy to remember. You could use the name of your cat with zeroes for o’s and some random punctuation on the end and think you have a strong password. But everyone knows the common substitutions, and how likely are you to remember which random punctuation you threw in there, anyway? This XKCD classic is regularly circulated for a reason:
Another memorable passphrase example could be something like “person woman camera tv,” but we wouldn’t recommend that specific example as a secure choice.
Humans are terrible at randomization. Odds are, your choice of a passphrase is going to be fairly crackable. Luckily, some password managers, like 1Password, include a passphrase generator feature in their usual password generator tools. Or you could have some fun and roll the dice for a truly random outcome, and open a book to the page number you rolled and pick the first decently long word you see. (Okay, “fun” could be in the eye of the beholder in this situation.) Another option is a mnemonic device for remembering an otherwise nondescript phrase.
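The dice-and-word-list idea above, written out as an added Python example (not code from the original post or from any password manager): dice are rolled with `secrets.randbelow`, the rolls are read as a base-6 index into a word list, and out-of-range rolls are rerolled so every word is equally likely. The 25-word list is a constructed stand-in for a real list such as a 7,776-word diceware list, which is why the entropy helper takes the list size as a parameter.

```python
import math
import secrets

# Constructed stand-in word list; a real list would be far longer.
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "harbor",
    "ingot", "juniper", "kestrel", "lantern", "marble", "nettle", "orchid",
    "pewter", "quartz", "ridge", "saffron", "timber", "umber", "velvet",
    "walnut", "yarrow", "zephyr",
]

def roll_die() -> int:
    """One fair six-sided die from the OS CSPRNG (randbelow is unbiased)."""
    return secrets.randbelow(6) + 1

def rolls_to_index(rolls: list[int]) -> int:
    """Read dice rolls as a base-6 number: 1-1 -> 0, 1-2 -> 1, ..., 6-6 -> 35."""
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index

def dice_needed(words: int) -> int:
    """Smallest number of dice whose 6**n outcomes cover the whole list."""
    n = 0
    while 6 ** n < words:
        n += 1
    return n

def pick_word(words: list[str]) -> str:
    """Roll enough dice to index the list; reroll outcomes past the end so
    the draw stays uniform instead of wrapping around with modulo bias."""
    n = dice_needed(len(words))
    while True:
        idx = rolls_to_index([roll_die() for _ in range(n)])
        if idx < len(words):
            return words[idx]

def passphrase(count: int, words: list[str] = WORDS, sep: str = " ") -> str:
    return sep.join(pick_word(words) for _ in range(count))

def entropy_bits(count: int, list_size: int) -> float:
    """Guessing work, in bits, for `count` uniform picks from `list_size` words."""
    return count * math.log2(list_size)
```

Four words from a 7,776-word list give about 51.7 bits; four words from the 25-word list here give under 19, which is why the size of the list matters as much as the number of words.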