You’ve just signed up for a new site, and it’s asking you to pick a password. So what do you do? Use your birthday or the name of your labradoodle? Type in your favorite password, the one you use everywhere? Mash the keyboard at random and hope you remember whatever came out, such as m4i/enH? All of these are bad ideas. What you need is a password manager that both stores and protects your passwords. For starters, every new account gets a long, strong, random password. As time allows, you upgrade the passwords on your existing accounts. But don’t waste time fumbling at the keyboard to invent passwords; your password manager can do that for you.
You don’t have to invent those odd-looking passwords yourself, because almost every password manager includes a password generator. (If you prefer a do-it-yourself approach, we’ll show you how to build your own random password generator.) Not all password generators are created equal, however. Once you understand how they work, you can choose the best one for you and make wise use of the one you already have.
Random or Non-Random Password Generators?
When you roll a pair of dice, the outcome is unpredictable. Nobody knows whether you’ll get snake eyes, boxcars, or lucky seven. A computer program has no dice to roll. Hardware random number generators do exist, some even based on radioactive decay, but you won’t find one built into your typical password manager. Instead, the operating system collects unpredictable events (hardware noise, timing jitter, and on newer CPUs a built-in hardware generator) and mixes them into the random numbers it hands to applications.
Password managers and other computer tools therefore rely on a pseudo-random algorithm. The procedure starts from a number called the seed. The algorithm transforms the seed into an output number and a new internal state, which serves as the seed for the next round. The output looks random, but it is entirely determined by the starting seed: run the same algorithm from the same seed and you get the same sequence every time. A generator also has a finite period. With a 32-bit state, for example, there are only 4,294,967,296 possible values, so the sequence must repeat after at most that many steps.
That is fine for a game or a simulation, but for passwords the question is whether anyone else can predict the output. Someone who knows the algorithm and the seed reproduces the sequence trivially; the hard part is obtaining the seed. That is why a well-built generator seeds itself from the operating system’s cryptographic random number generator, whose output is designed to be unpredictable even to someone who has seen earlier output. A plain, non-cryptographic generator, such as a programming language’s default random() function, makes no such promise and should not be used for passwords.
Outside of a deliberate nation-state attack or corporate espionage, such a targeted attack on your password generator is extremely improbable, and if you are the target of one, your security suite is unlikely to protect you anyway. Fortunately, you are almost certainly not a target for cyber espionage of that kind.
Even so, a few password managers go out of their way to eliminate even that remote possibility. They add your own mouse movements or randomly typed characters to the generator’s input to obtain a truly unpredictable result. AceBIT Password Depot, KeePass, and Steganos Password Manager are among the programs that offer this kind of real-world randomization. Password Depot’s matrix-style randomizer is shown in the screenshot above; the characters really do drop as you move your mouse.
Do you need real-world randomization? Probably not. But if it makes you feel better, go right ahead.
Password Managers Reduce Randomness
Of course, what you want from a password generator is not random numbers but a password. The generator uses the random numbers to pick characters from the available character sets and strings them together. Unless you’re creating a password for a site that doesn’t accept special characters, you should use every character set on offer.
The character pool contains 26 uppercase letters, 26 lowercase letters, and 10 digits. It also contains a set of special characters that varies from one product to the next; for simplicity, let’s say 18 special characters are available. That makes 80 characters in all, a nice round number. Each position in a truly random password has 80 possible values, so the number of possible eight-character passwords is 80 to the eighth power, or 1,677,721,600,000,000, more than a quadrillion. That is a lot of slogging for a brute-force attack, and brute-force guessing is the only way to crack a truly random password.
Of course, a truly random generator will eventually produce aaaaaaaa, Covfefe!, and 12345678, because each of those is exactly as likely as any other sequence of eight characters. Some password generators filter their output to avoid passwords like these. That sounds sensible, but if an attacker knows the filter rules, the set of passwords the attacker has to try shrinks, making brute-force cracking slightly easier.
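The two mechanisms described above, the seeded pseudo-random algorithm of the previous section and the draw-from-an-80-character-pool arithmetic of this one, as an added Python example. This is my illustration, not code from any password manager named on this page. The 18 special characters are an assumption standing in for the article’s simplifying figure. The seeded generator shows that anyone who knows the algorithm and the seed regenerates the identical password; the `secrets`-based generator draws from the operating system’s cryptographic RNG instead, and the helper functions compute the 80^n search space and its size in bits.

```python
import math
import random
import secrets
import string

# Constructed character pool matching the article's arithmetic: 26 + 26 + 10 + 18 = 80.
# The particular 18 special characters are an assumption; products differ here.
SPECIALS = "!@#$%^&*()-_=+[]{}"
POOL = string.ascii_uppercase + string.ascii_lowercase + string.digits + SPECIALS


def search_space(length, pool_size=len(POOL)):
    """Number of equally likely passwords of this length: pool_size ** length."""
    return pool_size ** length


def entropy_bits(length, pool_size=len(POOL)):
    """Bits of entropy of a uniformly random password: length * log2(pool_size)."""
    return length * math.log2(pool_size)


def generate_pseudo(length, seed):
    """A generator built on Python's default PRNG (Mersenne Twister), seeded explicitly.
    Anyone who knows the algorithm and the seed reproduces the output exactly, which is
    what makes a non-cryptographic PRNG unsuitable for passwords."""
    rng = random.Random(seed)
    return "".join(rng.choice(POOL) for _ in range(length))


def generate_secure(length):
    """A generator built on the operating system's cryptographic RNG via `secrets`.
    secrets.choice uses rejection sampling, so each of the 80 characters is equally
    likely (a naive os.urandom(n)[i] % 80 would be biased, because 256 % 80 != 0)."""
    return "".join(secrets.choice(POOL) for _ in range(length))


def attacker_reproduces(seed, length=16):
    """Simulate the attack in the text: the attacker knows the algorithm and the seed
    and regenerates the victim's password. Returns True when the runs match."""
    victim = generate_pseudo(length, seed)
    attacker = generate_pseudo(length, seed)
    return victim == attacker


if __name__ == "__main__":
    print("80^8 =", search_space(8))
    print("bits of entropy per 8-char password: %.2f" % entropy_bits(8))
    print("seeded PRNG, run 1:", generate_pseudo(12, seed=1234))
    print("seeded PRNG, run 2:", generate_pseudo(12, seed=1234))
    print("attacker reproduces it:", attacker_reproduces(1234))
    print("CSPRNG password     :", generate_secure(20))
```

Run it and the two seeded runs print the same 12-character password every time, while each call to `generate_secure` produces a fresh one; the seed value 1234 is of course arbitrary.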
Here’s an extreme example. From a pool of 80 characters there are 40,960,000 possible four-character passwords. But some password generators insist on at least one character from each of the four classes, which cuts the choices dramatically. Count it properly: choose which of the four positions gets the uppercase letter, the lowercase letter, the digit, and the special character (24 orderings), then choose the character for each (26 × 26 × 10 × 18 = 121,680 combinations). That comes to 24 × 121,680 = 2,920,320 passwords, about 7 percent of the 40,960,000. Roughly 93 percent of the possible four-character passwords can never come out of such a generator.
Many websites require all character classes. Set the password length high enough that this requirement barely dents your password pool; the longer the password, the smaller the fraction of candidates the requirement excludes.
Other restrictions imposed by password managers lower the number of viable passwords artificially. RememBear Premium, for example, fixes the exact number of characters from each of the four classes. Its default calls for two capital letters, two digits, 14 lowercase letters, and no symbols, for a total of 18 characters. Counting the ways to arrange that mix, the resulting pool is more than a hundred thousand times smaller than the pool of all 18-character passwords drawn from an 80-character set, a loss of roughly 18 bits. Once again, the fix is simply to increase the password length.
LastPass and several other services avoid easily confused characters, such as the digit 0 and the letter O, by default. If you don’t need to read the password off a screen and type it in, that isn’t necessary; turn it off. Likewise, don’t choose the option to generate a pronounceable password such as xihobuteyo. That option is useful only if you must memorize the password. It not only restricts you to lowercase letters but also discards a large number of candidates that the generator deems unpronounceable.
Generate Long Passwords
As we’ve seen, password generators don’t always draw from the full pool of passwords that satisfy the length and character sets you choose. In the extreme case of a four-character password that must use all four character classes, about 93 percent of the conceivable four-character passwords never appear. The remedy is simple: go long. Since you don’t have to remember these passwords, they can be very long indeed, or at least as long as the website in question permits; some sites do impose limits.
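To make the counting in this section and the previous one concrete, here is an added Python example, my own code rather than anything from the products named above, that counts the constrained pools exactly: an inclusion-exclusion count for the "at least one of each class" rule, a multinomial count for a fixed composition like the RememBear default described above, and a brute-force check on a constructed toy alphabet to confirm the formula. The class sizes (26, 26, 10, 18) are the article’s simplifying figures.

```python
import math
from itertools import product

# Class sizes from the article's worked example: 26 upper, 26 lower, 10 digits,
# 18 specials (the 18 is the article's simplifying assumption), 80 characters in all.
CLASS_SIZES = (26, 26, 10, 18)


def total(length, pool=sum(CLASS_SIZES)):
    """Unconstrained pool: every position may hold any of the 80 characters."""
    return pool ** length


def at_least_one_of_each(length, sizes=CLASS_SIZES):
    """Passwords of `length` that contain at least one character from every class,
    counted by inclusion-exclusion over the subsets of classes that are missing."""
    k = len(sizes)
    pool = sum(sizes)
    count = 0
    for mask in range(1 << k):
        missing = [sizes[i] for i in range(k) if mask >> i & 1]
        sign = -1 if len(missing) % 2 else 1
        count += sign * (pool - sum(missing)) ** length
    return count


def fixed_composition(counts, sizes=CLASS_SIZES):
    """Passwords with exactly counts[i] characters from class i (for example the
    RememBear-style default of 2 upper, 14 lower, 2 digits, 0 symbols): the number of
    arrangements of that mix (a multinomial) times the per-class character choices."""
    length = sum(counts)
    ways = math.factorial(length)
    for n in counts:
        ways //= math.factorial(n)
    for n, s in zip(counts, sizes):
        ways *= s ** n
    return ways


def bits_lost(constrained, unconstrained):
    """How many bits of search space the constraint removes."""
    return math.log2(unconstrained) - math.log2(constrained)


def brute_force_at_least_one(classes, length):
    """Enumerate every string over a tiny constructed alphabet and count the ones
    that use every class. Only feasible for toy sizes; it checks the formula above."""
    alphabet = "".join(classes)
    return sum(
        1 for s in product(alphabet, repeat=length)
        if all(any(c in cls for c in s) for cls in classes)
    )


if __name__ == "__main__":
    for n in (4, 8, 12, 18):
        c = at_least_one_of_each(n)
        print("length %2d: %5.1f%% of passwords reachable, %.3f bits lost"
              % (n, 100 * c / total(n), bits_lost(c, total(n))))
    rb = fixed_composition((2, 14, 2, 0))
    print("fixed 2 upper / 14 lower / 2 digits / 0 symbols: %.1f bits lost vs. 80^18"
          % bits_lost(rb, total(18)))
    toy = ("AB", "ab", "12", "!")   # constructed toy classes of sizes 2, 2, 2, 1
    print("toy check:", brute_force_at_least_one(toy, 4),
          "==", at_least_one_of_each(4, (2, 2, 2, 1)))
```

At length 4 the "one of each" rule throws away about 93 percent of the pool (3.8 bits); at length 18 it costs under a fifth of a bit, which is the whole argument for going long. The fixed-composition rule is far more expensive, a loss of roughly 18 bits at length 18, and lengthening the password is again the only remedy the user controls.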
The larger the search space (what I’ve been calling the pool of potential passwords), the longer a brute-force attack takes to reach your password. To get a feel for the value of length, try the Password Haystack Calculator (as in needle in a haystack) on the Gibson Research website.
Type in a password and the page estimates how long it would take to crack. (The site says, “Nothing you do on this site is ever saved outside of your browser. What happens in this room stays in this room.” Be cautious anyway and don’t enter your real credentials.) If the attacker has to submit guesses over the internet, a four-character password such as f%J3 falls in less than a day. In an offline scenario, where the attacker can test guesses at full speed against a stolen password hash, cracking takes a fraction of a second.
Choose the Best Password Manager
So now you know: length is the most important factor in generating strong, random passwords. Some password generators reject passwords that don’t contain every character class, some reject passwords that contain dictionary words, and others discard passwords with ambiguous characters such as lowercase l and the digit 1. Every such rule shrinks the pool of possible passwords, but once the length is sufficient, the shrinkage no longer matters.
Of course, it’s theoretically (if not practically) possible that an attacker could gain access to your favorite password manager’s generation process and predict the pseudo-random passwords it produces. A shady password manager could even send your new passwords back to headquarters. This is tinfoil-hat territory. If you’d rather not rely on someone else for your random passwords, you can build your own random password generator in Excel, bearing in mind that a spreadsheet’s RAND() function is an ordinary pseudo-random generator, not a cryptographic-quality one.