Password generation: the honest guide for developers

I've encountered numerous instances where a poorly designed password generator has led to security breaches. A recent example that comes to mind is a web application that used a si

June 6, 2026·5 min read·By Shubham Singla

#security#passwords

I've encountered numerous instances where a poorly designed password generator has led to security breaches. A recent example that comes to mind is a web application that used a simple random number generator to create passwords for new users. The passwords were short, usually eight characters long, and consisted of only uppercase and lowercase letters. As a result, the application was vulnerable to brute-force attacks, and it wasn't long before a malicious actor gained access to the system. This experience taught me the importance of using a reliable password generator that prioritizes entropy over length.

#TL;DR

A good password generator should prioritize entropy over length
Diceware is a more secure method of generating passwords than random character generation
Managers are more effective at securing passwords than relying on user memorization
Server-side generation pitfalls can lead to security breaches if not properly addressed
Using a reputable password generator is crucial for securing user accounts

#Introduction to Password Generation

Password generation is a critical aspect of security, and it's essential to understand the difference between entropy and length. Entropy refers to the amount of uncertainty or randomness in a password, while length refers to the number of characters it contains. A longer password does not necessarily mean it's more secure, as a shorter password with high entropy can be more resistant to brute-force attacks.

#Entropy vs Length

To illustrate the difference between entropy and length, consider a password that consists of a combination of letters, numbers, and special characters. This password has high entropy because it's difficult to predict the next character in the sequence. On the other hand, a longer password that consists of only letters or numbers has lower entropy, making it more vulnerable to attacks.

#Password Generator Methods

There are several methods of generating passwords, including random character generation and diceware. Random character generation involves using a pseudorandom number generator to create a sequence of characters, while diceware involves using a list of words to create a passphrase. Diceware is generally considered more secure because it's more resistant to brute-force attacks.

#Diceware Example

Here's an example of how to use diceware to generate a passphrase:

import random

# List of words
words = ["apple", "banana", "cherry", "date", "elderberry"]

# Generate a passphrase
passphrase = " ".join(random.choice(words) for _ in range(5))

print(passphrase)

This code generates a passphrase by randomly selecting five words from the list.

#Server-Side Generation Pitfalls

Server-side generation pitfalls can lead to security breaches if not properly addressed. One common pitfall is using a predictable random number generator, which can allow an attacker to guess the password. Another pitfall is storing passwords in plaintext, which can allow an attacker to access the password if they gain access to the server.

#Secure Random Number Generation

To avoid using a predictable random number generator, it's essential to use a secure random number generator, such as the one provided by the Crypto/getRandomValues API. This API generates a sequence of cryptographically secure random numbers that can be used to generate passwords.

#Using a Password Generator

Using a reputable password generator is crucial for securing user accounts. A good password generator should prioritize entropy over length and use a secure random number generator. It's also essential to store passwords securely, using a method such as bcrypt or Argon2.

#Password Storage

To store passwords securely, it's essential to use a method that's resistant to brute-force attacks. One such method is bcrypt, which uses a salted hash to store passwords. Here's an example of how to use bcrypt to store a password:

import bcrypt

# Generate a salt
salt = bcrypt.gensalt()

# Hash the password
hashed_password = bcrypt.hashpw("password".encode("utf-8"), salt)

print(hashed_password)

This code generates a salted hash of the password, which can be stored securely.

#Common mistakes

Using a predictable random number generator to generate passwords
Storing passwords in plaintext
Using a password generator that prioritizes length over entropy
Not using a secure method to store passwords
Not using a reputable password generator
Not regularly updating the password generator to ensure it's using the latest security patches

#FAQ

#Is a longer password always more secure?

No, a longer password is not always more secure. A shorter password with high entropy can be more resistant to brute-force attacks than a longer password with low entropy.

#How do I generate a secure random number?

You can generate a secure random number using the Crypto/getRandomValues API, which provides a sequence of cryptographically secure random numbers.

#What is diceware?

Diceware is a method of generating passwords that involves using a list of words to create a passphrase. It's generally considered more secure than random character generation because it's more resistant to brute-force attacks.

#Can I use Base64 encoding to secure my passwords?

No, Base64 encoding is not a secure method of storing passwords. You can use our Base64 encode-decode tool to encode and decode Base64 strings, but it's not suitable for securing passwords.

#How do I store passwords securely?

You can store passwords securely by using a method such as bcrypt or Argon2, which uses a salted hash to store passwords. You can paste the hashed password into our password generator to verify its security.

#Wrapping up

In conclusion, a good password generator should prioritize entropy over length and use a secure random number generator. It's also essential to store passwords securely, using a method such as bcrypt or Argon2. By following these best practices and using a reputable password generator, you can help secure your users' accounts and protect against security breaches. For more information on password security, you can refer to the NIST Special Publication 800-63-3, which provides guidelines for password security.

All posts →

June 19, 2026 · 4 min read

How to decode a JWT: the safe way in 2026

When working with authentication systems, I often encounter JSON Web Tokens (JWTs) that need to be decoded and verified. A JWT is a compact, URL-safe means of representing claims t

June 13, 2026 · 5 min read

HTML escape and unescape: stopping XSS in modern web apps

I've worked on numerous web applications, and one common issue that I've encountered is the risk of cross-site scripting (XSS) attacks. XSS occurs when an attacker injects maliciou

June 7, 2026 · 5 min read