Passwords are terrible. If you use a weak password for your bank website, you risk losing your funds to a brute-force cracking attack. But if you make the password too random, you might forget it and get locked out of the account. You might choose to memorize just one complex password and use it everywhere, but if you do that, a breach at one site exposes all your accounts. Your only reasonable course is to enlist the help of a password manager, and change all your weak and duplicate passwords to unique, random strings of characters.
Almost every password manager includes a password generator component, so you don't have to come up with those random passwords yourself. (But if you want a do-it-yourself solution, we'll show you how to build your own random password generator). However, not all password generators are created equal. When you know how they work, you can choose the one that's best for you, and use the one you have intelligently.
Password Generators—Random or Not?
When you throw a pair of dice, you get a truly random result. Nobody can predict whether you'll get snake eyes, boxcars, or a lucky seven. But in the computer realm, physical randomizers like dice aren't available. Yes, there are a few random number sources based on radioactive decay, but you won't find these in the average consumer-side password manager.
Password managers and other computer programs use what's called a pseudo-random algorithm. This algorithm starts with a number called a seed. The algorithm processes the seed and gets a new number with no traceable connection to the old, and the new number becomes the next seed. The original seed never turns up again until every other number has come up. If the seed was a 32-bit integer, that means the algorithm would run through 4,294,967,295 other numbers before a repeat.
This is fine for everyday use, and fine for most people's password generation needs. However, it's theoretically possible for a skilled hacker to determine the pseudo-random algorithm used. Given that information and the seed, the hacker could conceivably replicate the sequence of random numbers (though it would be difficult).
That sort of directed hacking is extraordinarily unlikely, except in a dedicated nation-state attack, or corporate espionage. If you're the subject of such an attack, your security suite probably can't protect you; fortunately you're almost certainly not the target for this kind of cyberespionage.
Even so, a few password managers actively work to eliminate even the remote possibility of such a focused attack. By incorporating your own mouse movements or random characters into the random algorithm, they obtain a truly random result. Among those that offer this real-world randomization are AceBIT Password Depot, KeePass, and Steganos Password Manager. The screenshot shows Password Depot's matrix-style randomizer; yes, the characters drop as you move your mouse.
Do you really need to add real-world randomization? Probably not. But if it makes you happy, go for it!
Password Managers Reduce Randomness
Of course, password generators don't literally return random numbers. Rather, they return a string of characters, using random numbers to choose from the available character sets. You should always enable use of all available character sets, unless you're generating a password for a website that, say, doesn't allow special characters.
The pool of available characters includes 26 uppercase letters, 26 lowercase letters, and 10 digits. It also includes a collection of special characters that may vary from product to product. For simplicity, let's say there are 18 special characters available. That makes a nice round total of 80 characters to choose from. In a totally random password, there are 80 possibilities for every character. If you choose an eight-character password, the number of possibilities is 80 to the eighth power, or 1,677,721,600,000,000—more than a quadrillion. That's tough slogging for a brute-force cracking attack, and brute-force guessing is really the only way to crack a truly random password.
Of course, a totally random generator will eventually produce "aaaaaaaa" and "Covfefe!" and "12345678," since these are just as likely as any other sequence of eight characters. Some password generators actively filter their output to avoid such passwords. That's fine, but if a hacker knows about those filters, it actually reduces the number of possibilities and makes brute-force cracking easier.
Here's an extreme example. There are 40,960,000 possible four-character passwords, drawing from a collection of 80 characters. But some password generators force selection of at least one from each type of character, and that shaves down the possibilities drastically. There are still 80 possibilities for the first character. Suppose it's an uppercase letter; the pool for the second character is 54 (80 minus the 26 uppercase characters). Further suppose the second character is a lowercase letter. For the third character, only digits and special characters remain, for 28 choices. And if the third character is punctuation, the last must be a digit, 10 choices. Our 40 million possibilities dwindle to 1,209,600.
Using all character sets is a necessity for many websites. To avoid letting that requirement shrink your password pool, set the password length high. When the password is long enough, the effect of forcing all character types becomes negligible.
Other limits that password managers apply reduce the pool of possible passwords unnecessarily. For example, RememBear Premium specifies the precise number of characters from each of the four character set, which drastically reduces the pool. By default, it requires two capital letters, two digits, 14 lowercase letters, and no symbols, for a total of 18 characters. This results in a password pool that's hundreds of millions of times smaller than if it simply required one or more of each character type. Here again, you can offset this problem by setting a higher password length.
LastPass and several others default to avoiding ambiguous character pairs like the digit 0 and the letter O. When you don't have to remember the password, this isn't necessary; turn off this option. Likewise, don't choose the option to generate a pronounceable password like "entlestmospa". That option is only important if it's a password you must remember. Applying this option not only limits you to lowercase characters, it rejects the vast number of possibilities that the password generator deems to be unpronounceable.
Generate Long Passwords
As we've seen, password generators don't necessarily choose from the pool of all possible passwords matching the length and character sets you selected. In the extreme example of a four-character password using all character sets, about 97 percent of possible four-character passwords never appear. The solution is simple; go long! You don't have to remember these passwords, so they can be huge. At least, as huge as the website in question accepts; some do impose limits.
The bigger the search space (what I've been calling the pool of available passwords), the longer it would take a brute force attack to happen upon your password. You can play with the Password Haystack Calculator (as in, needle in a haystack) at the Gibson Research website to get a feel for the value of length.
Just enter a password to see how long cracking it would take. (The site promises "NOTHING you do here ever leaves your browser. What happens here, stays here." But caution suggests you avoid using your actual passwords). A four-character password like 1eA& would take not quite one day to crack, if the hacker has to send guesses online. But in an offline scenario, where the hacker can try guesses at high speed, cracking time is a fraction of a second.
In my article on creating memorable strong passwords (for things like a password manager's master password) I suggest a mnemonic technique that transforms a line from a poem or play into a random-looking password. For example, a line from Romeo and Juliet, Act 2, Scene 2, became "bS,wLtYdWdB?A2S2". This is not a random password, but a cracker doesn't know that. Dropping it into Gibson's calculator we learn that even using a massive cracking array it would take 1.41 hundred million centuries to brute-force this one.
Make an Informed Password Manager Choice
So now you know—the most important factor in generating strong, random passwords is to make them long. Some password generators reject passwords that don't contain all character sets, some reject those with embedded dictionary words, some discard passwords that contain ambiguous character like small l and digit 1. All these restrictions limit the pool of possible passwords, but when the length is high enough, this limitation just doesn't matter.
Of course, it's theoretically (if not practically) possible that some malefactor might hack the password generation scheme of your favorite password manager, and thereby gain the ability to predict the pseudo-random passwords it will offer you. A shady password-manager program could send your random passwords back to company headquarters. This is really in the tinfoil-hat paranoia level of concern. But if you really don't want to rely on someone else for your random passwords, you can create your own random password generator in Excel.