You probably only have to ask the question twice to get two opposite answers. Are password generators safe? As a security professional, I’ll explain the problems with password generators. Then I’ll tell you why I use them anyway. Most importantly, I’ll tell you how I use them safely.
Before we start talking about password generators, let’s talk about password theory. That helps you understand the appeal of password generators. The whole point of the 8-character password was that for most of the 1990s, it would take a full year to guess the average 8-character password. At the time, most people agreed that was acceptable security.
Always remember: There is no perfect security. There is only acceptable risk.
The problem is that password breaking technology advanced a lot in the last 25-30 years. And yet in some circles that 8-character password is still the standard.
You can have an equivalent level of security today with a 12-character random password. In 1997, you got to pick the characters. Today, a completely random password of 50% greater length is necessary to replicate that 1990s standard.
The other thing, though, is that if you max out the password length, there’s no point in ever changing the password. So if you accept a completely random password of obscene length, there’s no technical reason to change it. Sure, there’s tradition, but that’s not a technical reason.
So we need random passwords. How do we get those, then? Use a password generator.
Are online password generators safe?
Let’s start with the controversial topic first. Are online password generators safe? On the face of it, it seems like they’re the most dangerous thing in the world. You’re trusting someone or something else to generate your password and you have no idea if they’re storing it and what else they’re storing with it.
It’s entirely possible to implement a random password generator that runs in your browser, and never transmits a thing back to the source website. But most people don’t have the skills to vet that. It’s safest to assume they’re storing your password.
I don’t use them a lot, but I occasionally do. Why on earth do I ever use them?
It’s how I use them that matters. I take the password they generate and I change it.
The change doesn’t matter much. Add a few characters in the middle. Change a few characters in the middle. Shuffle a few of the characters around. Something. Contrary to what a certain celebrity said in 2020, having part of a password doesn’t always make it easier to guess it. If it’s nonrandom it does, but in the case of a random password, knowing I changed a few characters in a 16-character password doesn’t help you much. When you don’t know anything about the nature of my change, the number of possible derivatives from that 16-character random password is close enough to limitless to still be OK.
So that’s how you make an online password generator safe. Just randomly change a few characters before you store the password. It’s OK if you picked some of the characters. Just not all.
What about other password generators?
I don’t have to use online password generators very often because there are lots of offline password generators available. Your web browser probably has one. Most password managers have one. And some antivirus suites include one.
Use them. Generated passwords aren’t perfect, but they’re far better than human-created passwords. And all other things being equal, of course I prefer a password generator that’s part of a piece of software I trust over some random website that generates passwords.
And if you’re wondering, the practice of using four random words is still OK. As long as the words are actually random.
Are you saying it’s OK to store passwords?
Of course this brings up another point. Random passwords are hard to remember. That’s the point. I’m telling you to store them. Because then you’ll actually use random passwords. I have absolutely no idea what most of my passwords are, because I’ve never typed them. A machine generated them, and then stored them, and it retrieves it for me when I need it.
A proper password manager is better than storing passwords in your browser. There are problems with storing passwords in your browser, but still, it’s much better than using memorable and insecure passwords. A bonus is that if your password ends up in a breach list, your browser or password manager can warn you, so you can change it, possibly before someone impersonates you.
So, yes, as a security professional, I wish people would generate random passwords and store them. The problems that creates are much smaller than the problem it solves. Especially if you keep your browser and operating system up to date.