Are Random Password Generators Truly Safe? (Our Research Analysis)


The most common phrase on every password generator’s advertising campaign is “…generate a secure random password with…” Is this true, or is it just another marketing ploy? Are password generators safe to use?

Using a password generator is safe for general purposes. The most secure generators are open-source and run on the user’s device instead of within a browser. Adding some characters to a generated password will make it truly random. The strongest passwords combine length and larger character sets.

What is a Password Generator?

A password generator is a piece of software that creates a randomized custom password for its users. 

You can think of it as a random sequence generator. Password outputs from the password generator applications are strong and secure. They are composed of upper and lower case letters, numbers, and sometimes special characters such as slashes, asterisks, and braces.

The randomness of the sequence ensures that no two passwords will be the same, so it is really hard for hackers to guess.

Reasons that Make Using Password Generators Safe

Password generators are generally safe for creating strong passwords for WiFi and many situations. If you need to create a single secure password or several passwords at a time, then a password generator is definitely worth using.

Password generators provide so many more benefits that make them safe to use. Let’s take a closer look at them:

Password generators can easily create lengthy passwords

What is one characteristic of a strong password? It’s long. The longer the password is, the more difficult it will be to guess correctly.

Passwords generated by people are generally weak because people place convenience over security. They generally don’t create long passwords because such passwords, even though they are more secure, are difficult to remember.

On the other hand, online password generator tools overcome this human limitation. They can easily generate very long passwords. They also come with a password manager or vault and an autofill feature, so users don’t have to keep track of the lengthy passwords generated.

The passwords generated do not contain any of your personal information

Another limitation people face when creating passwords is that they use words or passphrases that have some personal meaning. People create familiar passwords, usually consisting of the names of spouses or favorite sports teams.

They do this so that they can easily remember their passwords.

However, this also means that passwords created in this way are easily guessable by someone that knows a little about the individual based on publicly available knowledge. 

With the prevalence of social media, hackers can find words and personal data associated with the user and then use that to guess the password.

This flaw is why many self-created passwords are compromised. 

However, password generators are different. The randomness of the generated password ensures they don’t have any personal meaning associated with you. Therefore, hackers can’t guess them easily using your publicly available information. 

A password generator can quickly generate multiple passphrases

One of the best practices for passwords is to use a different password for every account you have.

However, creating and managing multiple passwords can take a lot of work, so some people fall prey to the temptation of using the same password for all accounts.

This is a security risk because if a hacker manages to get access to one of your accounts, they will also gain access to all of your other accounts.

Password generators make the process of generating and managing multiple passwords easy. Therefore, these applications are beneficial for people who always need to come up with new passwords to protect access to sensitive programs and manage many different passwords at once.

Password generators follow robust security protocols

Password generators follow strict security protocols to guarantee that the generated passwords are secure and difficult to guess. 

They use sophisticated cryptography-based algorithms that ensure that the generated passwords have letters and digits in nonrepeating patterns.

Recent Research Supports the Security of Password Generators

Are password generators safe? That’s the million-dollar question that we all want answered. After extensive research into academic papers on their security, two top-notch studies conducted by revered cybersecurity experts have yielded impressive discoveries.

According to a research paper by Sean Oesch and Scott Ruoti, two professors from the University of Tennessee specializing in security, “most randomly generated passwords are strong enough to withstand both offline and online attacks.”

Paolo Gentili, a security researcher, and his colleagues confirmed these findings in their paper on Dashlane’s security. This popular password generator was deemed “quite secure” after numerous penetration tests; moreover, “no major vulnerabilities were uncovered that could compromise user accounts.”

That’s good news. Hurray!

But…

After Sean Oesch and Scott Ruoti’s comparative analysis of the security of 13 popular password generators and managers, it became evident that not all are secure. For the soundest security measures, extension-based password generators should be used for generating passwords instead of browser-based ones.

Browsers such as Safari and Chrome support password generation. However, Sean Oesch and Scott Ruoti say that “they lack strong configuration options,” and “they don’t have a lockable vault or a master password to protect the generated passwords.”

Additionally, most extension password generators have assessment tools, including Dashlane, LastPass, and 1Password. An assessment tool tells you which passwords in your vault are weak and which accounts have been compromised.

The last thing we learned from Sean Oesch and Scott Ruoti’s excellent research paper is that it matters how long the password is, even if you use a password generator.

When you use a random password generator to create a short password, there is an increased chance for weak and easily crackable ones to be produced – something this proof (below) clearly shows. 

But this problem goes away if you use your password generator to generate a long password.

If your password is ten characters long, it will be safe from online attacks. And if you use a password generator to make an 18-character-long password, it will be safe from both online and offline attacks.

Don’t be afraid to create passwords of 10 characters or longer since you don’t need to remember them. Password managers and autofill features will take care of it.

However, if you need a password of fewer than ten characters for some stringent reason, check to see if the generated password is strong. If it is weak, try again until the generated password is satisfactory.
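The retry-until-satisfactory check described above, as an added example (not code from any of the generators named on this page): it draws characters from the operating system's CSPRNG through Python's `secrets` module, regenerates until every character class is present, and reports the size of the search space in bits. The alphabet, the class policy and the function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed policy for illustration: four character classes, 94 symbols in total.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def search_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing work: log2(alphabet_size ** length).

    Rejecting candidates in generate() trims the space slightly, so the
    real figure is a little below this bound.
    """
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one symbol from each class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate(length: int = 18, max_tries: int = 1000) -> str:
    """Draw from the OS CSPRNG and retry until the class check passes."""
    if length < len(CLASSES):
        raise ValueError("length is too short to hold one symbol per class")
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate
    raise RuntimeError("no candidate satisfied the policy")


if __name__ == "__main__":
    # Compare a short password with the 10- and 18-character lengths above.
    for n in (8, 10, 18):
        print(n, generate(n), f"{search_space_bits(n):.1f} bits")
```
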

For optimum safety when using a password generator, it’s good to mix up some of the characters and even add or remove some characters before using it. In addition to the generated random password, you also introduce your added randomization, creating an even safer password that is unique.

List of Password Generators That Are Safe To Use

Okay, we have now answered the question of how secure password generators and password managers are. Here is a list of some of the best password generators that have good security features:

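| Password Generator | Autofill | Lockable Vault | Assessment Tool | Open-source |
|---|---|---|---|---|
| 1Password | ✔ | ✔ | ✔ | X |
| Bitwarden | ✔ | ✔ | ✔ | ✔ |
| Dashlane | ✔ | ✔ | ✔ | X |
| LastPass | ✔ | ✔ | ✔ | X |
| RoboForm | ✔ | ✔ | ✔ | X |
| KeePass XC | ✔ | ✔ | X | ✔ |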

The One Thing that Jeopardizes The Security of Password Generators

The one thing that can make passwords generated by password generators less secure is when people have bad password management practices. Here is a list of 13 tips on how to keep your passwords more secure:

13 Tips on How to Keep Your Passwords Safe and Keep Your Accounts Secure

To prevent your passwords from being accessed by hackers and keep your account as safe as possible, follow these tips:

  1. Avoid using the same password for multiple accounts.
  2. Create passwords that are at least 16 characters in length and contain at least one number, one special symbol, and a combination of upper-and-lowercase characters.
  3. Avoid using names in your passwords.
  4. Avoid using personal things in passwords such as your birthday, house number, ID card number, social security number, or anything else that could be linked back to you personally.
  5. Avoid using any recognizable dictionary words in your passwords.
  6. Avoid using the same or similar passwords over various sites and accounts.
  7. Avoid passwords that are over 10 weeks old for your most sensitive accounts.
  8. Avoid having only one copy of your password vault or list.
  9. Avoid securing a password manager with only a master password. Turn on 2-factor authentication.
  10. Avoid storing your passwords in the cloud.
  11. Protect your computer and other devices with firewall and anti-virus software.
  12. Avoid leaving your computer and phone unlocked whenever you’re not using them.
  13. Avoid giving out your passwords.

By following the tips above, you can keep all of your accounts and logins as safe and secure as possible.

FAQs

Why should you change your password regularly?

Security experts the world over suggest that internet users should regularly change their passwords. It can be frustrating and overwhelming to come up with a new, strong, and secure password.

Increasing the frequency of changing your passwords increases the security of each of the accounts that you do it on. It increases safety by reducing the window in which cybercriminals can access your account in cases where your details have been hacked in some way.

Are password generators truly random?

Throwing a pair of dice produces a genuinely random result – it’s impossible to predict the numbers that you’re going to get. However, in the computing world, a physical randomizer, such as a pair of dice, isn’t available.

Password generators and other sites that produce randomly generated content use something called a pseudo-random algorithm. This algorithm begins using a number, letter, or sequence known as a “seed.” The algorithm processes this seed and gets a new result with no traceable connection to the old one.

The new sequence then becomes the seed. The original seed will not come up again until every other combination has been produced.

For example, if a seed is a 32-bit integer, the algorithm would have to run through 4,294,967,295 other numbers before repeating the original seed.

A password generator, of course, doesn’t return only random numbers. It instead returns a string of characters using random numbers to create passwords from the available character sets. Since a computer can’t generate an entirely randomized set of characters, this is the “most random” way to create a mix of characters in technology.
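An added example (not taken from any generator discussed here) of why the seed matters: a password built from a seeded general-purpose PRNG is fully determined by its seed, so its strength is capped by the seed size, such as the 32-bit seed mentioned above. Python's `random` module stands in for such a PRNG and `secrets` for the operating system's cryptographic source; the alphabet, the seed value and the function names are assumptions.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def seeded_password(seed: int, length: int = 18) -> str:
    """Password from a general-purpose PRNG (Mersenne Twister) with a known seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def os_password(length: int = 18) -> str:
    """Password from the OS cryptographic source; there is no seed to supply."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def effective_bits(seed_bits: int, length: int = 18) -> float:
    """Strength is the smaller of the seed space and the output space."""
    return min(float(seed_bits), length * math.log2(len(ALPHABET)))


if __name__ == "__main__":
    seed = 0x5EED1234  # constructed 32-bit seed, for illustration only
    print(seeded_password(seed), seeded_password(seed))  # identical strings
    print(os_password(), os_password())                  # independent draws
    print(effective_bits(32), effective_bits(256))       # 32.0 vs about 118
```

A generator that builds on `secrets` (or the platform's equivalent) instead of a seeded PRNG avoids the cap shown by `effective_bits(32)`.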


Final Thoughts

Although an online password generator can never be truly random, someone’s chances of guessing your password or being able to access your password from a password generator are incredibly slim. There are millions of variations of character sequences that can be produced by a password generator.

Overall, it is generally safe to use a password generator for your online accounts. If your password generator’s settings are configured to create lengthy passwords containing letters, numbers, and special characters, rest assured it’s generally safe for most purposes.

The Techlore YouTube channel has an excellent playlist called InCognito. This video (6m54s@2x) digs deeper into password generation.

Mike Chu

Mike is a web developer and content writer living as a digital nomad. With more than 20 years of devops experience, he brings his "programmer with people skills" approach to help explain technology to the average user.