How can I choose a secure password?

We were occasionally asked if there's a safe way to generate secure, random passwords for use on our services or anywhere else. This page does that for you — the random passwords below are all generated entirely on your own computer within your web browser, and are safe to use anywhere.

Why don’t these passwords contain special characters or uppercase letters?

Using long passwords like these is just as secure as using passwords with hard-to-type special characters in them, or that have mixed upper and lowercase. There’s no reason to make your passwords harder to type or more confusing when you can just make them longer. This article from ZDNet explains more about this. If you want uppercase letters in your password anyway, you can just capitalize one of the words.

How secure are these passwords?

All three of these passwords are secure enough for any use on our systems. The first contains five random elements from a source of over 900 possible word/number combinations, meaning there are about 600 trillion random passwords that might be generated. Even if someone knows you generated a password using this page, it’s extremely unlikely that they could guess it.

The second password shown is 900 times as secure as the first (with 531 quadrillion possible combinations), and the third is 900 times as secure as the second (with 478 quintillion possible combinations). You can choose the second or third if you’re more concerned about security than about ease of typing.

For even more security, you can replace one or more of the words in the password with different words that only you know.
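
The following is an added example, not the script this page uses: a sketch of in-browser generation with unbiased selection from a list, plus the keyspace arithmetic behind the figures above. The 900-entry list is a constructed stand-in (the page says "over 900"), and the hyphen separator and all function names are assumptions.

```javascript
// Constructed stand-in list; the page's real word/number list is not shown here.
const WORDS = Array.from({ length: 900 }, (_, i) => `word${i}`);

// Browser: globalThis.crypto. The require() fallback only lets the example run under older Node.
const webCrypto = globalThis.crypto ||
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

// Pick an index in [0, n) without modulo bias: draws that fall in the
// incomplete top slice of the 32-bit range are discarded (rejection sampling).
// `fill` is a hypothetical hook so the random source can be swapped in tests.
function randomIndex(n, fill = (buf) => webCrypto.getRandomValues(buf)) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError("n must be an integer in [1, 2^32]");
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { fill(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Join `count` independently chosen elements; the "-" separator is an assumption.
function generatePassword(count, list = WORDS, fill) {
  const parts = [];
  for (let i = 0; i < count; i++) {
    parts.push(list[randomIndex(list.length, fill)]);
  }
  return parts.join("-");
}

// Number of equally likely passwords and the equivalent entropy in bits.
function keyspace(listSize, count) {
  return {
    combinations: BigInt(listSize) ** BigInt(count),
    bits: count * Math.log2(listSize),
  };
}
```

Using `Math.random()` or a plain `value % n` in place of `randomIndex` would make some elements more likely than others, so the real keyspace would be smaller than the counts quoted above.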

How do I know I can trust you?

That’s a wise question! On the one hand, if you’re one of our customers, you’re already trusting us with your encrypted passwords* — but you don’t want anyone to know the original plaintext password you choose. We don’t want to know that either, but it’s reasonable to ask whether you can check that this page isn’t recording it.

Technically advanced users can examine the source code of this page and the script it uses, and verify that the password is generated entirely on your own computer, and not sent back to us or recorded.

Another option is to use a different well-known site that offers random password generation services, like random.org.

* For password geeks: Yep, “encrypted” isn’t really the right word here. In actuality, we store hashed passwords using SHA512 with 5,000 rounds, with 8 bytes of random salt.