This secure random password generator creates strong random plain text passwords using the PCG32 random number generator without sending them over the internet or storing them on a server.
I developed this password generator because I don't trust the security and randomness of passwords generated by other password generators; plus, I like a challenge. I also wanted to test my implementation of the PCG32 pseudo-random number generator with an environment-based seed. By generating multiple passwords with this generator, saving them to my local computer, and then mixing them, I can confidently trust in the uniqueness of my passwords. The number of password breaches each year is staggering. By using a unique, random password for every account, I can rest assured that even if one system is hacked, all of my other accounts' passwords are safe.
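As an added illustration (not the page's own code), the generator below implements the PCG32 algorithm (PCG-XSH-RR 64/32) from pcg-random.org and draws password characters from it with rejection sampling rather than a plain modulo, so every alphabet character is equally likely. The seed here is taken from the OS CSPRNG via `secrets` as a stand-in for the page's environment-based seed; the class names, the 12-character minimum and the character-class check are my assumptions, and the unpredictability of any output rests entirely on the entropy of the two seed values.

```python
import secrets
import string

MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1
PCG_MULT = 6364136223846793005
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


class PCG32:
    """PCG32 (PCG-XSH-RR 64/32): 64-bit LCG state, 32-bit permuted output."""

    def __init__(self, initstate: int, initseq: int):
        self.inc = ((initseq << 1) | 1) & MASK64   # stream selector, must be odd
        self.state = 0
        self.next_u32()
        self.state = (self.state + initstate) & MASK64
        self.next_u32()

    def next_u32(self) -> int:
        old = self.state
        self.state = (old * PCG_MULT + self.inc) & MASK64
        xorshifted = (((old >> 18) ^ old) >> 27) & MASK32
        rot = old >> 59
        return ((xorshifted >> rot) | (xorshifted << ((-rot) & 31))) & MASK32

    def below(self, bound: int) -> int:
        # Discard the short biased tail of the 32-bit range so that `% bound`
        # is uniform; a bare modulo would favour low characters slightly.
        threshold = (1 << 32) % bound
        while True:
            r = self.next_u32()
            if r >= threshold:
                return r % bound


def has_all_classes(pw: str) -> bool:
    """Upper, lower, digit and punctuation all present (the page's mixing rule)."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


def generate_password(rng: PCG32, length: int = 16) -> str:
    if length < 12:  # assumed floor, matching the page's twelve-character advice
        raise ValueError("passwords should be at least 12 characters")
    while True:
        pw = "".join(ALPHABET[rng.below(len(ALPHABET))] for _ in range(length))
        if has_all_classes(pw):
            return pw


if __name__ == "__main__":
    # Seed from the OS CSPRNG; nothing leaves the machine.
    print(generate_password(PCG32(secrets.randbits(64), secrets.randbits(64)), 20))
```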
Pro Tips for Users
Always use unique passwords for every account you have.
Never reuse the same password twice.
Always ensure passwords are at a minimum twelve characters long. The longer the better.
Never use dictionary words, birthdays, names or any other personally identifiable information in your password.
Always ensure passwords contain a mixture of uppercase letters, lowercase letters, numbers, punctuation and
Never use an easily guessed password such as P@ssw0rd, $ecr3t or AbC!23.
Never use similar passwords with one or two characters changed.
Never share your password over text, messenger, Slack or unencrypted email.
Never write your password on a sticky note and leave it visible to others.
If you're setting a password that must be memorized, try using the first few letters of each word in a phrase.
Never log in to an important account via public WiFi or on an untrusted device (e.g. friend's computer or mobile
Always make sure the site you are logging in to uses HTTPS with a valid certificate.
Change your passwords every three months, or immediately in the event of a security breach.
Pro Tips for Developers
Never store users' passwords, security questions and answers as plain text. Ever. I will find you if you do this, and I will say very unkind things to you.
Always salt and hash passwords with a unique, randomly generated salt for each user.
Always log invalid login attempts and alert users of suspicious activity.
Always lock accounts after several incorrect login attempts.
Always use TLS with a valid, up-to-date certificate. Personally, I like Certbot.
Remember: the internet is a scary place filled with viruses, bugs, hackers, bots and the darkweb; let's not make it worse by building shitty password management systems.
Finally, if any of this is confusing, ask questions. Go find a more senior developer and ask them how they would do it.