K
Konvertio.
Encoders & Decoders
Formatters & Linters
Generators
Converters
Text Tools
Blog
K
Konvertio.

Free developer tools — encoders, formatters, generators & more. No signup, no data processing on our servers.

Encoders

Base64 EncoderJWT DecoderAES EncryptHMAC GeneratorHash Generator

Formatters

JSON FormatterSQL FormatterXML FormatterCSS FormatterJSONPath Tester

Generators

Password GeneratorQR CodeToken GeneratorUUID GeneratorOTP Generator

Converters

JSON ↔ YAMLJSON → TypeScriptHTML → JSXDocker → ComposeSQL → MongoDB

Text Tools

Word CounterHTTP Status CodesPassword StrengthMath EvaluatorMIME Lookup

© 2026 Konvertio. All tools are free to use.

PrivacyAboutTermsBlog
HomeBlogGenerate Secure Passwords Programmatically: Best Practices
April 7, 2026 2 min readUpdated Apr 9, 2026

Generate Secure Passwords Programmatically: Best Practices

passwordssecuritycryptographyjavascriptpython

image

What Makes a Password Secure?

Password security comes down to entropy — the amount of unpredictability. Entropy depends on the character set size and the length:

Entropy = length × log2(character_set_size)

A 16-character password using mixed case, digits, and symbols reaches over 100 bits — effectively uncrackable with current hardware. Target at least 80 bits for general use.

The Critical Rule: Use a CSPRNG

Never use Math.random() or Python's random module for security-sensitive values. These are pseudo-random number generators designed for simulation — not security. Their output is predictable.

Always use a cryptographically secure PRNG (CSPRNG):

  • Browser/Node.js: crypto.getRandomValues() or crypto.randomBytes()
  • Python: secrets module
  • Go: crypto/rand
  • Java: SecureRandom

Generating a Secure Password in JavaScript

function generatePassword(length = 16, useSymbols = true) {
  const charset = [
    'abcdefghijklmnopqrstuvwxyz',
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
    '0123456789',
    useSymbols ? '!@#$%^&*()-_=+[]{}|;:,.<>?' : '',
  ].join('');

  const array = new Uint32Array(length);
  crypto.getRandomValues(array);
  return Array.from(array).map((n) => charset[n % charset.length]).join('');
}

console.log(generatePassword(20, true));

Generating a Secure Password in Python

import secrets
import string

def generate_password(length=16, use_symbols=True):
    alphabet = string.ascii_letters + string.digits
    if use_symbols:
        alphabet += '!@#$%^&*()-_=+[]{}|;:,.<>?'
    return ''.join(secrets.choice(alphabet) for _ in range(length))

print(generate_password(20))

Passphrases: Memorable and Secure

Five random words from a 7776-word diceware list gives ~64 bits of entropy. Six words gives ~77 bits — memorable and secure.

Common Mistakes to Avoid

  • Using timestamps or UUIDs as passwords
  • Hashing a weak seed (sha256(Math.random()) is still predictable)
  • Storing passwords in plain text — always hash with bcrypt or Argon2id
  • Using l33tsp34k substitutions — does not add meaningful entropy

Try It Instantly

Use the free Password Generator on konvertio.app — generates cryptographically secure passwords of any length, fully client-side so your password never leaves your browser.

Back to all posts
Share
Twitter / X LinkedIn Facebook
Tags
passwordssecuritycryptographyjavascriptpython
Resources
All ToolsJSON FormatterBase64 EncoderJWT DecoderUUID GeneratorAll Posts
Follow
Twitter / X LinkedIn RSS Feed Newsletter