Users are terrible at creating passwords. Study after study confirms it. "123456" and "password" appear in breach databases millions of times. Even when people try to be clever, they follow predictable patterns—a capital letter at the start, a number at the end, maybe an exclamation point if the form demands special characters.
The solution isn't more password rules. Users just work around them. The solution is generating secure passwords for them—or at least making strong suggestions they can accept with one click.
Why Generated Passwords Matter
When users create their own passwords, they optimize for memorability. That's the opposite of security. A memorable password is, by definition, predictable. It contains words, dates, names, patterns that humans can recall—and that attackers can guess.
Generated passwords optimize for entropy. They contain random combinations that don't exist in dictionaries, don't follow keyboard patterns, and don't relate to personal information. A 16-character randomly generated password with mixed case, numbers, and symbols has roughly 100 bits of entropy. A user-created password of the same length might have 20 bits.
That difference matters. 20 bits of entropy can be brute-forced in seconds. 100 bits would take longer than the age of the universe.
The Password Manager Era
Here's the good news: users increasingly use password managers. This changes the calculus entirely. When a password manager handles storage and autofill, memorability becomes irrelevant. The user never types the password manually. They never need to remember it.
In this environment, generated passwords make perfect sense. The user clicks "generate," the password manager saves it, and authentication happens automatically from then on. The friction that used to make generated passwords impractical has largely disappeared.
Your signup flow should recognize this. Offer password generation prominently. Make it easier to accept a generated password than to create one manually. The path of least resistance should also be the path of greatest security.
Where Password Generation Fits
Not every password field needs generation, but many do. Consider adding it to:
Signup flows. This is the most impactful placement. Users creating accounts are already in decision-making mode. Offering a strong generated password right when they need one catches them at the perfect moment.
Password reset flows. Users often pick weak passwords during reset because they're frustrated and just want access restored. A generated temporary password eliminates that risk.
Admin account creation. When IT staff create accounts for new employees, generated passwords ensure consistent security. No more "Welcome123!" as every new hire's first password.
API key generation. This isn't technically a password, but the same principles apply. API keys should be long, random, and impossible to guess. Users should never create them manually.
Complexity Levels and When to Use Them
Not all passwords need maximum complexity. Different contexts call for different approaches.
Strong complexity includes uppercase, lowercase, numbers, and special characters. Use this for any password that will be stored in a password manager. The user won't type it manually, so keyboard convenience doesn't matter. This is the default for most modern applications.
Medium complexity uses letters and numbers but skips special characters. This works well for temporary passwords that users will type manually—like a password reset code they read from an email while logging in on another device. Fewer characters mean fewer typos.
Simple complexity uses only letters. This might seem weak, but a long simple password can actually be more secure than a short complex one. A 20-character lowercase password has more entropy than an 8-character mixed-case password with symbols. Some legacy systems also can't handle special characters, making simple passwords a necessity.
The key is matching complexity to context. Don't force users to type K#9mPx$2 on a mobile keyboard when correcthorsebattery would be more secure and vastly easier.
Length vs. Complexity
Security experts have debated this for years, and the consensus now favors length. A longer password with less complexity beats a shorter password with more complexity.
The math supports this. Each additional character multiplies the search space. Adding a 17th character to a 16-character password doubles the difficulty of brute-forcing it. Adding special characters to a short password provides diminishing returns by comparison.
Modern guidance suggests 16 characters minimum for passwords that will be stored in password managers, and 12 characters minimum for passwords that might be typed manually. Below 12 characters, even maximum complexity doesn't provide adequate protection against modern cracking hardware.
The User Experience of Generation
How you present password generation matters as much as the generation itself. Users need to trust the process and understand what's happening.
Make it visible. Show the generated password clearly, not hidden behind dots. Users need to see what they're accepting. A masked password field with a "show" toggle works well.
Provide copy functionality. One-click copy to clipboard is essential. Users will paste this password into their password manager. Make that action effortless.
Explain the security. A brief message like "This password would take millions of years to crack" builds confidence. Users who understand why the weird-looking string is better will be more likely to accept it.
Allow regeneration. Some users will want to generate multiple options before choosing. Others might have superstitions about certain characters. Let them regenerate as many times as they want.
Handling Password Generation Failures
What happens when the generation API is unavailable? Your application shouldn't break. Users shouldn't be stuck.
The graceful approach is falling back to client-side generation. Modern browsers provide crypto.getRandomValues(), which produces cryptographically secure random numbers. While a client-side fallback might not offer all the same features as an API (like complexity levels or avoiding ambiguous characters), it can produce a strong password in a pinch.
Never let an API failure prevent users from completing signup. Password generation is an enhancement, not a gate.
Storing and Transmitting Generated Passwords
Generated passwords require the same security precautions as user-created ones. Hash before storing. Transmit over HTTPS. Never log in plaintext.
The one difference: temporary passwords for reset flows need special handling. These should expire quickly—24 hours maximum, ideally much sooner. They should also force a password change on first use. A temporary password that becomes permanent defeats the purpose.
Measuring Success
How do you know if password generation is working? Track adoption and security outcomes.
Generation rate. What percentage of new signups use generated passwords versus creating their own? This tells you whether your UX is compelling enough.
Reset frequency. Users with generated passwords should reset less often. If they're resetting more, something's wrong with your generation or storage flow.
Breach exposure. When credentials appear in breach databases, how many of your users are affected? Generated passwords should appear far less frequently than user-created ones.
These metrics help you tune the experience over time.
Integration Example
Here's a minimal example of generating a password via API:
const response = await fetch(
'https://api.apiverve.com/v1/passwordgenerator?count=1&length=16&complexity=strong',
{ headers: { 'x-api-key': 'YOUR_API_KEY' } }
);
const { data } = await response.json();
const password = data.passwords[0].password;
// "K#9mPx$2vLnR@4wQ"
Present this to the user with a copy button, let them accept it, and your signup security improves immediately.
Generate secure passwords with the Password Generator API. Verify password strength with the Password Strength API. Build authentication flows that protect your users by default.
Originally published at APIVerve Blog
Top comments (0)