What defaults should random password generators use?

Chad Perrin is building his own password-generating tool and is pondering what kind of defaults regarding length and character selection to include. What would your preferences be?

How would you prefer a random password generator to work?

There is something to dislike about every password management application I have found, at least for my purposes. I have made do until now, but I finally decided to write my own password management tool.

One of the things I want to be able to do with my password manager is generate random passwords on the fly, as needed. Of course, the preference would be to create incredibly long, complex passwords, if I am going to handle them via a password manager rather than trying to memorize them all, but different uses for passwords will run into different password policies. All too often, some Web site will restrict the length of the password or the selection of characters I can use quite a bit more than I would like.

As a result, I need the random password generator component to be tweakable as well. That is the easy part. On the other hand, a tool like that might be useful on its own as well. It also might be useful to more people than just me. As a result, I probably will make the password generator component a separate tool and make it available as an open source app. Actually, I plan to do so with the entire password management toolset. It will be simple, and not very special, but it will provide an at least slightly different approach to password management than anything else I have seen, which some might find useful.

Making something with configurable behavior available to the public raises the question of defaults. There are two defaults in particular in which I am interested in this case, at this time. One is generated password length, and the other is the range of special characters to use.

Keep in mind that I am probably going to make the password generator component a combination library and command line tool, so that if it is used separately as a lone tool it will take command line arguments (for instance, -l 15 to specify a fifteen character password length).

Default length

I am considering options for how best to randomize lengths. For that purpose, I think I will provide options for both an explicit password length and a maximum password length. If a maximum is selected, a variable length within a range of lengths close to the specified maximum will be selected.

The question in this case has two parts:

  1. Should the default length be a variable length or an explicit length?
  2. Should the default length be relatively low or relatively high?

I am leaning toward an explicit length of either 10 or 20 characters. Twenty would be far too long for a lot of Websites, which suggests that perhaps ten should be the default instead. On the other hand, twenty would encourage stronger passwords, and when needed, users could reduce the password length via the option to set lengths. Of course, if you have other ideas with good reasons, those would be welcome as well.

Default character selection

On one hand, allowing pretty much every ASCII character would encourage better security in much the same way as using a longer default password length. On the other hand, using only case-sensitive letters and numbers would work almost everywhere. I am personally inclined to allow all characters the program can handle by default, but I am not necessarily wedded to that choice.

Seeking input

What do you think? What do you think would be best to encourage good security practices for end users who may not necessarily be inclined to use defaults if they can avoid it, without scaring them off by making the tool too much work to use? What would you prefer for your own use? I look forward to suggestions and discussion in comments. I do not guarantee to do what you ask, but I do promise to consider it.

Worried about security issues? Who isn't? Delivered each Tuesday, TechRepublic's IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks