Password Managers — Guide

Password generators — how to use them effectively and what settings actually matter

What makes this confusing

Password generators in password managers are simple enough to use that most users never think about the settings. Click generate, get a password, save it. The settings — character sets, length, exclusions — are visible but largely ignored. For most accounts, the defaults are fine. For some accounts and contexts, understanding what the settings do produces meaningfully better or worse outcomes.

The more interesting question about password generators is not how to use them but when to use them differently. A 20-character random password is the right output for most accounts. It is not the right output for the master password (needs to be memorable). It may not be the right output for accounts with strict length or character restrictions, or for PINs and passcodes that require digits only.

Password generators produce genuinely random credentials. The randomness is cryptographic — not the weak pseudo-randomness of Math.random() but entropy sourced from the operating system's cryptographic random number generator. Understanding this helps explain why generated passwords are categorically more secure than human-chosen ones regardless of how complex the human-chosen password appears.

What people usually assume

The assumption 'longer passwords are always better' is true in general and needs qualification in practice. A 30-character random password has approximately 175 bits of entropy from a standard alphanumeric set, substantially more than any practical brute-force attack could exhaust. But if the site's password field has a maximum length restriction (common in older banking systems), a 30-character password may be silently truncated to 16 characters on save, creating a mismatch between what the vault stores and what the site expects. Match the generator length to the site's known constraints.

A second assumption is that all character sets improve passwords equally. Adding symbols to alphanumeric passwords increases entropy but creates problems on some sites: financial services, legacy corporate systems, and some government sites reject certain special characters in passwords. A password with a $ that gets rejected by the site is less useful than a slightly lower-entropy password that is accepted. Bitwarden and other managers allow excluding problematic characters from the generated set.

A third assumption is that passphrase generators are less secure than character-based generators. This is wrong. A 4-word passphrase from a 7,776-word list has approximately 51 bits of entropy — less than a 20-character random password (119 bits) but more than most human-chosen passwords. A 6-word passphrase has approximately 77 bits — adequate for most accounts. Passphrases are appropriate where memorability is needed (the master password) and where site interfaces accept long strings.

What's actually true

Default settings in most password managers are adequate: 16-20 characters, mixed case, numbers, and symbols. This produces passwords with 95-119 bits of entropy that exceed any practical brute-force threshold. The customisation cases that matter: (1) reduce length if the site has a documented maximum; (2) exclude specific characters if the site rejects them; (3) use passphrase mode for the master password; (4) use digit-only mode for PINs; (5) increase length to 24-30 characters for particularly high-value accounts.
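The customisation cases above map onto a handful of generator parameters. The sketch below is an added example, not code from this guide or from any password manager; the function names, the SYMBOLS set and the parameter names are assumptions of the example. It draws from the operating system's CSPRNG through Python's secrets module and also computes the passphrase entropy figures quoted earlier for a 7,776-word list.

```python
import math
import secrets
import string

# Character pools; the names are this example's own, not any manager's settings.
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 characters
SYMBOLS = "!@#$%^&*"                                   # constructed sample set


def entropy_bits(pool_size: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `pool_size` options."""
    return count * math.log2(pool_size)


def generate(length=20, symbols=True, digits_only=False, exclude="", max_length=None):
    """Return (password, entropy_bits) drawn from the OS CSPRNG via `secrets`."""
    if digits_only:
        pool = string.digits
    else:
        pool = ALPHANUMERIC + (SYMBOLS if symbols else "")
    # Drop characters the site rejects; sorted(set()) keeps each candidate once.
    pool = sorted(set(pool) - set(exclude))
    if len(pool) < 2:
        raise ValueError("exclusions leave no usable character set")
    # Clamp to the site's documented maximum so the vault copy is never
    # longer than what the site actually stores.
    if max_length is not None:
        length = min(length, max_length)
    password = "".join(secrets.choice(pool) for _ in range(length))
    return password, entropy_bits(len(pool), length)


if __name__ == "__main__":
    for label, kwargs in [
        ("default 20 chars", {}),
        ("alphanumeric only", {"symbols": False}),
        ("site rejects $ and &, max 16", {"exclude": "$&", "max_length": 16}),
        ("6-digit PIN", {"length": 6, "digits_only": True}),
    ]:
        pw, bits = generate(**kwargs)
        print(f"{label:32} {pw:22} {bits:6.1f} bits")
    # Passphrase entropy depends only on list size and word count.
    for words in (4, 6):
        print(f"{words}-word passphrase (7,776-word list): {entropy_bits(7776, words):.1f} bits")
```

Excluding two rejected symbols costs well under one bit across the whole password, while clamping the length from 20 to 16 costs roughly 24 bits, so the length limit is the constraint to watch.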

The strength indicator in password managers measures entropy, not character complexity. A generated password like 'k7#mP2xQ' scores identically in entropy to 'XzVnL4@q' despite looking different. Both have the same resistance to brute-force because both were generated with the same method. The visual complexity is irrelevant; the entropy is what matters.

Password rotation using generated passwords: when changing a password, use the generator rather than modifying the existing one. 'Adding a number to the end' or 'changing one character' produces passwords with much lower effective entropy than a fresh generated credential. The manager stores the password regardless of how complex it is; the marginal effort of using the generator rather than modifying manually is zero.

Where this leads

If you want to understand why generated passwords are more secure than complex human-chosen ones, the password strength guide covers entropy, the actual measure of brute-force resistance.

Password strength — what entropy actually measures

If you want a passphrase generator specifically for the master password, Bitwarden's generator has a passphrase mode with configurable word count and separator. The recommended settings for a master password are 5-6 words with a number or symbol separator.

Master password best practices — passphrase configuration

Limits of this guide

Password generators produce secure random credentials. They do not help with sites that impose unhelpful restrictions — maximum lengths, character exclusions, or minimum complexity requirements that prevent using genuinely random passwords. These restrictions are common in older financial and government systems and require working within the site's constraints.
