1 min readLocal-first workflow

How to Generate a Strong Random Password or API Token

Choose length, character sets, and token formats for passwords, API keys, and local test secrets.

Use enough length

For passwords and tokens, length does most of the work. A longer random string is usually better than a short string with a complicated character mix.

  • Use 16 characters or more for passwords when the site allows it.
  • Use 32 characters or more for API-style tokens.
  • Use a password manager for values you cannot remember.

Pick the format that fits

Use Base64URL-safe strings when the value needs to live in a URL, header, or config file without extra escaping. Use hex when a system specifically expects hex characters.

Do not reuse generated values

A password, API key, reset token, and webhook secret should be different values. If one service leaks, reuse makes the leak travel farther than it needs to.

Open the related tool and keep the workflow local.