How to Generate a Strong Random Password or API Token
Choose length, character sets, and token formats for passwords, API keys, and local test secrets.
Use enough length
For passwords and tokens, length does most of the work. A longer random string is usually better than a short string with a complicated character mix.
- Use 16 characters or more for passwords when the site allows it.
- Use 32 characters or more for API-style tokens.
- Use a password manager for values you cannot remember.
Pick the format that fits
Use Base64URL-safe strings when the value needs to live in a URL, header, or config file without extra escaping. Use hex when a system specifically expects hex characters.
Do not reuse generated values
A password, API key, reset token, and webhook secret should be different values. If one service leaks, reuse makes the leak travel farther than it needs to.
Open the related tool and keep the workflow local.