Source of feature requirements

Based on these rules, it is evident that most websites in daily life require a combination of letters (uppercase and lowercase letters), numbers, and symbols. And the length of the password should be eight or longer.

4PIN or 6PIN

Some websites only need four digits or six digits. IHG asked for passwords only with 4 digits. IPhone suggests users set up the lock screen passwords with six digits. Therefore, it is also vital for password generators to create passwords like these.

Exclude repeat characters, continuous characters

Some websites are restricted to letters and numbers. ME Bank only allowed using numbers, and there are requirements for the arrangement of numbers, like not having the same number three times in a row or the descending or ascending numbers, etc. BDO users need to avoid using consecutive characters such (ex. abc, DEF, 678). This feature, excluding repeat characters or continuous repeat characters in password generators, helps users have suitable passwords effectively.

Choosing specific symbols freely

Most websites require and accept passwords with special characters, which refer to punctuation characters found on standard US keyboards.

There is a difference in the requirements of special characters among different websites. Some websites like Bank of America require users can only use some special characters like ( @#()+={}/?~;,.-_#* ), while some websites forbid users to use some special characters, like BDO, a website requiring users to avoid characters such as !#$%^&’;”. More examples can be seen here.

Yet, not all the password generators allowed users to choose special characters freely and it brings trouble to users.

(The screenshot is from here)

Therefore it is essential to let users choose symbols freely.

2. Experts suggestions

Besides meeting the requirements, how could we improve the security of the password? To answer this question, we have checked suggestions by several well-known institutions or experts and listed some guidelines below.

(1) 12 or more

Password length should be 12 or more by default, which was suggested here, although many websites require passwords of at least eight characters.

Richard Boyd, a senior researcher at Georgia Tech Research Institute(GTRI), stated that 8-character passwords are no longer sufficient(see details in Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System ). And it can be quickly cracked if you limit your characters to alphabetic letters. Meanwhile, increasing security experts encourage users to have passwords with 12 characters or more for security. Joshua Davis, a research scientist at GTRI, claimed that any password less than 12 characters long might be vulnerable(see details here). SSH, a European Defensive Cybersecurity trailblazer, suggested that a good password should be 12 to 14 characters long.

Considering the website’s requirements (password length should be eight or more), a password with 12 characters can satisfy the website requirements and strengthen the passwords. Therefore, the password length should be 12 or more for security.

(2) Try to use a combination of mixed letters, numbers, and special characters

– National Institute of Standards and Technology (NIST)

In 2004, The United States Department of Commerce’s National Institute of Standards and Technology (NIST) [2]recommended individuals capitalize irregularly, utilize special characters, and include at least one number. Most systems adhered to this suggestion, which was “baked into” some requirements that companies had to meet. Password generators should be able to generate passwords with letters( a combination of mixed letters), numbers, and special characters. In other words, it allowed users to decide the composition of passwords.

(3) Changing Passwords Regularly

Security experts have different opinions on experts’ advice about changing passwords regularly. EJ Phillips, an advocate of regularly changing passwords, argued in Benefits of Changing Your Password Regularly (proactive-info.com) that changing passwords prevented not only constant access but also bad guys from using the saved password in users’ old or missed digital devices. In contrast, experts like Nick Statt pointed out that frequent modifications pushed users toward lazy, easy-to-predict practices in Best practices for passwords updated after the original author regrets his advice – The Verge. This problem was not caused by the frequent modifications but by the vulnerable password that users change. Some people might add one 1digit or one special character to the formal password for convenience, which might be a potential risk of password leaking. The password we have used for a long time might have been leaked for various reasons. Some bad guys might steal your password via malicious websites(see more in Benefits of Changing Your Password Regularly).

After all, it was dangerous to use the same password forever. It would be helpful if password managers provided services to help users to change passwords regularly. This suggestion was not seen as one of the review features since it was still controversial. To help users looking for this feature, our suggestion: Zero Password manager.

(4) Choosing emojis in passwords

–National Institute of Standards and Technology (NIST)

Meanwhile, NIST in 2020 suggested users should involve Unicode characters like emojis in passwords. Research by Schaub shows that emojis make passwords more entertaining and safe. Including emojis in passwords increases the character set from about 100 to tens of thousands. It is challenging for hackers to crack. However, most password managers do not offer emojis in password generation. Password managers like Nordpass thought it terrible to have emojis since it takes time for different operating systems to represent emojis the same way. Thus cross-platforming will always provide a risk until emojis are standardized. Therefore, using emojis is also not seen as one of our essential features.

(5) Adds password strength measurement

The Open Web Application Security Project®( OWASP ) suggested adding password strength measurement. This feature helped users create complex passwords and block common and previously compromised passwords. It helps remind users to use strong passwords. Therefore it is seen as one of the review features.

3. User needs

Besides generating suitable and secure passwords, providing users with good user experiences is also necessary. It should be easy for users to use password generators.

To achieve this goal, password generators should have a nice design. For example,

• Clear instruction ( so users did not need time to learn how to use it)

Needs of Passphrase

Passphrases were also popular among users. What is a Passphrase? It is a sentence-like string of words that is longer than a traditional password, easy to remember, and difficult to crack.