How to generate secure passwords and API credentials
API keys from vendors are generated for you. This article covers the secrets you control yourself: JWT signing keys, session cookie secrets, internal HMAC shared secrets, and database passwords.
1. Baseline: openssl (portable)
32 bytes, base64 (common for app secrets):
openssl rand -base64 32
Hex (sometimes required by legacy systems):
openssl rand -hex 32
OpenSSL docs: openssl-rand
2. Readable passwords (humans)
Use a password manager generator with long (20+) passphrases or random strings. Avoid brain-generated “clever” passwords; let Bitwarden, 1Password, or your system's built-in generator suggest them instead.
3. JWT / session signing secrets
Requirements vary by library — typically high entropy (≥ 256 bits) and unique per environment:
openssl rand -base64 64 > session_secret_dev.txt
chmod 600 session_secret_dev.txt
Never commit the file; store it in a vault (PassStore) or in CI secrets.
4. Database user passwords
Use random strings; length beats “clever symbols”:
# 48 bytes give 64 base64 characters, so at least 32 remain after stripping '/', '+' and '='
openssl rand -base64 48 | tr -d '/+=\n' | head -c 32; echo
Apply it via your DB admin workflow and rotate it after any leak (see: database credentials).
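The two generators from sections 3 and 4 wrapped as checked shell functions, as an added example that is not part of the original article: the signing-secret wrapper refuses anything below the 256-bit floor, the password wrapper oversamples before stripping base64 punctuation so the result is always exactly the requested length, and a small helper estimates entropy in bits. It assumes openssl, tr, head and awk are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): wrappers around `openssl rand`.

# Base64 signing secret of N random bytes (default 64). Refuses anything
# under 32 bytes, i.e. the 256-bit minimum the article gives for JWT/session
# secrets. Output has no trailing newline so it can be captured directly.
gen_signing_secret() {
  bytes="${1:-64}"
  if [ "$bytes" -lt 32 ]; then
    echo "refusing: need at least 32 bytes (256 bits), got $bytes" >&2
    return 1
  fi
  openssl rand -base64 "$bytes" | tr -d '\n'
}

# Alphanumeric database password of exactly LEN characters (default 32).
# Stripping '/', '+' and '=' from base64 shortens the string unpredictably,
# so request three times as many bytes as characters and loop until we have
# enough, then truncate. Alphabet is 62 symbols: [A-Za-z0-9].
gen_db_password() {
  len="${1:-32}"
  out=""
  while [ "${#out}" -lt "$len" ]; do
    chunk=$(openssl rand -base64 "$((len * 3))" | tr -d '/+=\n')
    out="${out}${chunk}"
  done
  printf '%s' "$out" | head -c "$len"
}

# Entropy estimate for a string of LEN symbols drawn uniformly from an
# alphabet of SIZE symbols: len * log2(size), rounded to the nearest bit.
# Useful for checking a generated value against the 256-bit floor.
entropy_bits() {
  awk -v n="$1" -v a="$2" 'BEGIN { printf "%d", int(n * log(a) / log(2) + 0.5) }'
}
```

A 32-character alphanumeric password carries about 191 bits, so it clears the 256-bit floor only when you lengthen it to 43+ characters; base64 output of 64 raw bytes carries the full 512 bits.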
5. What not to use
| Bad idea | Why |
|---|---|
| Math.random() in JS for secrets | Not cryptographically secure |
| UUID v4 alone as signing secret | Wrong tool; use CSPRNG |
| Dates / company name | Trivial guessing |
| Copying an example from a blog literally | Everyone has the same “change_me” |
6. Storing what you generated
Put the value in PassStore under a dated note if you rotate often, and archive the old entry with a date suffix like _2026-04 (see: rotation).