Probably. It's random, it could come out as password1!

Or more accurately, yes, they're secure. They're not truly pseudorandom (or at least, any good generator, like you'd find in a proper password management application), but follow rules designed to create passwords that aren't random, but very hard to guess.

Password cracking is a known, predictable thing, and you can use that to create passwords that are effective at resisting it. Not dictionary words, long, with symbols, both cases of letters, numbers, so on. Generating a password that would take a modern machine a few million years to crack is not a difficult challenge - because while the people writing the crackers know how the generator works, the people writing the generator know how the crackers work too.

As for LastPass, as far as I know your password container is encrypted and decrypted locally, so very, very little chance of that ever being compromised. Unfortunately, you cannot use LastPass to protect your LastPass container, so you'll have to rely on your own password generating skills to remember that one!


I'm the author of the random password generating site http://passwordcreator.org. Here is what I learned in the process of creating that site about creating secure random passwords:

Random Source

Most random number generators on computers are pseudorandom. They are based on algorithms and not appropriate for generating passwords. They are generally seeded with the current time. If that one piece of information is known (or can be guessed), it is possible to reproduce their output and see the passwords that would have been generated.

To generate a password, a cryptographically secure pseudo-random number generator (CPRNG) should be used. From Wikipedia, the two requirements of this type of random number generator are:

  • Given the first k bits of a random sequence, there is no polynomial-time algorithm that can predict the (k+1)th bit with probability of success better than 50%.
  • In the event that part or all of its state has been revealed (or guessed correctly), it should be impossible to reconstruct the stream of random numbers prior to the revelation. Additionally, if there is an entropy input while running, it should be infeasible to use knowledge of the input's state to predict future conditions of the CSPRNG state.

Modern web browsers (with the notable exception of Internet Explorer) now have a crypto API available to JavaScript that has a cryptographically secure random number generator. This makes it easy for websites like mine to generate passwords that are unique and not guessable based on knowing when and where they were generated.

Password Length

A common attack against passwords is for the attacker to gain access to the database where the encrypted (hashed) passwords are stored. The attacker can then generate guesses, hash the guesses using the same hashing algorithm, and see if they get any matches. Here is an article that shows just how many passwords are vulnerable to such an attack. Computers are now powerful enough that attackers are known to try 100 billion passwords per second. Secret military and spy agency computers may be able to do orders of magnitude more.

From a practical standpoint, that means that a password needs to be chosen from a pool of quintillions of possibilities. The 96 characters that can be typed on a keyboard can only generate quadrillions of possibilities using an eight-character password. To be secure, passwords must be longer today than they ever have in the past. Computers will become more powerful in the future and you may want to choose passwords that are even longer than what you might need to feel secure today so that they cannot be cracked easily in the future either. I'd recommend at least a length of 10 for random passwords based on 96 possible characters, but using a length of 12 or 14 would be much better for future security.
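
The "Random Source" and "Password Length" points above, as an added example (not code from passwordcreator.org or from either answer): it draws characters from the Web Crypto CSPRNG with rejection sampling so every character is equally likely, and works out the exhaustive-search time using the answer's figures of 96 characters and 100 billion guesses per second. The 94-character alphabet, the function names and the `require` fallback for older Node versions are assumptions of this example.

```javascript
// Added example, not the site's own code.
// Web Crypto CSPRNG: the browser's crypto object, or Node's equivalent.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Assumption: 94 printable, non-space ASCII characters ('!' through '~').
const ALPHABET = Array.from({ length: 94 }, (_, i) => String.fromCharCode(0x21 + i)).join("");

// Draw uniformly from [0, n) using rejection sampling. A plain `byte % n`
// would favour low indexes whenever 256 is not a multiple of n.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  for (;;) {
    rng.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

function generatePassword(length, alphabet = ALPHABET) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError("length must be >= 1");
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Number of candidate passwords, as a BigInt so large lengths stay exact.
function keyspace(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Whole seconds needed to try every candidate at a given guess rate.
function secondsToExhaust(alphabetSize, length, guessesPerSecond) {
  return keyspace(alphabetSize, length) / BigInt(guessesPerSecond);
}

// The answer's figures: 96 characters, 100 billion guesses per second.
const RATE = 100_000_000_000;
const SECONDS_PER_YEAR = 31_557_600n; // 365.25 days
for (const len of [8, 10, 12, 14]) {
  const years = secondsToExhaust(96, len, RATE) / SECONDS_PER_YEAR;
  console.log(`length ${len}: ${generatePassword(len)}  ~${years} years to exhaust`);
}
```

The year figures are for trying every candidate; on average a match is found after half that many guesses.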