I felt inspired after reading Jeff Atwood's post "Password Rules Are Bullshit". The concept is fairly simple: use Unicode characters (including emojis) in passwords. If you're using HMAC + bcrypt (and you should be) everything should work perfectly fine.

Sadly, a very large number of websites do not support Unicode characters in passwords, have low max character counts or have crazy password rules. This is horrible and needs to be fixed; however, instead of berating these companies publicly I would rather learn more about what's broken and actually try to fix the problem. It doesn't hurt for me to send an email and follow up every few days. If you know of a company that needs to be bothered, hit me up on twitter @sethblackatx and I'd be more than happy to bug them. :)

Now for the fun stuff: I put the generator above on github. It generates a 26-glyph password using multiple unicode blocks and the Fortuna PRNG.

Both Fortuna and the unicode secure password generator can be found on GitHub and as NPM packages:

https://github.com/sethblack/javascript-strong-password-generator

https://www.npmjs.com/package/javascript-strong-password-generator

https://github.com/sethblack/javascript-fortuna

https://www.npmjs.com/package/javascript-fortuna

Also check out the Random Passphrase Generator and Random Password Generator

-Sethers

Jason Blackeye