Guide 2: Passwords, Tokens, and Secure Randomness
A beginner-friendly practical guide for learning how strong passwords, passphrases, random tokens, UUIDs, API keys, and TOTP secrets support authentication and security.
In this guide, you will practise generating strong passwords, passphrases, secure random tokens, UUIDs, API keys, and TOTP secrets. You will also learn why secrets must be protected and how redaction tools can reduce accidental exposure.
Overview
Learn how strong secrets support authentication
Passwords and tokens are used to control access to accounts, systems, and services. Weak or exposed secrets can lead to account takeover, data breaches, and unauthorised access. This guide introduces safe beginner-level practices for generating, recognising, and protecting secrets.
- Explain why strong passwords should be long, random, and hard to guess.
- Compare passwords and passphrases.
- Generate secure random values using browser-based tools.
- Understand the purpose of API keys and random tokens.
- Explain what UUIDs are commonly used for.
- Understand what a TOTP secret is used for in two-factor authentication.
- Recognise why secrets should not be pasted into logs, screenshots, emails, or public repositories.
- Use masking or redaction tools to remove sensitive values from text.
Important safety note
Use only fake or generated example secrets
Do not paste your real passwords, API keys, private keys, university credentials, work credentials, recovery codes, or real authentication secrets into this guide. Use only generated examples or fake sample values.
How to use this guide
Generate examples safely and think about exposure risk
- Read each task carefully.
- Open the linked MuhammadLab tool when instructed.
- Generate example values only.
- Copy safe example outputs into the answer boxes.
- Do not use real credentials.
- Save your answers locally.
- Complete the quiz.
- Mark the guide as complete when finished.
Tools used in this guide
Open the existing MuhammadLab tools as you work
Task 1
Generate a strong password
Use the Password Generator tool to create a long random password with mixed character types.
Password settings
Generate a password with at least 16 characters, uppercase letters, lowercase letters, numbers, and symbols.
Tool to use: Password Generator
Expected student action
Generate a safe example password and paste it into the answer box.
Reflection question
Why is a long random password usually stronger than a short password with a common word?
Optional hint
Length and randomness make passwords harder to guess or brute-force.
Task 2
Generate a passphrase
Use the Passphrase Generator tool to create a word-based passphrase that is long and memorable.
Passphrase task
Generate a word-based passphrase using the passphrase tool.
Tool to use: Passphrase Generator
Expected student action
Generate a safe example passphrase and paste it into the answer box.
Reflection question
Why might a passphrase be easier for a human to remember than a random password?
Optional hint
A passphrase uses multiple words, which can be memorable while still being long.
Task 3
Compare password and passphrase
Compare the outputs from Task 1 and Task 2 and think about usability versus security.
Compare your two examples
Which one is easier to remember? Which one looks harder to guess? Which one would you prefer for a real account, and why?
Expected student action
Write a short comparison of the password and passphrase.
Reflection question
What is the trade-off between usability and security?
Optional hint
A password can be very random but hard to remember. A passphrase can be easier to remember but should still be long and unpredictable.
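Added example for Tasks 1 to 3 (this is not one of the MuhammadLab tools): how a password generator and a passphrase generator pick their values from the operating system's CSPRNG, and how to compare the two by entropy. The 94-character alphabet, the toy wordlist and the 7776-word Diceware list size are assumptions for illustration.

```python
import math
import secrets
import string

# Character set used for Task 1's password: upper, lower, digits, symbols (94 chars).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy wordlist. A real passphrase tool draws from thousands of words
# (a Diceware list has 7776); the list size is where a passphrase gets its strength.
TOY_WORDLIST = ["correct", "horse", "battery", "staple", "ocean", "violet",
                "hammer", "orbit"]

def generate_password(length=16, alphabet=PASSWORD_ALPHABET):
    """Return `length` characters drawn uniformly from `alphabet`.
    secrets.choice uses the OS CSPRNG; random.choice is not suitable for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(words=6, wordlist=TOY_WORDLIST, sep="-"):
    """Return `words` words picked uniformly (with replacement) from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def entropy_bits(choices_per_symbol, symbols):
    """Entropy of a uniformly random secret: symbols * log2(choices).
    This measures the generator, not the string, so it only applies to values
    that really were chosen at random (not to a word a person thought of)."""
    return symbols * math.log2(choices_per_symbol)

def compare(password_length=16, passphrase_words=6, wordlist_size=7776):
    """Task 3: entropy of the Task 1 password vs a Diceware-style passphrase,
    with a single dictionary word (a 'common word' password) for scale."""
    return {
        "password_bits": entropy_bits(len(PASSWORD_ALPHABET), password_length),
        "passphrase_bits": entropy_bits(wordlist_size, passphrase_words),
        "dictionary_word_bits": entropy_bits(wordlist_size, 1),
    }

if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase())
    print(compare())
```

The six-word passphrase is far easier to remember than the 16-character password and still carries about 78 bits of entropy, while a single common word carries only about 13 bits, which is why length and randomness matter more than one added symbol.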
Task 4
Generate a secure random token
Use the Secure Random Generator to create strong random values in different formats.
Random token task
Generate 32 random bytes. Record the hex output and the Base64 output if available.
Tool to use: Secure Random Generator
Expected student action
Paste the generated token output into the answer box.
Reflection question
Where might random tokens be used in real systems?
Optional hint
Random tokens may be used for sessions, password reset links, nonces, temporary secrets, and secure identifiers.
Task 5
Generate an API key or token
Use the API Key / Token Generator to create a fake example key and think about why it must stay secret.
API key task
Generate a fake example API key or token.
Tool to use: API Key / Token Generator
Expected student action
Paste the generated example API key into the answer box.
Reflection question
Why should API keys be kept secret?
Optional hint
API keys may allow access to services, data, billing, or automated actions.
Task 6
Generate a UUID v4
Use the UUID v4 Generator to create three unique identifiers and consider what they are normally used for.
UUID task
Generate three UUID v4 values.
Tool to use: UUID v4 Generator
Expected student action
Paste the three UUIDs into the answer box.
Reflection question
What are UUIDs useful for?
Optional hint
UUIDs are commonly used as unique identifiers for records, files, sessions, events, and database entries. They are usually not passwords.
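Added example for Tasks 4 to 6 (not code from the MuhammadLab tools): a 32-byte token in hex and Base64, a prefixed API key with the server-side check that stores only a hash of it, and a UUID v4 built by hand so the fixed version and variant bits are visible. The `sk_test_` prefix, the key length and the hashing scheme are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import uuid

def random_token(nbytes=32):
    """Task 4: `nbytes` bytes from the OS CSPRNG, as hex and URL-safe Base64."""
    raw = secrets.token_bytes(nbytes)
    return {
        "hex": raw.hex(),                                           # 2 chars per byte
        "base64": base64.urlsafe_b64encode(raw).rstrip(b"=").decode(),
    }

def generate_api_key(prefix="sk_test_", nbytes=24):
    """Task 5: a labelled key. The prefix only helps humans and redaction tools
    recognise it; all of the secrecy lives in the random part after it."""
    return prefix + secrets.token_urlsafe(nbytes)

def fingerprint(api_key):
    """Server side: store a hash of the key, never the key itself, so a leaked
    database does not hand out working keys."""
    return hashlib.sha256(api_key.encode()).hexdigest()

def check_api_key(presented, stored_fingerprint):
    """Constant-time comparison so timing does not reveal how much matched."""
    return hmac.compare_digest(fingerprint(presented), stored_fingerprint)

def uuid_v4_from_bytes(raw):
    """Task 6: build a UUID v4 from 16 random bytes. Six of the 128 bits are
    fixed by the format (version 4, RFC 4122 variant), so the layout is public
    and 122 bits are random: a fine identifier, not a credential."""
    b = bytearray(raw)
    b[6] = (b[6] & 0x0F) | 0x40   # high nibble of byte 6 = version 4
    b[8] = (b[8] & 0x3F) | 0x80   # top two bits of byte 8 = variant 10xx
    return uuid.UUID(bytes=bytes(b))

def generate_uuid_v4():
    return uuid_v4_from_bytes(secrets.token_bytes(16))

if __name__ == "__main__":
    print(random_token())
    key = generate_api_key()
    print(key, check_api_key(key, fingerprint(key)))
    print([str(generate_uuid_v4()) for _ in range(3)])
```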
Task 7
Understand TOTP secrets
Use the TOTP Secret Generator to create a fake example secret and setup URI, then reflect on why it must be protected.
TOTP task
Generate a fake example TOTP secret and otpauth URI. Paste only the fake or shortened secret into the answer box.
Tool to use: TOTP Secret Generator
Expected student action
Paste only the fake example secret, or a shortened version of it, into the answer box.
Reflection question
Why should a TOTP secret be protected carefully?
Optional hint
A TOTP secret is used to generate time-based one-time codes. If someone steals the secret, they may be able to generate the same codes.
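Added example for Task 7 (not the MuhammadLab generator's code): generating a Base32 TOTP secret, building its otpauth URI, and computing the RFC 6238 code from the secret and the clock. Running the last function twice with the same secret shows why the secret must be protected: whoever holds it produces identical codes. The issuer and account names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

def generate_totp_secret(nbytes=20):
    """Task 7: a 160-bit shared secret, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")

def otpauth_uri(secret_b32, account, issuer, digits=6, period=30):
    """The setup URI that the enrolment QR code carries. It contains the whole
    secret, so a screenshot of that QR code is as sensitive as the secret."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                     "algorithm": "SHA1", "digits": digits,
                                     "period": period})
    return f"otpauth://totp/{label}?{params}"

def totp_code(secret_bytes, unix_time, digits=6, period=30):
    """RFC 6238: HMAC-SHA1 over the 30-second time counter, then dynamic truncation."""
    counter = int(unix_time) // period
    mac = hmac.new(secret_bytes, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_from_b32(secret_b32, unix_time=None):
    """What both the app and the server do: decode the shared secret, use the clock."""
    pad = "=" * (-len(secret_b32) % 8)
    raw = base64.b32decode(secret_b32 + pad)
    return totp_code(raw, time.time() if unix_time is None else unix_time)

if __name__ == "__main__":
    secret = generate_totp_secret()
    print(otpauth_uri(secret, "student@example.com", "MuhammadLab"))
    # Same secret and same clock give the same code, for the owner or for a thief.
    print(totp_from_b32(secret), totp_from_b32(secret))
```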
Task 8
Redact secrets from a sample log
Use a redaction tool to clean a fake log that contains sensitive values.
Fake log sample
User login successful email: student@example.com api_key: sk_test_1234567890abcdef token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.payload password: MyFakePassword123! session_id: abcdef1234567890
Tool to use
Expected student action
Paste the redacted output into the answer box.
Reflection question
Why is it dangerous to store secrets in logs?
Optional hint
Logs are often copied, shared, stored, indexed, or uploaded to debugging systems. Secrets in logs can be accidentally exposed.
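Added example for Task 8 (this is not the redaction tool itself): a small redactor run over the fake log sample above. It masks values by field name first, then catches secrets by shape (JWT, prefixed API key, email address) in case they appear without a helpful label. The field names, patterns and masking style are assumptions.

```python
import re

# Constructed sample from Task 8 (every value is fake).
SAMPLE_LOG = ("User login successful email: student@example.com "
              "api_key: sk_test_1234567890abcdef "
              "token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.fake.payload "
              "password: MyFakePassword123! session_id: abcdef1234567890")

# Rule 1, key-driven: any "<sensitive field>: <value>" pair, whatever the value looks like.
SECRET_KEY_RE = re.compile(
    r"(?i)\b(api_key|token|password|passwd|secret|session_id|authorization)"
    r"(\s*[:=]\s*)(\S+)")

# Rule 2, pattern-driven: secrets that arrive without a label still have a shape.
PATTERN_RULES = [
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")),
    ("API_KEY", re.compile(r"\bsk_(?:test|live)_[A-Za-z0-9]+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]

def mask(value, keep=4):
    """Keep a short prefix so the log stays debuggable; hide the rest."""
    return value[:keep] + "*" * max(len(value) - keep, 4)

def redact(line):
    """Apply the key rule (it knows which field it is), then the shape rules
    for anything that slipped through without a label."""
    line = SECRET_KEY_RE.sub(lambda m: m.group(1) + m.group(2) + mask(m.group(3)), line)
    for name, rx in PATTERN_RULES:
        line = rx.sub(f"[REDACTED_{name}]", line)
    return line

if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
```

The better fix is never to log these fields at all; redaction is the safety net for the logs that already exist.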
Extension
Optional: inspect the JWT-like token structure
If the redacted sample contains a JWT-like token, use the JWT Decoder to inspect its structure and explain why decoding a token is not the same as having permission to use it.
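Added example for the extension (not the MuhammadLab JWT Decoder's code): decoding the header of the sample token needs no key at all, while checking its HS256 signature does, which is the difference between reading a token and being allowed to use it. The minting function, its claims and the key `constructed-key` are constructed for the demonstration; the sample token's `fake.payload` parts are placeholders, so only its header is decoded here.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part):
    """JWT parts are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """Anyone can do this: header and payload are encoded, not encrypted."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def sign_hs256(signing_input, key):
    return b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def mint_hs256(claims, key):
    """Constructed issuer, present only so there is a verifiable sample token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{sign_hs256(header + '.' + payload, key)}"

def verify_hs256(token, key):
    """Only a holder of the key can do this. A real server also checks claims
    such as exp and aud, which this example leaves out."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False              # the server, not the token, decides the algorithm
    return hmac.compare_digest(sig, sign_hs256(header + "." + payload, key))

# Header part of the fake token in Task 8's sample log.
SAMPLE_HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"

if __name__ == "__main__":
    print(b64url_decode(SAMPLE_HEADER))            # readable without any key
    tok = mint_hs256({"sub": "student", "role": "user"}, b"constructed-key")
    print(decode_unverified(tok)[1])
    print(verify_hs256(tok, b"constructed-key"), verify_hs256(tok, b"wrong-key"))
```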
Mini summary
What this guide helped you practise
Common mistakes
Watch for these beginner traps
Mistake 1: Thinking a short password is safe because it has one symbol.
Mistake 2: Reusing the same password across many accounts.
Mistake 3: Treating UUIDs as passwords.
Mistake 4: Posting API keys or tokens in screenshots, logs, GitHub repositories, or support chats.
Mistake 5: Sharing TOTP setup secrets.
Mistake 6: Confusing encoding or decoding with authorisation.
Knowledge check
Quick quiz with immediate feedback
Answer the questions below to check your understanding of passwords, tokens, randomness, UUIDs, and secret handling.
1. Which password is usually stronger?
2. Why can passphrases be useful?
3. What is a secure random token commonly used for?
4. Which statement about UUIDs is correct?
5. Why should API keys be protected?
6. Why is it dangerous to include secrets in logs?
Privacy note
Your answers stay local to this browser
This guide is designed for browser-based learning. Your answers and completion status are saved locally in your browser using localStorage. Do not enter real passwords, real API keys, real TOTP secrets, or real credentials.