Compliance Reference · Updated April 2026

Password compliance certificate

A password compliance certificate is a cryptographically signed, machine-verifiable proof that a credential was generated to a specific security standard. It is the difference between claiming your passwords are compliant and proving it to an auditor.

6 · Compliance standards supported
ES256 · Digital signature algorithm
0 · Bytes of plaintext transmitted
JWKS · Public verification endpoint

What is a password compliance certificate?

A password compliance certificate is a cryptographically signed document that attests to three facts about a credential: how it was generated (via a cryptographically secure pseudorandom number generator), what its entropy score is (in bits), and which security standard it satisfies (NIST 800-63B, HIPAA, PCI-DSS v4.0, SOC 2, ISO 27001, or FIPS 140-3).

Unlike a password manager entry or a generator log, a compliance certificate is independently verifiable. The certificate is an ES256-signed JWT. Anyone — including an auditor with no PassGeni account — can verify its authenticity via the public JWKS endpoint at passgeni.ai/.well-known/jwks.json. The plaintext credential is never included.

Definition

Password compliance certificate — A machine-readable, cryptographically signed attestation that a credential was generated using a CSPRNG, meets a minimum entropy threshold, and satisfies the documented requirements of a named security standard. Used as primary evidence in compliance audits.

PassGeni issues certificates for NIST SP 800-63B, HIPAA §164.312, PCI-DSS v4.0, SOC 2 CC6.1, ISO 27001 A.9.4.3, and FIPS 140-3.

Why password generators are not enough

A password generator is a production tool. A compliance certificate is an evidence tool. The distinction matters because every major compliance framework requires documented proof — not just implementation — of compliant credential management.

Here is what an auditor cannot determine from a password generator alone:

Generation method unknown
Was the password generated by a CSPRNG or typed manually? Generators don't leave auditable proof.
Entropy not documented
A generator may produce a 12-character password, but was its entropy 50 bits or 80 bits? The difference matters under NIST 800-63B.
Standard compliance unclear
The credential may look strong, but does it meet PCI-DSS Requirement 8.3.6 specifically? Proof requires a standard-specific attestation.
No machine-verifiable record
Generator logs (if they exist) are internally created documents. Auditors require independently verifiable evidence — a signed JWT is tamper-evident; a screenshot is not.

PCI-DSS v4.0 Requirement 12.3.2 — "A targeted risk analysis is performed for each PCI DSS requirement that provides flexibility in how the requirement is met." Flexibility does not mean skipping documentation. Requirement 8.3.6 evidence includes proof of generation method and entropy.

PassGeni's Credential Compliance Fixer and Strength Checker analyze existing credentials. The certification endpoint then issues the verifiable proof.

How password certification works

The certification process uses asymmetric cryptography. PassGeni generates credentials client-side using crypto.getRandomValues() — the Web Crypto API's CSPRNG implementation. The credential's SHA-256 hash (never the plaintext) is submitted to the certification endpoint.

The endpoint calculates entropy, checks standard compliance, and issues an ES256-signed JWT. The private key never leaves PassGeni's signing service. The corresponding public key is published at the JWKS endpoint for independent verification.

Certificate payload (simplified)

{
  "credential_hash": "sha256:a3f4c...",
  "entropy_bits": 82.4,
  "standard": "PCI-DSS-4.0",
  "requirement": "8.3.6",
  "generation_method": "CSPRNG/WebCrypto",
  "issued_at": "2026-04-26T10:00:00Z",
  "issuer": "https://passgeni.ai"
}

Audit relevance by framework

Every major security framework requires credential documentation. The following table shows what each standard requires and what a PassGeni certificate provides as evidence.

Standard | Min Length | Entropy Req. | Documentation
NIST SP 800-63B | 8 chars (15 recommended) | ≥ 112 bits (agency) | Required
PCI-DSS v4.0 | 12 chars | ≥ 78 bits | Req. 8.3.6 evidence
HIPAA §164.312 | 12 chars (HHS guidance) | ≥ 60 bits | Audit-ready policy
SOC 2 CC6.1 | 16 chars | ≥ 80 bits | Auditor verifiable
ISO 27001 | 12 chars | ≥ 60 bits | A.9.4.3 controls
FIPS 140-3 | 14 chars (CSPRNG req.) | ≥ 112 bits | Module cert. ref.

For detailed requirements per framework, see the compliance guides: HIPAA, PCI-DSS, SOC 2, ISO 27001, NIST 800-63B, FIPS 140-3.

Step-by-step: get your first certificate

The entire process takes under two minutes. No command line, no API key required for free credentials.

1. Generate the credential
Use PassGeni's CSPRNG-backed generator to produce a credential that meets your target standard. The generator enforces minimum length and entropy automatically; select your standard from the preset menu.

2. Run the compliance analysis
PassGeni calculates entropy (Shannon + character-set analysis), checks against breach databases using k-anonymity, and identifies which of the six supported standards the credential satisfies.

3. Issue the certificate
Submit the credential hash (never the plaintext) to the certification endpoint. PassGeni issues an ES256-signed JWT containing: credential hash, entropy score, standard, issue timestamp, and expiry.

4. Share the verification URL
Every certificate has a unique public URL. Paste it into your audit evidence package. Auditors click the URL and see the verified certificate data; no PassGeni account is needed to verify.

5. Store the cert with your credential
Save the certificate URL alongside the credential in your password manager or audit evidence system. When your next audit arrives, the URL remains verifiable via the JWKS endpoint.

Start with the Compliance Fixer →

Certificates vs. password managers

Password managers and compliance certificates are complementary tools. Many organisations use Bitwarden, 1Password, or Dashlane for storage alongside PassGeni certificates for audit evidence. Here is how the responsibilities divide:

Features compared (Password Manager vs. Compliance Certificate):
Stores credentials securely
Proves generation method (CSPRNG)
Proves entropy score
Proves compliance standard met
Independently verifiable by auditors
Machine-readable (JWT / JSON)
No plaintext credential exposure
Generates compliant passwords (password managers: some)

For an audit, your auditor needs both: your policy document (use PassGeni's Policy Generator), and per-credential proof (compliance certificates). The manager handles day-to-day storage; the certificate handles audit evidence.

Frequently asked questions

What is a password compliance certificate?

A password compliance certificate is a cryptographically signed document that proves a credential was generated to a specific security standard. It contains the credential's entropy score, generation method, applicable standard (NIST, HIPAA, PCI-DSS, SOC 2, ISO 27001, or FIPS 140-3), and an ES256 digital signature that auditors can independently verify via PassGeni's public JWKS endpoint.

Why can't auditors just trust that we have strong passwords?

Auditors are required to verify claims, not accept them. Under HIPAA, PCI-DSS, and SOC 2, documented evidence of compliant access controls is a mandatory requirement — not optional. A password compliance certificate is that evidence: cryptographic proof that the credential was generated correctly, not just a claim that it was.

Does the certificate contain my actual password?

No. PassGeni certificates never contain plaintext passwords. They contain a SHA-256 hash of the credential (for identity), the entropy score, the generation standard, and the digital signature. The plaintext credential is never transmitted to PassGeni's servers.

How long is a PassGeni certificate valid?

Certificates do not expire by default, but PassGeni allows you to set expiry dates on the Assurance and Authority plans. Auditors typically want certificates issued within the current audit period — issuing a new certificate after a credential rotation is best practice.

Which compliance frameworks accept PassGeni certificates?

PassGeni certificates are accepted as evidence for NIST SP 800-63B, HIPAA §164.312, PCI-DSS v4.0 Requirement 8.3.6, SOC 2 CC6.1, ISO 27001 Annex A.9.4.3, and FIPS 140-3. The certificate includes the specific standard and version so auditors can cross-reference requirements.

What is the difference between a compliance certificate and a policy document?

A password policy document (like those generated by PassGeni's Policy Generator) describes your organisation's rules for credential management. A compliance certificate is per-credential proof that a specific credential was generated according to those rules. Auditors need both: the policy to show intent, and certificates to show execution.

Can I generate certificates for existing passwords?

You can run existing credentials through PassGeni's Compliance Fixer to check whether they meet a target standard. If they do, a certificate can be issued. If they don't, PassGeni generates a compliant replacement and issues the certificate for the new credential.

Ready to prove compliance?

Get your first certificate in 2 minutes.

Free for one credential. ES256-signed, auditor-verifiable, standard-specific. No credit card required.