One problem with that password generator - you only allow 17 total characters (0-9, A-F, hypen) which makes hacking it much simpler than if you allowed 63 or more characters (A-Z, a-z, 0-9, hyphen). Just as a simple example, a brute force attack on a 4-character password with only 17 allowable characters would take (at maximum), 83,521 attempts. A brute force attack on a 4-character password with 63 allowable characters requires a maximum of 15,752,961 attempts. Bute forcing a 4-character password that uses all standard keyboard-accessible printable characters (95 total) requires 81,450,625 max. attempts.
Here's a simple password generator that takes your idea of using NEWID(), but generates significantly stronger passwords with any printable/keyboard accessible characters from SPACE (0x20) to tilde (0x7e). This may have to be modified to eliminate certain characters if you want or need to exclude them:
/*
-- Requires a numbers table like this
SELECT TOP 500 Num = IDENTITY(INT, 1, 1)
INTO dbo.Numbers
FROM syscolumns s1
CROSS JOIN syscolumns s2
ALTER TABLE dbo.Numbers
ADD CONSTRAINT PK_Numbers
PRIMARY KEY (Num)
*/
-- Set this to the max length for the password to generate
DECLARE @pwd_length INT
SELECT @pwd_length = 255
-- Initialize variables, varbinary work password and varchar final pwd
DECLARE @work_pwd VARBINARY(256)
SET @work_pwd = CAST('' AS VARBINARY(256))
DECLARE @pwd VARCHAR(256)
SET @pwd = ''
-- Use NEWID() to generate somewhat "random" string of bytes
WHILE (DATALENGTH(@work_pwd) < @pwd_length)
SET @work_pwd = @work_pwd + CAST(NEWID() AS VARBINARY(16))
-- Limit it to the length defined by @pwd_length
SET @work_pwd = SUBSTRING(@work_pwd, 1, @pwd_length)
-- Put it in a table
CREATE TABLE #PwdChars (Num INT PRIMARY KEY NOT NULL, i INT,
PwdChar INT)
-- We need to account for non-printable and special characters here. We only want
-- keyboard accessible characters; basically SPACE (0x20) to tilde (0x7e).
INSERT INTO #PwdChars (Num, i, PwdChar)
SELECT n.Num, CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT),
CASE
WHEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) < 32
THEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) + 32
WHEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) > 254
THEN 126
WHEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) > 126
THEN CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) / 2
ELSE CAST(SUBSTRING(@work_pwd, n.Num, 1) AS INT) END
FROM dbo.Numbers n
WHERE n.Num > 0 AND n.Num <= DATALENGTH(@work_pwd)
-- Now loop through and build the character password
WHILE @pwd_length > 0
BEGIN
SET @pwd = @pwd + CHAR(
(SELECT PwdChar
FROM #PwdChars
WHERE Num = @pwd_length))
SET @pwd_length = @pwd_length - 1
END
-- Clean up
DROP TABLE #PwdChars
-- Display it
SELECT @pwd