Password generator
Generate strong, cryptographically random passwords of any length and character set. Choose length from 8 to 128 characters and copy with one click.
Why use a password generator?
Humans are terrible at creating random passwords. We default to dictionary words, predictable patterns (Password1!), and personal information that attackers can guess. A random password generator eliminates these biases by using cryptographically secure randomness to produce passwords that are genuinely unpredictable.
How long should my password be?
At minimum 12 characters for important accounts, 16+ for high-security use (banking, email, password managers). With all character types enabled, each additional character multiplies the number of possible combinations by ~95. A 16-character password with all types has 95^16 ≈ 4.4 × 10^31 possible combinations — effectively uncrackable by brute force.
Password strength explained
Entropy measures randomness in bits. Higher means stronger. A 16-character password with all character types has about 105 bits of entropy. The strength meter shows Strong at 80+ bits, Fair between 40 and 79, and Weak below 40. Time-to-crack assumes a fast attacker making 10 billion guesses per second.
"Password length has been found to be a primary factor in characterizing password strength."
"The use of stolen credentials led the pack as the initial action in 24% of breaches."
Password Strength by Length and Character Set
Password strength scales exponentially with length. Adding character types helps, but adding more characters matters more.
| Configuration | Character Pool | Combinations | Offline crack time (GPU at 10B guesses/sec) | Rating |
|---|---|---|---|---|
| 8 chars, lowercase only | 26 | 208 billion | Seconds | Weak |
| 8 chars, lower + upper + digits | 62 | 218 trillion | Minutes | Fair |
| 8 chars, all printable | 95 | 6.6 quadrillion | Hours | Moderate |
| 12 chars, all printable | 95 | 5.4 × 10²³ | Centuries | Strong |
| 16 chars, all printable | 95 | 4.4 × 10³¹ | Astronomical | Very Strong |
| 20 chars, all printable | 95 | 3.6 × 10³⁹ | Effectively uncrackable | Excellent |
Crack times assume 10 billion guesses/second (modern GPU attack). Online attacks are orders of magnitude slower due to rate limiting.
Common Uses
- Account registration: Generate a strong, unique password for every new account signup to eliminate reuse — the leading cause of credential-stuffing attacks.
- Password manager seeding: Generate random passwords here and store them in a password manager (Bitwarden, 1Password) — you never need to remember them.
- API key and secret generation: Create high-entropy random strings for application API keys, webhook secrets, and JWT signing keys.
- Wi-Fi password setup: Generate a strong, memorable-enough passphrase for home or office Wi-Fi that balances security with usability.
- Temporary access credentials: Generate disposable passwords for one-time vendor or contractor access that will be revoked after the task is complete.
- Teaching password security: Show the difference in crack time between weak and strong passwords by generating examples of each and comparing entropy.
- Passphrase generation: Generate a multi-word passphrase (if the tool supports it) for systems that allow longer but easier-to-type passwords.
FAQ
Is my generated password stored anywhere?
No. Every password is generated entirely in your browser using the Web Crypto API. Nothing is sent to any server. Close the tab and the password exists only where you copied it.
Should I use a different password for every site?
Yes, always. This generator creates the passwords — you need a password manager (Bitwarden, 1Password, KeePass, or your browser's built-in manager) to remember them. A unique strong password per account is the single most effective security practice for individuals.
What are ambiguous characters?
Characters that look identical in some fonts: 0 (zero) vs O (letter), 1 (one) vs l (lowercase L) vs I (uppercase i). Excluding them prevents mistakes when someone has to type the password by hand from a screenshot or printout.
Does the password generator store or log my passwords?
No. Passwords are generated client-side using the Web Crypto API. Nothing is sent to a server or logged. Each password exists only in your browser tab until you navigate away.
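A sketch of how a client-side generator can draw characters from the Web Crypto API without modulo bias, drop the ambiguous characters described above, and compute the entropy figure behind the strength meter. This is an added example, not this tool's own code; the function names, the symbol set and the exact ambiguous set are assumptions.

```javascript
// Added example: names, pools and the ambiguous set are illustrative assumptions.
const webCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const POOLS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  // 32 punctuation marks; a pool of 95 is all printable ASCII, which also counts the space.
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};
const AMBIGUOUS = new Set('0O1lI'); // the look-alikes named in the FAQ

function buildAlphabet(types, excludeAmbiguous = false) {
  const chars = types.map((t) => POOLS[t]).join('');
  return [...chars].filter((c) => !(excludeAmbiguous && AMBIGUOUS.has(c))).join('');
}

// Uniform index in [0, n) by rejection sampling: a plain `byte % n` would
// favour low indices whenever 256 is not a multiple of n.
function randomIndex(n) {
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, alphabet) {
  if (length < 8 || length > 128) throw new RangeError('length must be 8-128');
  if (alphabet.length < 2 || alphabet.length > 256) throw new RangeError('bad alphabet');
  let out = '';
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Entropy of a uniformly random password: length * log2(pool size).
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Thresholds as stated on this page: Strong 80+, Fair 40-79, Weak below 40.
function rating(bits) {
  return bits >= 80 ? 'Strong' : bits >= 40 ? 'Fair' : 'Weak';
}
```

Excluding the five look-alike characters shrinks the pool from 94 to 89, which costs a 16-character password a little over one bit of entropy.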
How long should my password be?
Security experts recommend at least 16 characters for most accounts, and 20+ for sensitive accounts like email and banking. This generator defaults to a strong length — increase it further for maximum security.
By the Numbers
- “123456” was the most common password globally for the 5th consecutive year (NordPass Password Report, 2024)
- 81% of data breaches involve weak, stolen, or reused passwords (Verizon Data Breach Investigations Report 2023)
- A random 12-character password mixing letters, numbers, and symbols takes approximately 62 trillion years to brute-force
- NIST SP 800-63B recommends minimum 8 characters, no mandatory complexity rules, and checking against breached password lists