Password Generator
Generate strong, random passwords using cryptographically secure randomness. Choose length, character sets, and generate passphrases. Nothing is stored or transmitted.
How it works
1. Set your desired password length using the slider (4–128 characters).
2. Check or uncheck character sets: uppercase, lowercase, numbers, symbols.
3. Optionally exclude similar-looking characters or specify custom exclusions.
4. Click Generate to create one or more passwords.
5. Switch to the Passphrase tab to generate memorable word-based passwords.
Frequently asked questions
What Makes a Strong Password?
A strong password has two key properties: it is long, and it is random. Length is the single most important factor: every additional character multiplies the number of possible passwords by the size of the character set, so the search space grows exponentially with length. A 16-character password from a charset of 95 printable ASCII characters has 95¹⁶ ≈ 4 × 10³¹ possible values. Even with hardware capable of a trillion guesses per second, brute-forcing this would take longer than the age of the universe.
Randomness is equally important. “P@ssw0rd” is 8 characters of mixed case with numbers and symbols, but it is not random — it is a predictable substitution pattern that appears in every dictionary attack wordlist. True randomness means each character is selected independently by a cryptographically secure random number generator, with no human-predictable patterns. This tool uses crypto.getRandomValues(), the same random number generator used by the browser for cryptographic operations.
Password Entropy Explained
Entropy measures how unpredictable a password is. It is calculated as log₂(charsetSize^length), which simplifies to length × log₂(charsetSize). Entropy is expressed in bits — each bit doubles the number of possible passwords the attacker must try.
Common benchmarks: 40 bits of entropy (weak) can be cracked in seconds with modern hardware; 60 bits (fair) takes hours to years depending on the attacker's resources; 80 bits (strong) is sufficient for most purposes; 128 bits (very strong) is considered cryptographically secure for the foreseeable future. The strength meter in this tool shows estimated crack time assuming 10 billion guesses per second — the capability of a well-resourced attacker with GPU clusters.
Charset size matters: lowercase only (26 chars) gives 4.7 bits per character; adding uppercase (52 chars) gives 5.7 bits; adding digits (62 chars) gives 5.95 bits; adding symbols (95 chars) gives 6.57 bits per character. Using all character types is the most efficient way to maximize entropy for a given length.
Passwords vs Passphrases
A passphrase is a sequence of random words separated by spaces or another character, such as “correct-horse-battery-staple.” The concept was popularized by the webcomic XKCD and the EFF (Electronic Frontier Foundation), which published a set of wordlists specifically for generating memorable passphrases.
A 4-word passphrase from a 7,776-word list (the EFF large wordlist) has 7,776⁴ possible combinations, or about 51 bits of entropy, comparable to a random 8-character password using all character types. A 6-word passphrase reaches 77 bits, equivalent to a random 12-character mixed password. The huge advantage of passphrases is memorability: random words are far easier for humans to remember than random strings of characters.
This tool's passphrase mode generates passphrases from a curated wordlist. For the highest security passphrases, use the EFF large wordlist (7,776 words), which is specifically designed to produce words that are easy to remember, unambiguous, and distinct from one another.
How This Generator Uses Cryptographic Randomness
Not all random number generators are equal. JavaScript's Math.random() is a non-cryptographic pseudo-random number generator (PRNG): it produces numbers that appear random but are generated by a deterministic algorithm from a seed value. Its output is predictable to anyone who recovers the seed or internal state, so it should never be used for security purposes.
This tool exclusively uses crypto.getRandomValues(), the Web Crypto API's cryptographically secure random number generator (CSPRNG). The browser's CSPRNG is seeded by true entropy sources from the operating system — hardware events like mouse movement, keyboard timing, and hardware random number generators (HRNG) present in modern CPUs. The output is statistically indistinguishable from true randomness and cannot be predicted even if the attacker knows the algorithm.
All generation happens in your browser — no passwords are sent to any server, logged, or stored. Close the browser tab and the passwords are gone.
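The following is an added example, not this tool's own source code: one way to draw password characters from crypto.getRandomValues() without modulo bias, with the "exclude similar characters" option and the entropy formula from this page. The symbol set, the function names, and the use of rejection sampling are assumptions of the example.

```javascript
// Added example: unbiased password generation with the Web Crypto CSPRNG.
// Works in browsers; the fallback covers older Node.js without a global crypto.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.<>?/~', // constructed symbol set (assumption)
};
const SIMILAR = '0OIl1'; // the five look-alike characters named on the page

// Build the pool from the selected sets, minus any excluded characters.
function buildCharset(sets, exclude = '') {
  const pool = sets.map((name) => SETS[name]).join('');
  return [...new Set(pool)].filter((c) => !exclude.includes(c)).join('');
}

// Uniform integer in [0, n) by rejection sampling: a plain `value % n` would
// favour low indices whenever n does not divide 2^32.
function uniformIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Each character is an independent uniform draw from the charset.
function generatePassword(length, charset) {
  let out = '';
  for (let i = 0; i < length; i++) out += charset[uniformIndex(charset.length)];
  return out;
}

// Entropy in bits: length * log2(charsetSize), the formula from the page.
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

const charset = buildCharset(['lower', 'upper', 'digits', 'symbols'], SIMILAR);
const password = generatePassword(16, charset);
console.log(password, entropyBits(16, charset.length).toFixed(1), 'bits');
```

The entropy figure only holds because every draw is uniform and independent; a biased index would make some passwords more likely than the formula assumes.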
Password Manager Recommendations
The best practice is to use a different strong password for every account, which makes a password manager essential. A password manager stores all your passwords encrypted behind a single master password (or passphrase), so you only need to remember one credential.
Reputable options include Bitwarden (open source, free tier available), 1Password (strong security model, subscription), KeePassXC (local-only, open source), and Proton Pass (privacy-focused). Avoid browser-built-in password managers if you use multiple browsers or need cross-platform access.
Use this generator to create a strong unique password for each account, save it in your password manager, and never reuse passwords. If one site is breached, credential stuffing attacks (trying stolen credentials on other sites) cannot compromise your other accounts.
The “Exclude Similar Characters” Option
The characters 0 (zero), O (capital O), I (capital I), l (lowercase L), and 1 (one) look nearly identical in many fonts. When you need to read or type a password manually — for example, entering a WiFi password on a TV — ambiguous characters cause frustrating errors. The “Exclude similar characters” option removes these five characters from the charset. This slightly reduces entropy (by removing 5 characters from the pool) but makes the password significantly easier to read and type. For passwords you will only paste, leave this option off.
Frequently Asked Questions
How long should my password be?
For most accounts: 16 characters minimum using mixed character types (80+ bits of entropy). For high-value accounts (banking, email, password manager master password): 20+ characters or a 6-word passphrase. Longer is always better — password length is your best defense.
Are my generated passwords stored anywhere?
No. All generation happens in your browser using JavaScript. No data is sent to any server. Close the tab and the passwords are gone. You can verify this by disconnecting from the internet and using the tool — it works entirely offline.
Should I use symbols in my password?
Yes, if the site allows them. Symbols increase the charset size, which increases entropy per character. However, some sites restrict which symbols are allowed. If you encounter a site that rejects your password, use the “Don't include these characters” field to exclude the specific symbols it rejects.
What is pronounceable mode?
Pronounceable mode generates passwords by alternating consonants and vowels, creating syllable-like patterns (e.g., “kalitovez”). These are easier to remember and type than fully random strings, at the cost of slightly lower entropy. Good for passwords you need to memorize without a manager. For maximum security, use fully random mode.
How do I check if my password has been breached?
Use the Have I Been Pwned service (haveibeenpwned.com). Their Pwned Passwords feature uses a k-anonymity model — you send only the first 5 characters of the SHA-1 hash of your password, and the service returns matching hashes without ever seeing your full password. The Hash Generator can help you compute the SHA-1 hash of your password for this purpose.
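The k-anonymity check described above, as an added example that is not code from this site or from Have I Been Pwned: the password is hashed locally, only the 5-character prefix is handed to the lookup, and the suffix is matched on the client. The response body below is constructed with made-up counts, the `fetchRange` parameter is a hypothetical stand-in for the network call, and the "SUFFIX:COUNT" line format is an assumption about the range endpoint.

```javascript
// Added example: client side of a k-anonymity range check (Pwned Passwords style).
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// SHA-1 of the password as 40 uppercase hex characters (async in Web Crypto).
async function sha1Hex(text) {
  const digest = await webCrypto.subtle.digest('SHA-1', new TextEncoder().encode(text));
  return [...new Uint8Array(digest)]
    .map((b) => b.toString(16).padStart(2, '0')).join('').toUpperCase();
}

// Only the 5-character prefix leaves the machine; the 35-character suffix stays local.
function splitHash(hashHex) {
  if (!/^[0-9A-F]{40}$/.test(hashHex)) throw new Error('expected 40 hex chars');
  return { prefix: hashHex.slice(0, 5), suffix: hashHex.slice(5) };
}

// The range response is one "SUFFIX:COUNT" pair per line; match the suffix locally.
function breachCount(suffix, rangeBody) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) return parseInt(count, 10);
  }
  return 0; // suffix absent from the bucket: not found in the corpus
}

// Constructed response body for prefix 5BAA6 (counts are made up for illustration).
const SAMPLE_RANGE = [
  '1D2DA4053E34E76F6576ED1DA63134B5E2A:2',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234',
  '1F2B668E8AABEF1C59E9EC6F82E3F3CD786:5',
].join('\r\n');

// fetchRange(prefix) is injected so the same logic runs offline or against a real lookup.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return breachCount(suffix, await fetchRange(prefix));
}

// Offline demo: the stub stands in for GET https://api.pwnedpasswords.com/range/<prefix>
checkPassword('password', async () => SAMPLE_RANGE)
  .then((n) => console.log('seen', n, 'times'));
```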
Is a longer password always better than a complex one?
Yes, once you have a sufficient charset. A 20-character lowercase-only password (94 bits of entropy) is much stronger than a 10-character mixed-case password with symbols (65 bits). Length beats complexity at sufficient scale. However, using all character types at the same length is always better than restricting to fewer character types.
What makes a passphrase secure?
Randomness and sufficient word count. The words must be chosen randomly from a large wordlist — not picked by you (humans are bad at random selection). 4 words from a 1000-word list gives 40 bits of entropy; 4 words from a 7776-word list gives 51 bits; 6 words from 7776 gives 77 bits. Longer passphrases are more secure and often still memorable.