Password Generator — Create Strong Random Passwords
Generate strong, secure random passwords and passphrases with cryptographic randomness. Customize length, character sets, and complexity. Analyze password strength with entropy calculation and crack time estimation.
Password Generator
Generate secure random passwords and passphrases
0, O, 1, l, I
Frequently Asked Questions
How does this password generator create secure passwords?
This password generator uses the Web Crypto API (crypto.getRandomValues()) to produce cryptographically secure random numbers. Unlike Math.random(), which is predictable, the Web Crypto API draws from the operating system's entropy source, ensuring each character in the generated password is truly unpredictable and suitable for security-critical applications.
What is password entropy and why does it matter?
Password entropy measures the unpredictability of a password in bits. It is calculated as Length × log₂(Pool Size), where Pool Size is the number of possible characters. Higher entropy means more possible combinations, making the password harder to crack. For example, a 16-character password using all character types (95 possible characters) has about 105 bits of entropy, which would take billions of years to brute-force at 10 billion guesses per second.
How long should my password be?
For most online accounts, a minimum of 12 characters is recommended, but 16 or more characters provides significantly better security. For high-security applications like encryption keys or master passwords, use 20+ characters or a 5+ word passphrase. Each additional character exponentially increases the number of possible combinations.
Is a passphrase more secure than a random password?
It depends on the length and word count. A 4-word passphrase from a 200-word list provides about 31 bits of entropy, while a 16-character random password with all character types provides about 105 bits. However, passphrases are much easier to memorize and type. For comparable security, use 6+ words in your passphrase. Passphrases are ideal for master passwords you need to type manually.
What are ambiguous characters and why exclude them?
Ambiguous characters are those that look similar in many fonts: 0 (zero) and O (capital O), 1 (one) and l (lowercase L) and I (capital I). Excluding them prevents confusion when reading or manually entering passwords, which is useful for passwords that need to be typed or read aloud. For passwords stored in a password manager, this exclusion is not necessary.
Should I use special characters (symbols) in my password?
Including symbols like !@#$%^&* increases the character pool from 62 (letters + digits) to 95 or more, significantly boosting entropy per character. However, some systems restrict which special characters are allowed. If you encounter restrictions, use this generator's custom exclude feature to remove disallowed characters while keeping the password as strong as possible.
How often should I change my passwords?
Current security guidance from NIST (National Institute of Standards and Technology) recommends against mandatory periodic password changes unless there is evidence of a breach. Frequent forced changes often lead to weaker passwords. Instead, use a strong, unique password for each account, enable two-factor authentication, and change passwords immediately if you suspect a compromise.
Can this password generator be trusted? Is it safe?
Yes. This password generator runs entirely in your web browser — no passwords are ever sent to a server or stored anywhere. The generation uses the Web Crypto API for cryptographic randomness. You can verify this by checking the page source or using your browser's network tab to confirm no data is transmitted during password generation.
What is the best way to store generated passwords?
Use a reputable password manager such as 1Password, Bitwarden, KeePass, or Dashlane. Password managers encrypt your passwords with a master password and can auto-fill login forms. Never store passwords in plain text files, browser saved passwords without a master password, sticky notes, or email drafts. For your password manager's master password, use a strong passphrase you can memorize.
How is crack time estimated?
The crack time estimate assumes an attacker performing a brute-force attack at 10 billion guesses per second, which represents a powerful GPU cluster. The calculation divides the total number of possible passwords (2^entropy) by the guess rate. Real-world crack times may vary: offline attacks against weak hashes can be faster, while attacks against properly salted bcrypt or Argon2 hashes would be significantly slower.
About Password Generator
The Password Generator is a free online tool that creates strong, secure random passwords and passphrases using cryptographically secure randomness. Unlike passwords created by humans, which tend to follow predictable patterns, this Password Generator uses the Web Crypto API (crypto.getRandomValues()) to ensure every character is truly random. You can customize length, character sets, and exclusion rules to match any password policy or personal preference.
How to Create a Strong Password
A strong password is your first line of defense against unauthorized access. Follow these tips when creating passwords with the Password Generator:
- Use at least 16 characters — longer passwords are exponentially harder to crack
- Include all character types: uppercase letters, lowercase letters, numbers, and symbols
- Avoid dictionary words, names, dates, or keyboard patterns (e.g., "qwerty", "123456")
- Use a unique password for every account — never reuse passwords across services
- Consider using a passphrase (4+ random words) for passwords you need to type manually
- Store generated passwords in a reputable password manager rather than memorizing them
- Enable two-factor authentication (2FA) wherever possible for added security
Password Entropy Explained
Entropy measures the randomness or unpredictability of a password, expressed in bits. The Password Generator calculates entropy using the formula:
Entropy = Length × log₂(Pool Size)
Where Pool Size is the number of possible characters. For example, a 16-character password using uppercase (26) + lowercase (26) + digits (10) + symbols (33) = 95 possible characters has:
16 × log₂(95) ≈ 105 bits of entropy
Higher entropy means more possible combinations and longer crack times. As a general guideline:
| Entropy (bits) | Strength | Use Case |
|---|---|---|
| < 28 | Very Weak | Not recommended for any use |
| 28 – 35 | Weak | Temporary or low-value accounts only |
| 36 – 59 | Fair | General online accounts |
| 60 – 79 | Strong | Email, social media, financial accounts |
| 80+ | Very Strong | Encryption keys, master passwords, high-security systems |
Passphrase vs Password
A passphrase is a sequence of random words (e.g., "bridge-crystal-dolphin-autumn") that serves as a password. The Password Generator supports both approaches:
| Aspect | Random Password | Passphrase |
|---|---|---|
| Example | k7#Bm9$xR2&pL4 | Bridge-Crystal-Dolphin-Autumn |
| Memorability | Difficult to memorize | Easier to memorize and type |
| Typing speed | Slow (mixed characters) | Faster (natural words) |
| Security per character | Higher per character | Lower per character, but longer overall |
| Best for | Password managers, auto-fill | Master passwords, manual entry |
A 4-word passphrase from a 200-word list provides approximately 31 bits of entropy, while a 6-word passphrase provides approximately 46 bits. For higher security, use 5 or more words and enable capitalization.
Common Password Mistakes
Avoid these common mistakes that make passwords easy to guess or crack:
- Reusing passwords — if one account is breached, attackers try the same password on other services (credential stuffing)
- Using personal information — names, birthdays, pet names, and addresses are easily guessable or found on social media
- Simple substitutions — replacing "a" with "@" or "o" with "0" is a well-known pattern that cracking tools account for
- Keyboard patterns — "qwerty", "asdfgh", and "zxcvbn" are among the most common passwords
- Too short — passwords under 12 characters can be brute-forced relatively quickly with modern hardware
- Appending numbers — adding "123" or the current year to a word does not meaningfully increase security
- Writing passwords down — sticky notes on monitors or plain text files on your computer are not secure storage
Instead of trying to create a "clever" password, use this Password Generator to create a truly random one, then store it in a password manager.
Related Security Tools
Combine password generation with these related tools for a complete security workflow:
- Hash Generator— generate MD5, SHA-1, SHA-256, and other hash digests for file integrity verification
- UUID Generator— create universally unique identifiers for database records and API keys