webby.tools

Password Generator

Generate a cryptographically random password instantly — choose your length, character sets, and options, then copy with one click.


What Makes a Password Strong?

Password strength comes down to two things: length and unpredictability. Security researchers measure this as entropy, expressed in bits: a password with $n$ bits of entropy takes up to $2^n$ guesses to exhaust. Every additional character multiplies the number of possible passwords by the size of the character set, and every additional character type enlarges that set, so difficulty grows exponentially with length.

Entropy and Brute-Force Resistance

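Entropy is calculated as $\log_2(C^L) = L \times \log_2(C)$ where $C$ is the number of possible characters and $L$ is the password length. The formula assumes each character is chosen independently and uniformly at random, so for human-chosen passwords it is only an upper bound. The strength meter above shows live entropy as you change settings.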

| Password example | Charset size | Length | Entropy | Est. crack time at 1T guesses/sec |
|---|---|---|---|---|
| dog | 26 | 3 | ~14 bits | Instant |
| Dog7 | 62 | 4 | ~24 bits | Instant |
| Dog7!xQp | 88 | 8 | ~52 bits | ~50 minutes |
| 12-char random (alpha+num) | 62 | 12 | ~71 bits | ~75 years |
| 16-char random (alpha+num) | 62 | 16 | ~95 bits | Millions of years |
| 20-char random (all types) | 88 | 20 | ~130 bits | Heat death of the universe |

The leap from 8 to 16 characters isn't double the security — it's $62^8$ (~218 trillion) times harder to crack.

Why "Complex but Short" Passwords Fail

Dictionary-based attacks don't guess character-by-character — they guess entire words and known substitution patterns. P@ssw0rd falls in seconds because every attacker's wordlist includes it. p4$$w0Rd! fails for the same reason. Randomness is what defeats brute force, not a capital letter and an exclamation mark at the end.

Passphrase vs. Random Password

A passphrase like correct-horse-battery-staple achieves reasonable entropy through length. A 16-character fully random password achieves ~95 bits — significantly stronger while taking up less space. For anything stored in a password manager, fully random wins every time. Passphrases are better only when you need to memorize the password.

Using This Tool Safely

All passwords generated here are created entirely in your browser using the Web Crypto API (window.crypto.getRandomValues) — no data is ever sent to a server. This is the same cryptographically secure random number generator (CSPRNG) used by security-sensitive applications and operating systems.

The generator also guarantees at least one character from each enabled character type is included, using a Fisher-Yates shuffle so the positions of those guaranteed characters are equally random.
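The approach described above, written out as an added JavaScript example (not this site's own code): one guaranteed character per enabled type, the rest drawn from the combined pool, then a Fisher-Yates shuffle, all driven by crypto.getRandomValues. The character sets, the function names and the rejection-sampling step that avoids modulo bias are assumptions made for the example.

```javascript
// Added example; set contents and function names are assumptions, not the site's code.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto; // browser or Node

const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.?/~|', // constructed: 26 symbols, 88 characters in total
};

// Uniform integer in [0, n) by rejection sampling. A bare `value % n` would favour
// small results because 2^32 is not a multiple of most n.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError('n out of range');
  const limit = 2 ** 32 - (2 ** 32 % n); // largest multiple of n that fits in 32 bits
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, enabled = Object.keys(SETS)) {
  const sets = enabled.map((name) => SETS[name]);
  if (sets.length === 0 || sets.includes(undefined)) throw new Error('unknown or empty set list');
  if (!Number.isInteger(length) || length < sets.length) {
    throw new RangeError('length must fit one character per enabled set');
  }
  const pool = sets.join('');
  const pick = (s) => s[randomBelow(s.length)];
  // One guaranteed character per enabled set, then fill from the combined pool.
  const chars = sets.map(pick);
  while (chars.length < length) chars.push(pick(pool));
  // Fisher-Yates shuffle: without it the guaranteed characters would always
  // occupy the first positions, in set order.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// Upper bound from the page's formula, L * log2(C).
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}
```

Because the guarantee rules out every password that lacks one of the enabled types, the real entropy is slightly below the $L \times \log_2(C)$ bound that entropyBits returns.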

Recommended workflow:

  1. Generate with at least 16 characters, all four character types enabled
  2. Copy immediately and paste into your password manager
  3. Never reuse — generate a fresh password for each account

Frequently Asked Questions

How long should my password be?
For passwords stored in a manager: 16-20 random characters give 95-130 bits of entropy, well beyond what any near-future hardware can crack. For passwords you must memorize, use a 4-6 word passphrase instead.

Is this password generator truly random?
Yes. This tool uses window.crypto.getRandomValues(), which draws from the OS-level cryptographically secure RNG. It is not predictable the way Math.random() is. No seed, no pattern, no repeatability.

Should I include symbols?
Symbols increase the charset from 62 to ~88 characters, adding roughly 0.5 bits of entropy per character. For most accounts, a longer alphanumeric password is equally strong and far easier to type on mobile keyboards. Enable symbols when a site requires them or when you want to maximize entropy for a critical account.

Why exclude ambiguous characters?
Characters like I, l, 1, O, and 0 are nearly indistinguishable in many fonts. If you ever need to read or type a password manually, excluding them eliminates transcription errors. At lengths of 12+, the effect on overall security is negligible.

Can I generate passwords in bulk?
Yes — the Bulk Generator above generates up to 50 passwords at once using the same settings. Useful for provisioning multiple accounts, creating API keys, or generating a shortlist to choose from.

What's the best way to store these passwords?
Use a password manager — Bitwarden, 1Password, or KeePassXC are widely recommended. They encrypt your entire vault behind one strong master password so you only need to remember one thing. Never store passwords in plaintext notes, spreadsheets, or browser autofill without a master password.
