Generators

Password Generator

Generate strong random passwords or memorable passphrases. See entropy bits and estimated crack time — everything runs locally in your browser.

What is a password generator?

A password generator is a tool that builds a random credential for you, drawing from a pool of characters (for passwords) or common English words (for passphrases). The value of using one instead of making up a password yourself is simple: humans pick predictable patterns, machines don't. This generator uses your browser's Web Crypto API — the same cryptographically secure randomness source used by banking and authentication code — rather than the weak 'Math.random()' fallback some online generators use. You control the length and character classes for passwords, or the word count and separator for passphrases; the tool shows the exact entropy in bits and an estimated time to crack. Credentials are created on your device and never sent anywhere.

How to use the password generator

1
Choose password or passphrase
Use the tab at the top to pick a character-based password (harder to memorise, shortest) or a word-based passphrase (easier to type on phones, easier to remember if you ever need to).
2
Set the length or word count
For passwords, 16 is a good all-purpose length, 20+ for important accounts. For passphrases, 5 words is a reasonable floor, 6–8 is strong. The entropy reading below updates as you change the settings.
3
Pick your character classes or separator
Password mode: turn on uppercase, lowercase, numbers, and symbols as the target site allows — the generator guarantees at least one character from every class you enable. Passphrase mode: pick the separator (dash, dot, underscore, space) and whether to capitalize each word and append a random number.
4
(Optional) Exclude ambiguous characters
In password mode, this turns off the characters that look alike in many fonts (capital I, lowercase l, digit 1, capital O, digit 0). Useful if you'll ever need to type the password from a printed or screenshotted copy.
5
Check the strength and copy
The strength bar, entropy in bits, and estimated crack time tell you whether the credential is in the 'fair / strong / very strong' zone. Tap the copy icon to send it to your clipboard, then paste it straight into a password manager — don't rely on memorising it.

How strength and crack time are scored

password entropy    = length × log₂(charset_size)
passphrase entropy  = words  × log₂(wordlist_size)
 
charset sizes for each class:
  uppercase (A–Z)      = 26
  lowercase (a–z)      = 26
  digits    (0–9)      = 10
  symbols   (25 shown) = 25
  passphrase wordlist  = 544   (≈ 9.09 bits/word)
 
strength bands (bits of entropy):
  <40    Very weak      80–100  Strong
  40–60  Weak           ≥100    Very strong
  60–80  Fair
 
crack time (guesses needed):
  seconds = 2^(bits−1) ÷ 10,000,000,000

Entropy is measured in bits — each bit doubles the number of possible credentials an attacker must try. A 12-character alphanumeric-lowercase password has log₂(36¹²) ≈ 62 bits, which is 'fair'; a 16-character password with all four classes hits about 105 bits, which is beyond any practical brute-force attack. Passphrases trade per-unit density for memorability: a 6-word passphrase from this tool's 544-word list is about 54 bits, comparable to a random 9-character alphanumeric password. The crack-time estimate assumes an offline attack by a modern GPU rig making 10 billion guesses per second — a conservative upper bound for a determined attacker who has stolen a password hash.

Reference: NIST SP 800-63B — Password guidelines

Examples

Settings	Entropy & notes
Password · length 8 · lowercase only	~38 bits — Very weak Crackable offline in hours with commodity hardware. Don't use this profile.
Password · length 12 · upper + lower + digits	~71 bits — Fair Acceptable for low-risk accounts with rate-limited login. Prefer 16+ for anything you care about.
Password · length 20 · all four classes	~131 bits — Very strong Well beyond any realistic offline-crack threat. Use this profile for password-manager master passwords and high-value credentials.
Passphrase · 6 words + random number	~61 bits — Fair Easier to type on a phone and to transcribe in a pinch. Comparable to a 10-character alphanumeric password.
Passphrase · 8 words · capitalized + number	~79 bits — Strong Memorable XKCD-style passphrase suitable for vault master passwords. Roughly 500,000× stronger than the 6-word version.

Common use cases

Creating a unique password for each new account you sign up for
Rotating the password on an old account that has been in a data breach
Seeding a password manager with strong random passwords
Generating short-lived API tokens or one-off shared secrets
Producing a strong master password for your vault
Making PINs or short access codes when a site limits allowed characters

Related tools

Lorem Ipsum

Generate classic placeholder text in paragraphs, sentences, or words with HTML wrapping.

QR Code Generator

Turn any URL or text into a downloadable QR code with custom colors and error correction.

UUID Generator

Generate cryptographically random UUIDs (v4) or time-based UUIDs (v7) by the dozen.

Age Calculator

Calculate your exact age in years, months, and days from any date of birth.

Frequently asked questions

How long should my password be?

For everyday accounts, 16 characters with at least three character classes is a solid baseline. For high-value accounts (primary email, password manager master password, crypto wallet), use 20 or more. For anything storing real money or sensitive data, 24+ is reasonable and costs you nothing when you're storing it in a password manager anyway.

Are the passwords this tool generates really random?

Yes. The generator uses the browser's Web Crypto API (crypto.getRandomValues), which is a cryptographically secure pseudo-random number generator seeded from the operating system's entropy pool — the same source web browsers use for cryptographic keys. It is not 'Math.random', which is deterministic and predictable.

Is my password saved or sent anywhere?

No. The password is generated entirely on your device, lives only in the page's memory and your clipboard, and never touches a server. Close the tab and it's gone — copy it into a password manager before you do.

Should I include symbols?

Include symbols where the site accepts them — each symbol class adds entropy per character. Some legacy sites reject symbols or restrict to a subset; in that case increase the length to compensate (adding 2–3 characters of length roughly makes up for dropping symbols).

What does 'exclude ambiguous characters' do?

It removes the characters that look alike in common fonts — capital I, lowercase l, digit 1, capital O, and digit 0 — from the pool. That makes passwords easier to transcribe by hand or read from a screenshot, at a tiny cost to entropy (effective charset shrinks slightly). Leave it off if your password will only ever be pasted.

Is it safe to use an online password generator?

Only if the password is generated client-side, as this one is. A server-side generator could log or store the passwords it returns. View the page source to confirm — the generator here runs in a single client-side React component using crypto.getRandomValues; there is no network call involved in producing a password.

How often should I change my passwords?

Current NIST guidance says you should not rotate passwords on a schedule — rotation just leads to weaker passwords and reuse. Instead, change a password only when there's a reason: you suspect it's been exposed, you're notified of a breach on the site, or you're upgrading from a weak password to a generated one. Use a password manager so you can afford to make every one unique.

When should I use a passphrase instead of a password?

Use a passphrase when you might have to type the credential by hand — for example, a password-manager master password, a disk-encryption phrase, or a device login you use frequently. Word-based phrases are far easier to remember and to type on a phone. Stick with a character password for anything you'll only ever paste from the manager, because characters pack more entropy per keystroke.

How is the crack-time estimate calculated?

The tool assumes an offline attack at 10 billion guesses per second, roughly what a single modern GPU rig can do against a fast hash like MD5 or SHA-1. Well-configured hashing (bcrypt, Argon2, scrypt) is thousands to millions of times slower, so real-world cracking is usually much harder than the estimate. Online attacks — where the attacker has to send each guess to a login server — are also far slower. The estimate is a conservative upper bound on attacker capability.

Does the generator guarantee every character class I enable?

Yes. When you enable uppercase, lowercase, numbers, and symbols, the generator places at least one character from each enabled class and then fills the remaining length from the combined pool. This avoids the 'random 16-character password with zero numbers' edge case that sometimes fails strict site password rules.

Last updated 2026-04-20

What is a password generator?

How to use the password generator

Choose password or passphrase

Use the tab at the top to pick a character-based password (harder to memorise, shortest) or a word-based passphrase (easier to type on phones, easier to remember if you ever need to).

Set the length or word count

For passwords, 16 is a good all-purpose length, 20+ for important accounts. For passphrases, 5 words is a reasonable floor, 6–8 is strong. The entropy reading below updates as you change the settings.

Pick your character classes or separator

Password mode: turn on uppercase, lowercase, numbers, and symbols as the target site allows — the generator guarantees at least one character from every class you enable. Passphrase mode: pick the separator (dash, dot, underscore, space) and whether to capitalize each word and append a random number.

(Optional) Exclude ambiguous characters

In password mode, this turns off the characters that look alike in many fonts (capital I, lowercase l, digit 1, capital O, digit 0). Useful if you'll ever need to type the password from a printed or screenshotted copy.

Check the strength and copy

The strength bar, entropy in bits, and estimated crack time tell you whether the credential is in the 'fair / strong / very strong' zone. Tap the copy icon to send it to your clipboard, then paste it straight into a password manager — don't rely on memorising it.