
Password Generator

Generate secure cryptographically random passwords up to 128 characters. Choose uppercase, lowercase, numbers, symbols. Shows entropy bits and strength rating.

About the Password Generator

A password generator creates cryptographically random passwords using your browser's built-in secure random number generator (window.crypto.getRandomValues), so each password stays unpredictable even to someone who knows exactly how the generator works. Unlike non-cryptographic pseudo-random generators such as Math.random, cryptographic randomness provides a security guarantee: an attacker who knows the algorithm and all previous outputs cannot predict the next output. Passwords can be customised by length (up to 128 characters), by character set (uppercase A-Z, lowercase a-z, digits 0-9, symbols), and optionally by excluding visually ambiguous characters (0/O, 1/l/I). The tool also shows the entropy in bits, a measure of password strength. NIST SP 800-63B recommends at least 112 bits of entropy for sensitive accounts; a 16-character password using all character types provides approximately 105 bits. Password security is critical in the USA, UK, and globally: data breach statistics show weak and reused passwords as the leading cause of account compromise.

Formula

Entropy (bits) = length × log₂(charset_size)

Charset: a-z (26), A-Z (26), 0-9 (10), symbols (32)

Crack time ≈ 2^entropy / (2 × guesses_per_second)

How It Works

Random character selection: fill an array with n characters selected uniformly at random from the allowed character set. Entropy = log₂(charset_size^length) = length × log₂(charset_size).

Character set sizes:

  • lowercase only (26): 4.7 bits/char
  • lowercase + uppercase (52): 5.7 bits/char
  • + digits (62): 5.95 bits/char
  • + symbols (94): 6.55 bits/char

Examples:

  • 12-char, all types (94): 12 × log₂(94) = 12 × 6.555 = 78.7 bits, acceptable for most uses
  • 16-char, all types: 104.9 bits, strong
  • 20-char, all types: 131.1 bits, excellent

For comparison: a dictionary word has ~10-15 bits; a 4-digit PIN has log₂(10000) = 13.3 bits; a 6-letter lowercase word has 6 × 4.7 = 28.2 bits. All are easily brute-forced. Modern GPU clusters can attempt billions to trillions of guesses per second against hashed passwords.
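One way to implement the uniform selection and entropy figure described above, as an added example that is not this site's own code. The names buildCharset, randomIndex, generatePassword and entropyBits are illustrative, and the rejection-sampling step is an assumption about how to keep the draw uniform: reducing a random 32-bit value with a plain modulo would slightly favour the first characters of the set.

```javascript
// Added example: names below are illustrative, not the site's code.
// Browsers expose window.crypto; Node exposes the same Web Crypto object.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const range = (a, b) =>
  Array.from({ length: b - a + 1 }, (_, i) => String.fromCharCode(a + i)).join("");

const SETS = {
  lower: range(97, 122),  // a-z (26)
  upper: range(65, 90),   // A-Z (26)
  digits: range(48, 57),  // 0-9 (10)
  // The 32 printable ASCII symbols, space excluded.
  symbols: range(33, 47) + range(58, 64) + range(91, 96) + range(123, 126),
};
const AMBIGUOUS = new Set("0O1lI"); // the look-alike characters named on this page

function buildCharset({ lower, upper, digits, symbols, excludeAmbiguous } = {}) {
  let chars = "";
  for (const [name, on] of Object.entries({ lower, upper, digits, symbols })) {
    if (on) chars += SETS[name];
  }
  if (excludeAmbiguous) chars = [...chars].filter((c) => !AMBIGUOUS.has(c)).join("");
  if (chars.length === 0) throw new Error("select at least one character set");
  return chars;
}

// Uniform integer in [0, n): discard draws from the incomplete top bucket
// so that `% n` does not over-represent low indices (modulo bias).
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, options) {
  if (!Number.isInteger(length) || length < 1 || length > 128) {
    throw new RangeError("length must be an integer from 1 to 128");
  }
  const charset = buildCharset(options);
  return Array.from({ length }, () => charset[randomIndex(charset.length)]).join("");
}

// Entropy in bits of a uniformly random password: length × log2(charset size).
const entropyBits = (length, charsetSize) => length * Math.log2(charsetSize);
```

The entropy formula holds only because every character is drawn independently and uniformly; excluding the ambiguous characters shrinks the set from 94 to 89 and lowers the bits per character accordingly.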

Tips & Best Practices

  • Use a different password for every account. Password reuse is the most common way that breached credentials from one site enable attackers to compromise other accounts — a technique called credential stuffing. A password manager makes this practical.
  • Length matters more than complexity. A 20-character lowercase password (94 bits entropy) is stronger than a 10-character mixed-case, symbol, and digit password (66 bits). The NIST 2017 guidelines dropped mandatory complexity rules in favour of emphasising length and blocking known compromised passwords.
  • For passwords you need to memorise (like a password manager master password), consider a passphrase — 4-6 random common words separated by spaces or symbols. "correct-horse-battery-staple" has ~52 bits entropy (from ~2000 common words: log₂(2000^4) = 43.9 bits) and is far more memorable than an equivalent random character string.
  • The "Have I Been Pwned" service (haveibeenpwned.com) lets you check if your email or a password has appeared in known data breaches. Many password managers integrate this check automatically. A previously breached password should never be reused.

Who Uses This Calculator

Individuals creating new accounts and needing strong, unique passwords without manual effort. IT administrators generating initial credentials for employee accounts and system access. Developers creating random secrets, API keys, session tokens, and test credentials. Security-conscious users auditing and replacing weak or reused passwords across their accounts.

Calculations run in your browser · No data stored

Frequently Asked Questions

How secure is a randomly generated password?

Security is measured in entropy bits: log₂(charset_size^length). A 16-character password using uppercase, lowercase, digits, and symbols (94 characters) has log₂(94^16) ≈ 105 bits of entropy, essentially unbreakable by brute force even with the most powerful computers. NIST recommends at least 80 bits for sensitive accounts.

What makes a password strong?

Length is the most important factor, followed by character set diversity. A 20-character password with only lowercase letters has more entropy than a 10-character password using all character types. Avoid dictionary words, names, dates, and patterns like "Password123!" which are trivially cracked by dictionary attacks.

Should I use a password manager?

Yes. Using a password manager lets you generate and store a unique, long, random password for every site without needing to remember them. The master password should be a long passphrase (4+ random words). Popular options include Bitwarden (open source, free), 1Password, and KeePass.