
Password Generator

Generate cryptographically secure random passwords with custom length and character sets. Entropy scoring shows real strength. Nothing leaves your browser.

TL;DR. Set your desired length (16+ recommended), tick the character sets you want, and click Regenerate until you see Very Strong. The entropy bar reflects real math: length × log2(charset_size). The generator uses crypto.getRandomValues — the same cryptographically secure source your browser uses for TLS. Store the result in a password manager (Bitwarden or 1Password) and never reuse it across accounts.


Understanding password entropy

Entropy is the right way to measure password strength, not arbitrary rules like "must contain one uppercase and one special character." A password is strong when it is unpredictable, and entropy quantifies exactly how unpredictable it is in bits. More bits means more possible combinations an attacker must try.

The formula is simple: multiply the password length by the log base 2 of the character set size. A 16-character password drawn from 94 possible characters (upper, lower, digits, common symbols) has 16 × log2(94) ≈ 105 bits of entropy. To brute-force it, an attacker would need to try on average 2^104 combinations, roughly 20 septillion attempts. Even at a billion guesses per second, that would take longer than the age of the universe.

Entropy per character by charset

| Character set | Pool size | Bits per char | Length for 100 bits |
| --- | --- | --- | --- |
| Lowercase only (a-z) | 26 | 4.70 | 22 chars |
| Upper + Lower (A-Za-z) | 52 | 5.70 | 18 chars |
| Upper + Lower + Digits | 62 | 5.95 | 17 chars |
| Full set + Symbols (94) | 94 | 6.55 | 16 chars |
| EFF diceware word (5 words) | 7776 per word | 12.9 per word | 8 words |
| Hex digit (0-9a-f) | 16 | 4.00 | Tokens, not passwords |
| Base58 (no 0OIl) | 58 | 5.86 | Bitcoin, friendly display |
| Base64 URL-safe | 64 | 6.00 | API tokens, JWTs |

Strength thresholds used by this tool

| Label | Entropy | Typical example | Practical risk |
| --- | --- | --- | --- |
| Weak | < 40 | 8 lowercase chars | Crackable in seconds |
| Medium | 40-60 | 10 chars, digits only | Crackable in hours to days |
| Strong | 60-80 | 12 chars, mixed case + digits | Crackable with significant resources |
| Very Strong | 80+ | 16 chars, full symbol set | Practically uncrackable with current hardware |
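The entropy formula and the two tables above (and the FAQ answer on how entropy is calculated) can be checked with a few lines of JavaScript. The block below is an added example, not the tool's own source; it assumes the page's pool sizes (26 lower, 26 upper, 10 digits, 32 symbols for the 94-character full set) and the label thresholds from the strength table, and the function names are my own.

```javascript
// Added example, not the tool's own source: the entropy formula from the
// text (length × log2(pool size)) plus the label thresholds from the
// table above. Pool sizes follow the page: 26 lower, 26 upper, 10 digits,
// 32 printable ASCII symbols (26+26+10+32 = 94).
const POOLS = { lower: 26, upper: 26, digits: 10, symbols: 32 };

// Size of the alphabet for a given set of checkbox-style options.
function charsetSize(opts) {
  return Object.entries(POOLS)
    .filter(([name]) => opts[name])
    .reduce((sum, [, n]) => sum + n, 0);
}

// Entropy in bits for `length` symbols drawn independently and uniformly
// from a pool of `poolSize`. This is only meaningful for generator output:
// a hand-made string such as "aaaaaaaa" is not a uniform draw, so the
// formula says nothing about it.
function entropyBits(length, poolSize) {
  if (length <= 0 || poolSize <= 1) return 0;
  return length * Math.log2(poolSize);
}

// Strength label per the thresholds table on this page.
function strengthLabel(bits) {
  if (bits < 40) return 'Weak';
  if (bits < 60) return 'Medium';
  if (bits < 80) return 'Strong';
  return 'Very Strong';
}

// Smallest length that reaches `targetBits` with the given pool
// (this reproduces the "Length for 100 bits" column).
function lengthForBits(targetBits, poolSize) {
  return Math.ceil(targetBits / Math.log2(poolSize));
}

// Convenience wrapper mirroring what the tool's UI displays.
function scorePassword(length, opts) {
  const pool = charsetSize(opts);
  const bits = entropyBits(length, pool);
  return { pool, bits: Math.round(bits * 10) / 10, label: strengthLabel(bits) };
}

// Usage: the tool's default of 16 characters from all four classes.
console.log(scorePassword(16, { lower: true, upper: true, digits: true, symbols: true }));
// → { pool: 94, bits: 104.9, label: 'Very Strong' }
```

The same `entropyBits` function covers diceware: `entropyBits(5, 7776)` is about 65 bits, the figure the passphrase FAQ gives for five words.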

Common password mistakes and how to avoid them

  • Long but predictable patterns: "aaaaaaaaaaaaaaaaaaaaaa" is 22 lowercase characters but has zero entropy because it is not random. Length only helps when the characters are independently and uniformly random. Always use a generator, never compose passwords yourself.
  • Substituting letters with numbers: "P@ssw0rd" is in every major password list (rockyou, HIBP). Crackers use rule-based attacks that try these substitutions first. A list-based password with predictable substitutions provides almost no real security regardless of its apparent complexity score.
  • Reusing passwords across sites: When a site is breached and its password database is dumped, attackers try those credentials against Gmail, banking sites, and social media within hours (credential stuffing). Use a unique password for every account. A password manager makes this practical.
  • Ignoring breach notifications: Sign up for Have I Been Pwned (haveibeenpwned.com) to get alerts when your email appears in a new breach. Change the affected password immediately. Most breaches stay secret for months before becoming public.
  • Forcing password rotation on a schedule: NIST 800-63B (the current federal US standard) explicitly says do not force periodic password changes unless there is evidence of compromise. Mandatory rotation leads to weak incremental passwords. Change only when there is a reason.

Frequently asked questions

How long does a password need to be to be secure?
Security is measured in entropy bits, not just length. A 20-character lowercase-only password has only 94 bits of entropy (20 × 4.7 bits per character), decent but not great. A 16-character password using the full 94-character set (upper, lower, digits, symbols) has about 105 bits, considered very strong. For most web accounts, 80 bits minimum is the practical floor. For long-lived credentials like SSH keys, encryption passphrases, or master passwords, aim for 128 bits or more. The default 16 characters with all character types in this generator produces roughly 105 bits.
What is password entropy and how is it calculated?
Entropy measures how unpredictable a password is, in bits. The formula is: entropy = length × log2(charset_size). With lowercase only (26 chars), each character contributes 4.7 bits. Add uppercase (52 chars total) and you get 5.7 bits per char. Add digits (62 chars) for 5.95 bits, and full symbols (94 chars) for 6.55 bits per char. To reach 100 bits of entropy you need 22 lowercase-only chars, 18 chars with upper+lower+digits, or just 16 chars with the full symbol set. This tool displays a strength label based on these entropy thresholds.
Should I use a passphrase instead of a random password?
It depends on the use case. An EFF diceware passphrase of 5 random words gives about 65 bits of entropy and is significantly easier to memorize and type. Six words gives 78 bits, seven words gives 90 bits. For a master password you type regularly, a 6-7 word passphrase is often a better experience than a 20-character random string. For passwords stored in a password manager that you never type by hand, a 16-20 character fully random password from this generator is ideal because a manager handles the memorization for you.
Does NIST still recommend rotating passwords regularly?
No. NIST Special Publication 800-63B (2017, updated 2024) explicitly states that password rotation should not be required unless there is evidence of compromise. Forced rotation leads users to make predictable incremental changes (Password1 to Password2) which actually weakens security. The current NIST guidance is: use a long, unique, randomly generated password for each account, store it in a password manager, and change it only if you have reason to believe it was exposed in a breach. Services like Have I Been Pwned (HIBP) can alert you when your email appears in a data breach.
What password manager should I use to store generated passwords?
Bitwarden is the top open-source option: it is free for personal use, audited, and self-hostable. 1Password is the leading commercial option with strong family and team features. Both support browser extensions that auto-fill passwords and can generate strong passwords themselves. KeePassXC is a good offline-only option if you prefer not to use a cloud service. The key requirement is that it uses strong encryption (AES-256 or equivalent) and requires a strong master password. Whatever you choose, enable two-factor authentication on the vault itself.
Is the password generated in my browser or sent to a server?
Entirely in your browser. This tool uses the Web Crypto API (crypto.getRandomValues) which is a cryptographically secure random number generator built into every modern browser. No password, no input, nothing leaves your machine. There is no server, no logging, and no account required. You can disconnect from the internet and the tool still works once the page is loaded.
