Security · Privacy · Crypto
Password
Generator
Generate cryptographically secure passwords using your browser's built-in random number generator. Check strength, create passphrases, or test your own passwords.
16
Length
—
Entropy (bits)
—
Strength
Password Settings
Password Length
16
128
Character Sets
Uppercase
A–Z
Lowercase
a–z
Numbers
0–9
Symbols
!@#$%^&*
Options
Generate
at once
Passphrase Generator
Passphrases use random words — easier to remember, often stronger than short random passwords.
Words
Separator
Capitalize
Click Generate to create a passphrase.
Check Password Strength
Enter a password to analyze its strength. Nothing is sent to any server — all calculations happen in your browser.
Generated Password
Click Generate →
Strength
—
—
Length
—
Entropy
—
Char Pool
—
Crack Time
—
How to Create a Strong Password
A strong password is long, random, and uses a variety of character types. This generator uses the crypto.getRandomValues() API — the same cryptographic randomness used in security-critical applications — ensuring no predictable patterns.
Password Strength Guidelines
Minimum recommended length: 12 characters
Ideal length: 16–24 characters
Character sets: uppercase + lowercase + numbers + symbols
Entropy formula: E = L × log₂(N)
where L = length, N = character pool size
Crack time estimates (at 10 billion guesses/sec):
40 bits → seconds
50 bits → hours
60 bits → years
80 bits → centuries
100+ bits → practically uncrackable
What makes a password truly random?
True randomness in password generation comes from cryptographically secure random number generators (CSPRNGs). This tool uses window.crypto.getRandomValues(), which is seeded by the operating system's entropy pool (hardware events, timing jitter, etc.) — the same randomness used for TLS certificates and key generation. This is fundamentally different from Math.random(), which is a deterministic pseudorandom generator that could theoretically be predicted.
Are passphrases more secure than random passwords?
A 4-word passphrase from a 7,776-word list (Diceware) has about 51 bits of entropy. A random 12-character password with all character types has about 79 bits — more entropy, but much harder to remember. For passwords you type regularly (like a computer login), passphrases are often a better trade-off: high enough security and actually memorable. For passwords stored in a password manager, use long random strings since you never type them.
What is password entropy?
Password entropy measures how unpredictable a password is. Formula: E = log₂(N^L) = L × log₂(N), where L is password length and N is the size of the character pool. A 16-char password using all 4 character types (94 chars pool): E = 16 × log₂(94) ≈ 104 bits. Each additional bit of entropy doubles the number of guesses needed. 40 bits requires ~1 trillion guesses; 80 bits requires ~1.2 × 10²⁴ guesses.
Should I store passwords in a browser?
Browser-saved passwords are convenient but have risks: anyone with access to your device can see them, and browser data can sometimes be stolen by malware. Dedicated password managers (like Bitwarden, 1Password, or KeePass) provide better security: end-to-end encryption, cross-device sync, breach monitoring, and zero-knowledge architecture where even the provider can't see your passwords. At minimum, ensure your browser's password storage is protected by a strong master password.