Password Generator
Random passwords, memorable passphrases & PINs โ true crypto randomness, entropy meter, crack-time estimates, 100% offline.
๐ Every selected type is guaranteed to appear, and randomness comes from your device's crypto generator with bias-free sampling.
Very strong
103 bits of entropy
A modern GPU rig (10ยนโฐ guesses/sec) would need about billions of years to crack this.
Fresh passwords โ pick any
Select at least one character type.
Generated on your device only โ never sent, stored, or logged.
๐ Golden rules: a different password for every account, a password manager to remember them, and two-factor authentication wherever it's offered.
๐Three kinds of strong, all generated correctly
Random passwordsbuilt from your device's cryptographic generator with bias-free sampling and a guarantee that every character type you tick actually appears. Passphrases โ four random words like Tiger-Lantern-Maple-42 โ that you can actually remember. PINs for devices and cards. Each comes with an honest entropy meter and crack-time estimate, five candidates at a time, and one-tap copy. Nothing ever leaves your device.
๐Everything you'd want to know
- True crypto randomness (rejection sampling โ no modulo bias, a flaw in many online generators).
- Every ticked character class guaranteed present โ no more 16-character passwords missing a digit.
- Look-alike exclusion (0/O, 1/l/I) for passwords you'll type by hand.
- Passphrase mode with a 300-word list, choice of separator, capitalization, and number suffix.
- Entropy in bits plus a crack-time estimate at realistic GPU attack speeds.
- Five fresh candidates per generation, copy buttons, and zero network activity.
๐งฎThe maths of password strength
Strength is about the space an attacker must search. A 16-character password over all four classes is ~104 bits โ billions of years at 10ยนโฐ guesses per second. What kills passwords isn't weak randomness maths but reuse: one leaked site hands attackers your everything.
๐กPassword hygiene that actually matters
- One account, one password โ reuse is how real people get hacked, not brute force.
- Use a password manager; your brain should remember one great passphrase (the manager's), not fifty.
- Turn on two-factor authentication everywhere โ it saves you even when a password leaks.
- Never 'personalise' a generated password with your name or birth year; you're shrinking the search space attackers try first.
๐ก Frequently Asked Questions
Is this password generator safe to use?+
Yes โ generation runs entirely in your browser using the Web Crypto API (crypto.getRandomValues), with rejection sampling for perfectly uniform picks. Nothing is transmitted, stored, or logged; you can even load the page, go offline, and generate.
How long should a password be in 2026?+
16 characters with mixed classes is the practical sweet spot (~104 bits โ uncrackable at any realistic speed). For anything you must memorise, a 4-word passphrase is stronger than a short 'complex' password and far easier to recall.
Are passphrases really secure?+
Four words chosen randomly from this tool's 300-word list give about 33 bits plus the number suffix โ and scaling to 6 words reaches ~50 bits. The security comes from random selection, not obscurity; picking your own 'random' words is much weaker.
What does the crack-time estimate assume?+
An offline attacker with modern GPU hardware guessing 10 billion passwords per second against a fast hash โ a tough, realistic scenario. Online attacks with rate limits are millions of times slower, so real-world time is even longer.
Why exclude look-alike characters?+
0/O and 1/l/I are indistinguishable in many fonts โ a nightmare when typing a Wi-Fi password from paper. The option removes them with a barely-measurable entropy cost.
Should I use the same strong password everywhere?+
Never โ when one site leaks (and sites leak constantly), attackers immediately try that password on email, banking, and social accounts. Unique passwords per site, stored in a password manager, is the entire game.