๐Ÿ”‘

Password Generator

Random passwords, memorable passphrases & PINs โ€” true crypto randomness, entropy meter, crack-time estimates, 100% offline.

816 ยท recommended64

๐Ÿ”’ Every selected type is guaranteed to appear, and randomness comes from your device's crypto generator with bias-free sampling.

Very strong

103 bits of entropy

A modern GPU rig (10ยนโฐ guesses/sec) would need about billions of years to crack this.

Fresh passwords โ€” pick any

Select at least one character type.

Generated on your device only โ€” never sent, stored, or logged.

๐Ÿ” Golden rules: a different password for every account, a password manager to remember them, and two-factor authentication wherever it's offered.

๐Ÿ”Three kinds of strong, all generated correctly

Random passwordsbuilt from your device's cryptographic generator with bias-free sampling and a guarantee that every character type you tick actually appears. Passphrases โ€” four random words like Tiger-Lantern-Maple-42 โ€” that you can actually remember. PINs for devices and cards. Each comes with an honest entropy meter and crack-time estimate, five candidates at a time, and one-tap copy. Nothing ever leaves your device.

๐Ÿ“ŠEverything you'd want to know

  • True crypto randomness (rejection sampling โ€” no modulo bias, a flaw in many online generators).
  • Every ticked character class guaranteed present โ€” no more 16-character passwords missing a digit.
  • Look-alike exclusion (0/O, 1/l/I) for passwords you'll type by hand.
  • Passphrase mode with a 300-word list, choice of separator, capitalization, and number suffix.
  • Entropy in bits plus a crack-time estimate at realistic GPU attack speeds.
  • Five fresh candidates per generation, copy buttons, and zero network activity.

๐ŸงฎThe maths of password strength

entropy bits = length ร— logโ‚‚(alphabet size)
4 random words from 300 โ‰ˆ 33 bits + suffix โ€” comparable to 10 random characters

Strength is about the space an attacker must search. A 16-character password over all four classes is ~104 bits โ€” billions of years at 10ยนโฐ guesses per second. What kills passwords isn't weak randomness maths but reuse: one leaked site hands attackers your everything.

16 characters, all classes: ~104 bits โ†’ effectively uncrackable. An 8-character lowercase-only password: 37.6 bits โ†’ cracked in seconds. The meter shows exactly where yours lands.

๐Ÿ’กPassword hygiene that actually matters

  • One account, one password โ€” reuse is how real people get hacked, not brute force.
  • Use a password manager; your brain should remember one great passphrase (the manager's), not fifty.
  • Turn on two-factor authentication everywhere โ€” it saves you even when a password leaks.
  • Never 'personalise' a generated password with your name or birth year; you're shrinking the search space attackers try first.

๐Ÿ’ก Frequently Asked Questions

Is this password generator safe to use?+

Yes โ€” generation runs entirely in your browser using the Web Crypto API (crypto.getRandomValues), with rejection sampling for perfectly uniform picks. Nothing is transmitted, stored, or logged; you can even load the page, go offline, and generate.

How long should a password be in 2026?+

16 characters with mixed classes is the practical sweet spot (~104 bits โ€” uncrackable at any realistic speed). For anything you must memorise, a 4-word passphrase is stronger than a short 'complex' password and far easier to recall.

Are passphrases really secure?+

Four words chosen randomly from this tool's 300-word list give about 33 bits plus the number suffix โ€” and scaling to 6 words reaches ~50 bits. The security comes from random selection, not obscurity; picking your own 'random' words is much weaker.

What does the crack-time estimate assume?+

An offline attacker with modern GPU hardware guessing 10 billion passwords per second against a fast hash โ€” a tough, realistic scenario. Online attacks with rate limits are millions of times slower, so real-world time is even longer.

Why exclude look-alike characters?+

0/O and 1/l/I are indistinguishable in many fonts โ€” a nightmare when typing a Wi-Fi password from paper. The option removes them with a barely-measurable entropy cost.

Should I use the same strong password everywhere?+

Never โ€” when one site leaks (and sites leak constantly), attackers immediately try that password on email, banking, and social accounts. Unique passwords per site, stored in a password manager, is the entire game.

๐Ÿ”— Related Tools