Password generator

Generate secure passwords with configurable length and character sets. Uses cryptographic randomness — nothing is stored or transmitted.

What makes a strong password?

Length is the single most important factor. Modern NIST guidelines (SP 800-63B) recommend a minimum of 8 characters for user-chosen passwords, but for randomly generated passwords, 16 characters or more is ideal. Each additional character multiplies the number of possible combinations by the size of the character set, so the total grows exponentially with length.

Complexity rules — requiring uppercase, lowercase, digits, and symbols — are less effective than simply increasing length. A 20-character lowercase-only password has more entropy than a 10-character password using all character types. That said, mixing character sets is still beneficial when length is constrained.

The passphrase approach is increasingly recommended: four to six randomly selected dictionary words (e.g. "correct-horse-battery-staple") produce a password that's both highly entropic and memorable. NIST now explicitly encourages passphrases and discourages forced complexity rules and mandatory password rotation, both of which tend to produce weaker passwords in practice because users resort to predictable patterns.

Whatever method you use, the golden rule is: never reuse passwords across accounts. A password manager makes this practical.

Password entropy explained

Entropy measures the randomness in a password, expressed in bits. The formula is E = L × log₂(C), where L is the password length and C is the size of the character set. A 16-character password drawn from 95 printable ASCII characters has about 16 × 6.57 ≈ 105 bits of entropy.

Security researchers generally recommend 80+ bits of entropy for important accounts and 128+ bits for cryptographic keys. At 80 bits, there are over 10²⁴ possible passwords — enough to resist brute-force attacks for decades even with purpose-built hardware. This tool calculates entropy automatically and shows the result as a strength bar: weak (<40 bits), fair (40–60), strong (60–80), and very strong (80+).
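The formula and strength bands above, as an added JavaScript example (not this tool's own code): it draws characters with Web Crypto's `crypto.getRandomValues` and uses rejection sampling so that every character is equally likely, which is the condition under which E = L × log₂(C) holds. The function names and the inclusive lower bounds of the bands are assumptions.

```javascript
// Added example, not the tool's own code. Web Crypto is global in browsers
// and Node 19+; the require() fallback is only reached on older Node (CommonJS).
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// The 95 printable ASCII characters (space through ~) used in the page's example.
const PRINTABLE_ASCII = Array.from({ length: 95 }, (_, i) =>
  String.fromCharCode(0x20 + i)).join("");
const LOWERCASE = "abcdefghijklmnopqrstuvwxyz";

// Uniform integer in [0, n) for n <= 256. A plain `byte % n` is biased when
// 256 is not a multiple of n (256 % 95 = 66), so bytes >= limit are discarded.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, alphabet = PRINTABLE_ASCII) {
  const chars = [...new Set(alphabet)]; // duplicates would skew the distribution
  let out = "";
  for (let i = 0; i < length; i++) out += chars[randomIndex(chars.length)];
  return out;
}

// E = L × log2(C), valid only when every character is drawn independently
// and uniformly, as generatePassword does.
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

// Strength bands from the page; treating each lower bound as inclusive is an assumption.
function strengthLabel(bits) {
  if (bits < 40) return "weak";
  if (bits < 60) return "fair";
  if (bits < 80) return "strong";
  return "very strong";
}

const bits = entropyBits(16, PRINTABLE_ASCII.length);
console.log(generatePassword(16).length, Math.round(bits), strengthLabel(bits));
```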

Frequently asked questions

Should I use a password manager?

Yes — a password manager is the single best thing you can do for your online security. It lets you use a unique, strong password for every account without having to remember them. Popular options include 1Password, Bitwarden (open source), and KeePass (offline). Use a long, memorable passphrase as your master password, and enable two-factor authentication on the manager itself.

How long would it take to brute-force my password?

It depends on the password's entropy (randomness). A 12-character password using uppercase, lowercase, digits, and symbols has about 79 bits of entropy — roughly 6 × 10²³ possible combinations. At 100 billion guesses per second (a realistic rate for offline hash cracking with GPUs), that would take about 190,000 years. At 16 characters with the same character set, it jumps to about 105 bits of entropy and would take longer than the age of the universe. Length is the single most effective defence.

Are passphrases better than random strings?

For passwords you need to memorise (like a master password), passphrases are better because they offer high entropy while remaining memorable. Four to six random words like "correct-horse-battery-staple" give you 50–80 bits of entropy and are far easier to type and recall than x7@Qm!9zB. For passwords stored in a password manager, random strings are fine — you'll never type them manually, so maximum entropy per character is what matters.