Password Generator
Generate cryptographically secure random passwords using crypto.getRandomValues. Customize length, character sets, and quantity.
Options
Charset size: 62 chars · Entropy: 95 bits ✅ Good
FAQ
How are passwords generated?
Passwords are generated using crypto.getRandomValues(), the browser's cryptographically secure random number generator. This is the same API used by password managers.
Are my passwords stored or transmitted?
No. All generation happens locally in your browser. Passwords are never sent to any server.
What is entropy?
Entropy (measured in bits) quantifies unpredictability. A password with 128 bits of entropy would require 2¹²⁸ guesses to crack by brute force — effectively unbreakable with current hardware.
Frequently Asked Questions
How secure are the generated passwords?
Passwords are generated using the browser's crypto.getRandomValues() API — a cryptographically secure pseudorandom number generator (CSPRNG). They are never sent to any server.
What is password entropy?
Entropy measures password strength in bits: log2(charset_size ^ length). A value above 80 bits is strong; above 100 bits is very strong for most use cases.
How long should my password be?
For most accounts, 16+ characters with mixed case, numbers, and symbols provides excellent security. For high-value accounts (banking, email), use 20+ characters.
Why Most Passwords Are Insecure
The most common passwords in data breach databases are still 123456, password, and qwerty. Human-chosen passwords are predictable: we reuse patterns, substitute letters with numbers (p@ssw0rd), and base passwords on personal information that attackers can find on social media.
Modern GPUs can test billions of password guesses per second against a stolen hash file. A 6-character lowercase password has only 308 million combinations — crackable in under a second. A random 20-character password mixing all character classes has 10³⁸ combinations — cracking it would take longer than the age of the universe.
Password Strength by Length & Character Set
| Length | Lowercase only | + Uppercase & Digits | + Symbols (all) |
|---|---|---|---|
| 8 | 38 bits ❌ | 48 bits ⚠️ | 53 bits ⚠️ |
| 12 | 56 bits ⚠️ | 72 bits ✅ | 79 bits ✅ |
| 16 | 75 bits ✅ | 96 bits ✅ | 105 bits ✅ |
| 20 | 94 bits ✅ | 120 bits 🛡️ | 131 bits 🛡️ |
Entropy in bits = log₂(charset^length). ≥80 bits = strong; ≥100 bits = very strong.
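An added example, not this tool's own code: one way to draw characters uniformly from crypto.getRandomValues() output and to compute the entropy figures shown in the table above. The names generatePassword, entropyBits, lengthForBits and the injectable fill parameter are assumptions made for illustration.

```javascript
// Added example: uniform password generation with crypto.getRandomValues.
// Function and parameter names are illustrative, not taken from the tool.
const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = LOWER.toUpperCase();
const DIGITS = "0123456789";

// Default byte source: the Web Crypto CSPRNG (global in browsers and recent Node.js).
const cryptoFill = (buf) => globalThis.crypto.getRandomValues(buf);

// Entropy in bits = log2(charsetSize ^ length). This only holds when every
// character is chosen uniformly and independently, as generatePassword does.
function entropyBits(charsetSize, length) {
  return length * Math.log2(charsetSize);
}

// Shortest length that reaches a target entropy with a given charset size.
function lengthForBits(targetBits, charsetSize) {
  return Math.ceil(targetBits / Math.log2(charsetSize));
}

// Draw `length` characters uniformly from `charset`.
// A plain `byte % n` is biased whenever 256 is not a multiple of n, so bytes
// at or above the largest multiple of n (`limit`) are rejected and redrawn.
function generatePassword(length, charset, fill = cryptoFill) {
  const chars = [...charset];
  const n = chars.length;
  if (!Number.isInteger(length) || length < 1) throw new RangeError("length must be a positive integer");
  if (n < 2 || n > 256) throw new RangeError("charset must have 2 to 256 characters");
  if (new Set(chars).size !== n) throw new RangeError("duplicate characters skew the distribution");
  const limit = 256 - (256 % n); // 248 for a 62-character set
  const buf = new Uint8Array(Math.max(16, length * 2));
  const out = [];
  while (out.length < length) {
    fill(buf); // fresh random bytes for every pass
    for (const byte of buf) {
      if (byte >= limit) continue; // rejected: would over-represent low indexes
      out.push(chars[byte % n]);
      if (out.length === length) break;
    }
  }
  return out.join("");
}
```

With the 62-character set LOWER + UPPER + DIGITS and a length of 16, entropyBits returns about 95.3, which matches the "95 bits" shown in the tool's Options panel.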
Password Security Best Practices
- Use a password manager (Bitwarden, 1Password, KeePass) to store unique random passwords for every site — you only need to remember one master password.
- Never reuse passwords — if one site is breached, attackers try the same credentials everywhere (credential stuffing).
- Enable two-factor authentication (2FA) — even a strong password can be phished; a TOTP code or hardware key adds a second layer.
- Use at least 16 characters for new accounts; 20+ for email, banking, and password manager master passwords.
- Never store passwords in plaintext — databases must store only salted hashes using bcrypt, scrypt, or Argon2.