Skip to content
badges

Secure Password Generator

Generate strong, random passwords with custom length and character sets. Runs in your browser — nothing is ever sent to a server.

By Alex van den Berg · Last reviewed · How we test our tools

Password strength

4128

Include characters

10 Generated Passwords

Click any password to copy it

✓ Good password habits

  • Use a different password for every account
  • Use a password manager (Bitwarden, 1Password)
  • Enable two-factor authentication wherever possible
  • Aim for 16+ characters for important accounts
  • Check if your passwords appear in data breaches at haveibeenpwned.com

✗ Common mistakes to avoid

  • Using the same password on multiple sites
  • Password substitutions like p@ssw0rd (hackers know these)
  • Passwords based on personal info (birthdate, pet's name)
  • Short passwords — anything under 12 chars is at risk
  • Storing passwords in plain text or browser notes

How strong is your password? (Entropy explained)

Password strength is measured in bits of entropy — the logarithm of how many possible passwords there are. Every extra bit doubles the number of guesses required to brute-force the password.

Entropy Assessment Example
< 28 bitsVery weakabc123
28–35 bitsWeakSummer2025
36–59 bitsReasonableTr0ub4dor&3
60–127 bitsStrong16+ random chars
128+ bitsVery strong24+ random chars

Random password or passphrase? The maths

There are two sound ways to build a strong credential, and the right one depends on whether you will ever have to type it from memory:

  • Random characters (what this tool generates): each character drawn from a 94-symbol set adds log₂(94) ≈ 6.55 bits of entropy. A 16-character password is ≈ 105 bits — far beyond any realistic brute-force attack.
  • Random-word passphrases (Diceware style): each word drawn from the EFF long wordlist of 7,776 words adds log₂(7776) ≈ 12.9 bits. Five words ("maple-vivid-crater-onion-jukebox") is ≈ 64 bits — strong enough for a master password, and dramatically easier to memorise and type on a phone keyboard.

The rule of thumb: passwords you store in a manager should be random characters; the one password you must remember (the manager's master password) should be a 5–6 word passphrase. The words must come from a random source like dice or a generator — words you pick yourself ("correct horse" chosen by a human) cluster around common vocabulary and are much weaker than the maths suggests.

How attackers actually crack passwords

Understanding the two attack modes explains why the advice above works:

  • Online guessing — trying passwords against the login form. Any competent site throttles this to a handful of attempts, so even weak passwords survive. This is why attackers rarely bother.
  • Offline cracking — the dangerous one. After a data breach leaks a site's password hashes, attackers test guesses on their own hardware at billions of attempts per second. They don't guess randomly: they run leaked-password lists, dictionary words with common substitutions (p@ssw0rd), keyboard walks (qwerty123), and dates first. Human-invented passwords fall in seconds because they live in exactly those lists.

A truly random 16-character password isn't in any list and sits in a search space of 94¹⁶ ≈ 3.7 × 10³¹ possibilities — at a trillion guesses per second, exhausting it would take over a billion times the age of the universe. That is the entire case for generators: randomness defeats the wordlists that crack everything else.

The other half of the defence is uniqueness. Most account takeovers today are "credential stuffing" — replaying a password leaked from one site against hundreds of others. A password that is both random and unique makes both attacks irrelevant.

What official guidance says (NIST SP 800-63B)

The US National Institute of Standards and Technology publishes the digital-identity guidelines most security teams follow. Several of its recommendations surprise people because they reverse older corporate policy:

  • No forced periodic changes. Rotating passwords every 90 days encourages predictable patterns (Password1 → Password2). Change a password only when there is evidence of compromise.
  • Length beats composition rules. NIST recommends supporting long passwords and discourages mandatory symbol/number rules, which push users toward formulaic choices.
  • Check against breach lists. New passwords should be screened against known-compromised lists — you can check your existing ones at haveibeenpwned.com.
  • Allow paste. Blocking paste in password fields breaks password managers and makes security worse, not better.

Frequently Asked Questions

Is it safe to use an online password generator?

This generator runs entirely in your browser using the Web Crypto API (crypto.getRandomValues()). No passwords are ever transmitted to our server or logged anywhere. You can verify this by using your browser's developer tools to check network requests — you'll see none after the page loads.

What length should I use?

For most accounts, 16 characters mixing uppercase, lowercase, numbers, and symbols is excellent. For high-value accounts (banking, email, password manager master password), use 20–24 characters. For low-stakes accounts, 12 characters is acceptable.

Should I include symbols in my password?

Yes — adding symbols increases the character set size from 62 to 94, which roughly doubles password entropy. However, some sites disallow certain symbols; if a site rejects your password, uncheck symbols and regenerate. Note that a longer all-alphanumeric password is often stronger than a short password with symbols.

What does "no ambiguous characters" mean?

Ambiguous characters look similar in some fonts: 0 (zero) and O (capital O), l (lowercase L) and I (capital I), 1 (one) and | (pipe). Excluding them makes passwords easier to read and type manually — useful if you ever need to type a password from memory.

Is a passphrase better than a random password?

For anything you must remember and type, yes: a five-word random passphrase (≈64 bits of entropy) is far easier to memorise than 14 random characters of equivalent strength. For passwords stored in a password manager, fully random characters are fine because you never type them. See the entropy comparison in "Random password or passphrase?" above.

How often should I change my passwords?

Current NIST guidance recommends against forced periodic changes. Change a password when there is evidence of compromise, when a service you use reports a breach, or when you may have exposed it (shared it, typed it on an untrusted machine) — not on a calendar schedule. Forced rotation encourages weak, predictable patterns.

How do I remember a random password?

You don't — use a password manager. Tools like Bitwarden (free, open-source), 1Password, or your browser's built-in manager will remember them for you securely. Your only job is to remember one strong master password. This is the recommended approach by every major cybersecurity organisation.

Sources & further reading

Related Tools

badges