Password Generator
Create strong, random passwords that never leave your browser.
Tips for strong passwords
- Use at least 16 characters for important accounts.
- Mix all four character classes unless a site forbids symbols.
- Never reuse a password across sites, use a password manager.
- Everything here happens in your browser. Nothing is sent to a server.
Frequently asked questions
How long should my password be?
For accounts that support it, 16 characters or more is the modern recommendation, especially for password manager master passwords. Below 12 characters, brute-force attacks become tractable against weak hashes.
Are these passwords truly random?
Yes. The generator uses crypto.getRandomValues from the Web Crypto API, which is cryptographically secure. There is no predictable seed.
Should I avoid certain symbols?
Some legacy systems reject symbols like <, >, or quotes. Use the Exclude box to remove specific characters and still get a strong, site-compatible password.
Is the password sent or stored anywhere?
No. Generation happens entirely in your browser; nothing is uploaded or logged. Copy the password straight to your password manager.
The arithmetic of guessing
A password's strength is its search space: charset size raised to the power of length. Eight lowercase letters give 26^8 = 209 billion combinations... hours of work for offline cracking rigs that try tens of billions of hashes per second. Each added character multiplies the work by the charset size, which is why length dominates everything: 16 random characters from the full 94-symbol keyboard set (about 105 bits of entropy) is beyond any brute-force attack that physics will permit in our lifetimes. Complexity rules without length are theatre; length without human patterns is the actual defence.
Generator settings, justified
- 16+ characters for accounts that matter, 20+ for anything financial: the cost of extra length is zero when a manager does the typing.
- All four character classes on, unless a legacy site forbids symbols... in which case add length to compensate.
- "Exclude ambiguous characters" (l/1/I, O/0) only matters for passwords a human will read aloud or retype; for autofilled credentials, leave everything in.
- Uniqueness per site is non-negotiable. Credential-stuffing attacks replay leaked passwords everywhere; one reused password converts a forum breach into a banking incident.
What actually defeats strong passwords
Random 16-character passwords are not guessed; they are phished, intercepted by malware, or bypassed entirely when a service stores them badly. The mitigations are procedural: a password manager (which also refuses to autofill on lookalike domains... built-in phishing resistance), two-factor authentication on email and finance, and changing passwords on breach news rather than on a calendar. Forced periodic rotation, the old corporate ritual, is now explicitly recommended against by NIST: it produces Summer2026! patterns, not security.
Handling the awkward cases
Some credentials resist the standard pattern. Wi-Fi passwords get typed into TVs with remote controls: generate long but alphanumeric-only, and length compensates for the smaller alphabet. Shared team credentials (where unavoidable) belong in a manager's shared vault, generated once, never in chat history. PINs are a different game entirely... 4 digits hold only 10,000 possibilities, so the protection is the device's lockout policy, not the number; just avoid dates and patterns, which concentrate half of all real PINs into a few hundred values. And the answers to "security questions" are best treated as passwords too: generate gibberish, store it in the manager, and let your mother's maiden name remain unguessable because it is now vK4q-mWp9-xR2t.
Advertisement