Password Generator
Generate secure passwords with custom options
Password Options
Complete Guide to Password Security
Everything you need to understand password entropy, generation algorithms, and real-world security — from fundamentals to advanced use cases.
Understanding Password Strength
Password Strength Fundamentals
- Entropy: the measure of unpredictability — higher entropy = stronger password
- Entropy formula: E = L × log₂(C) where L = length, C = character pool size
- 8-char lowercase only: log₂(26⁸) ≈ 37.6 bits — crackable in minutes
- 12-char mixed case + digits + symbols: log₂(94¹²) ≈ 78.9 bits — very strong
- 16-char mixed: ≈ 105 bits — practically uncrackable by brute force
- Every additional character multiplies combinations by the character pool size
- Randomness source: crypto.getRandomValues() (cryptographically secure) vs Math.random() (NOT suitable for passwords)
Character Pool Sizes
- Lowercase letters (a–z): 26 characters
- Uppercase letters (A–Z): 26 characters → pool of 52 with lowercase
- Digits (0–9): 10 characters → pool of 62 with letters
- Common symbols (!@#$%^&*): 8 characters → pool of 70
- Extended symbols (full printable ASCII): 32 symbols → pool of 94
- Passphrase (random words): 7,776 words per die (EFF wordlist) → each word adds ~12.9 bits
- 4-word passphrase: ≈ 51.7 bits
- 6-word passphrase: ≈ 77.5 bits
- Ambiguous characters (0, O, l, 1, I): removed in readable mode for clarity
Generator Features & Algorithms
Generation Algorithms
- crypto.getRandomValues(): CSPRNG — cryptographically secure, not predictable
- Character selection: random index into character pool for each position
- Fisher-Yates shuffle: ensures each character appears before any repeats (optional)
- Passphrase mode: randomly selects words from a curated wordlist
- Memorable format: consonant-vowel-consonant pattern for pronounceable passwords
- No-ambiguous mode: excludes 0/O/l/1/I/o for easy visual reading
- Pattern mode: allows custom patterns (e.g., Lll-ddd-Lll for mixed format)
Entropy Reference Table
- 8 chars, lowercase only: 37.6 bits — crackable
- 8 chars, mixed case + digits: 47.6 bits — weak
- 12 chars, mixed case + digits: 71.5 bits — moderate
- 12 chars, mixed + symbols (94): 78.9 bits — strong
- 16 chars, mixed + symbols: 105.2 bits — very strong
- 20 chars, mixed + symbols: 131.5 bits — excellent
- 4-word passphrase (EFF): 51.7 bits — moderate
- 6-word passphrase (EFF): 77.5 bits — strong
- 8-word passphrase (EFF): 103.4 bits — very strong
Cracking Time Estimates
- 40-bit password: < 1 second (consumer GPU)
- 50-bit password: ~1 hour (consumer GPU)
- 60-bit password: ~1 year (consumer GPU)
- 70-bit password: ~1,000 years (consumer GPU)
- 80-bit password: ~1 billion years (consumer GPU)
- 1 trillion guesses/sec (NSA-class): 70 bits still takes ~1,024 years
- Offline attack (bcrypt): 10,000× slower than plain hash
- Online attack (rate-limited): 3 attempts/sec → even weak passwords survive hours
- Quantum computer (Grover's): halves effective bits — 128-bit needed for quantum-resistant
Real-World Applications
Personal Security
- Generate unique passwords for each website account
- Replace reused passwords identified in password audit
- Create strong PIN alternatives for device encryption
- Generate memorable passphrases for master password manager
- Secure Wi-Fi network passwords (WPA2 requires ≥ 8 chars)
- Create recovery code alternatives for 2FA backup
- Generate temporary passwords for account sharing
- Secure home NAS and router admin accounts
Business & IT Administration
- Generate service account passwords for CI/CD systems
- Create API keys and secret tokens for applications
- Set initial passwords for new employee accounts
- Generate encryption keys for file archives
- Create database passwords meeting complexity policies
- Set secure SMTP/IMAP mail credentials
- Generate SSH key passphrases for server access
- Create VPN pre-shared keys for site-to-site connections
Development & DevOps
- Generate JWT signing secrets (256-bit = 32 random chars)
- Create Django/Rails SECRET_KEY values
- Generate session secret tokens for web frameworks
- Create Redis/database authentication passwords
- Generate webhook signing secrets for API callbacks
- Create encryption keys for AWS KMS / HashiCorp Vault
- Seed test data with realistic-looking password hashes
- Generate test API keys that look real but are non-functional
Security Research & Testing
- Create test passwords covering all complexity policy rules
- Generate passwords at exact bit-strength thresholds for entropy testing
- Test password meters and strength estimators
- Create wordlist samples for dictionary attack simulations
- Generate rainbow table test inputs
- Validate password policy enforcement in authentication systems
- Test copy-to-clipboard functionality in web apps
- Verify secure password storage (bcrypt, Argon2, PBKDF2) implementations
Best Practices
Password Security Rules
- Minimum 12 characters — 16+ for critical accounts (banking, email, VPN)
- Use all character types: lowercase + uppercase + digits + symbols
- Never reuse passwords across sites — each account needs unique credentials
- Use a password manager (Bitwarden, 1Password, KeePass) — don't memorize
- Enable 2FA/MFA on all important accounts — even weak password + 2FA > strong password alone
- Never store passwords in plain text files, notes apps, or browser autofill for sensitive accounts
- Change passwords immediately after any suspected breach (check haveibeenpwned.com)
- Rotate shared credentials (Wi-Fi, server accounts) when team members leave
What to Avoid
- Avoid dictionary words — 'sunshine123' is cracked instantly
- Avoid personal info: names, birthdays, pet names, addresses
- Avoid keyboard patterns: 'qwerty', '123456', 'asdfgh'
- Avoid simple substitutions: 'P@ssw0rd' is in every cracking dictionary
- Avoid short passwords: 8 chars is crackable — 12+ is minimum
- Avoid the same password with different numbers appended ('site1', 'site2')
- Avoid saving passwords in browser — use a dedicated manager instead
- Avoid sharing passwords via email or SMS — use encrypted channels
Password Examples by Category
Password Strength Comparison
- "password" → 0 bits of real entropy, cracked instantly
- "P@ssw0rd" → ~28 bits effective, in every dictionary
- "Tr0ub4dor&3" (famous XKCD password) → ~28 bits, memorable but known
- "correct horse battery staple" (passphrase) → ~44 bits, strong & memorable
- "jX9#mK2!vP7@" (12-char random) → 78.9 bits — strong
- "qR$7kLmN2#vWxZpT" (16-char random) → 105.2 bits — very strong
Common Account Types & Recommended Strength
- Email account (recovery for everything): 20 chars, symbols, no reuse
- Password manager master: 6-word passphrase (EFF)
- Banking/financial: 16+ chars, symbols, unique
- Social media: 14+ chars (account takeover is common)
- Work VPN/SSO: 14+ chars, meets corporate policy
- Developer API keys: 32 random alphanumeric chars (base64)
- Home Wi-Fi WPA2: 20+ chars (rarely typed manually)
- Streaming services: 12+ chars (lower risk but still unique)
Generated Password Samples
- 12-char standard: Kx9#mP2!jRvN (78.9 bits)
- 16-char strong: qR$7kLmN2#vWxZpT (105 bits)
- 20-char excellent: Hj#3vNkX9@mWqL7!pRcT (131 bits)
- 4-word passphrase: correct-horse-battery-staple (52 bits)
- 6-word passphrase: purple-tornado-seven-lamp-crispy-moon (78 bits)
- PIN (8-digit): 47392815 (26.6 bits — use only with lockout)
Frequently Asked Questions
Is the password generated on my device or your server?▾
Entirely on your device. The password generator uses your browser's built-in crypto.getRandomValues() API — a cryptographically secure random number generator. No data is sent to any server. The generated password exists only in your browser's memory until you copy it.
Why use crypto.getRandomValues() instead of Math.random()?▾
Math.random() is a pseudorandom generator not designed for security — its output can be predicted if an attacker knows the seed. crypto.getRandomValues() uses the operating system's entropy source (hardware noise, timing events), which is cryptographically unpredictable and suitable for security-sensitive applications.
How long should my password be?▾
For most accounts: 12–16 characters with mixed case, digits, and symbols. For critical accounts (email, banking, password manager): 20+ characters or a 6-word passphrase. The NIST (2024 guidelines) recommends length over complexity — a longer simpler password beats a short complex one.
Are passphrases more secure than random passwords?▾
It depends on the word count. A 6-word passphrase from a 7,776-word list has ~77.5 bits of entropy — equivalent to a 12-character fully random password. The advantage is memorability. A 4-word passphrase (~52 bits) is weaker than a good 12-char random password. For password managers, use 6+ words.
Should I use a password manager?▾
Yes — absolutely. Humans can't memorize 100+ unique strong passwords. A password manager (Bitwarden is free and open-source; 1Password and Dashlane are excellent paid options) stores all your passwords encrypted behind one master password. Enable 2FA on the manager itself.
How often should I change my passwords?▾
NIST now recommends against mandatory periodic rotation (it leads to weaker passwords like 'Password1!' → 'Password2!'). Change passwords when: a breach is confirmed, you suspect unauthorized access, you shared a password and the relationship ended, or you're reusing a password and want to stop.