Password Generator
Generate cryptographically secure random passwords. Customize length, character sets, and generate in bulk — everything runs privately in your browser.
About the Password Generator
This password generator creates cryptographically secure random passwords using the Web Crypto API (crypto.getRandomValues()). Unlike Math.random(), which relies on a pseudo-random number generator (PRNG) that can be predicted if the internal state is known, crypto.getRandomValues() draws entropy from the operating system's secure random source — such as /dev/urandom on Linux/macOS or the CryptGenRandom API on Windows. This makes the generated passwords suitable for protecting sensitive accounts, encryption keys, and authentication tokens.
Why Strong Passwords Matter
Passwords remain the primary line of defense for most online accounts. A weak password — one that is short, uses a limited character set, or follows predictable patterns — can be cracked in seconds using modern hardware. GPU-accelerated brute-force attacks can test billions of password combinations per second against common hashing algorithms like MD5 or SHA-1. Even salted bcrypt hashes, which are designed to be slow, can fall to relatively short passwords. A 6-character lowercase-only password has only about 300 million possible combinations (26⁶), which can be exhausted in under a second. By contrast, a 16-character password using uppercase, lowercase, digits, and symbols draws from a pool of roughly 95 characters, yielding 95¹⁶ ≈ 4.4 × 10³¹ combinations — a number that would take centuries to brute-force even with the most powerful computing clusters available today.
Understanding Password Entropy
Entropy measures the unpredictability of a password in bits. It is calculated as log₂(pool_size ^ length), or equivalently length × log₂(pool_size). Here, pool_size is the number of distinct characters available and length is the password length. For example, a 16-character password drawn from 95 possible characters has entropy of 16 × log₂(95) ≈ 105 bits. Security researchers generally recommend a minimum of 60 bits of entropy for everyday accounts and 80+ bits for high-security applications such as master passwords for password managers, encryption passphrases, or server credentials.
Strength Assessment Criteria
This tool evaluates password strength based on entropy thresholds aligned with industry best practices:
- Weak (below 40 bits): Vulnerable to brute-force attacks. Suitable only for throwaway accounts with no sensitive data.
- Fair (40–59 bits): Provides basic protection. Adequate for low-value accounts but not recommended for anything important.
- Good (60–79 bits): Strong enough for most everyday use cases — email, social media, shopping sites. Meets or exceeds many site requirements.
- Strong (80+ bits): Highly resistant to brute-force attacks. Recommended for password manager master passwords, financial accounts, server access, and encryption keys.
Estimated Crack Time
The "estimated crack time" shown by this tool assumes an attacker performing an offline brute-force attack at a rate of 10 billion guesses per second (10 GH/s), which approximates a well-equipped GPU rig targeting fast hash algorithms. For slower algorithms like bcrypt or Argon2, actual crack times would be orders of magnitude longer. The estimate represents a worst-case scenario where the attacker must try every possible combination, and does not account for early termination via dictionary attacks or rainbow tables — which only succeed against non-random passwords.
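
The generation, entropy, strength and crack-time steps described above, as an added example that is not this tool's own source code. The function names and the POOL_95 constant are hypothetical, and the rejection-sampling step is an assumption about how to keep crypto.getRandomValues() output uniform over the pool; the page does not say which method the tool uses.

```javascript
// Added example. Browsers and Node 19+ expose globalThis.crypto; older Node falls back to webcrypto.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Constructed pool: the 95 printable ASCII characters (space through "~").
const POOL_95 = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)).join('');

// Uniform index in [0, n) by rejection sampling. A plain `byte % n` favours
// the low indices whenever 256 is not a multiple of n (modulo bias).
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('pool size must be 1..256');
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, pool = POOL_95) {
  const chars = [...new Set(pool)]; // duplicate characters would skew the distribution
  let out = '';
  for (let i = 0; i < length; i++) out += chars[randomIndex(chars.length)];
  return out;
}

// Entropy in bits: length × log2(pool_size). Valid only for uniformly random choices.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Thresholds from the Strength Assessment Criteria list.
function strengthLabel(bits) {
  if (bits < 40) return 'Weak';
  if (bits < 60) return 'Fair';
  if (bits < 80) return 'Good';
  return 'Strong';
}

// Seconds to exhaust the whole keyspace at the page's assumed 10 billion guesses per second.
function crackSeconds(bits, guessesPerSecond = 1e10) {
  return Math.pow(2, bits) / guessesPerSecond;
}
```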
Best Practices for Password Security
- Use a unique password for every account. Credential stuffing attacks reuse leaked passwords across multiple services. A breach on one site should not compromise all your accounts.
- Use a password manager. Tools like Bitwarden, 1Password, or KeePass securely store and auto-fill complex passwords so you only need to memorize one master password.
- Enable two-factor authentication (2FA). Even the strongest password can be compromised via phishing. 2FA adds a second layer that requires physical access to a device or security key.
- Avoid personal information. Names, birthdays, pet names, and dictionary words are among the first things attackers try. Truly random passwords like those generated here are immune to dictionary and pattern-based attacks.
- Aim for 16+ characters. Length is the single most important factor in password strength. Each additional character exponentially increases the number of possible combinations.
Privacy & Security
All password generation happens entirely in your browser. No passwords are ever transmitted over the network, stored on servers, or logged in any way. You can verify this by inspecting the page source or monitoring network requests in your browser's developer tools. The source code uses only the Web Crypto API and standard JavaScript — no external libraries, analytics, or tracking scripts are involved in the generation process.