Cryptographically random passwords that never leave your browser. Generator, passphrase builder, and strength checker all included.
🎲
Password Generator
Click Generate
Strength—
Length16
How many1
📝
Passphrase Generator
Click Generate
Words5
Separator
A 5-word passphrase has more entropy than a 10-character random password and is much easier to remember.
🔍
Password Strength Checker
Enter your password
Strength—
Estimated Crack Time
—
What Makes a Password Strong?
Password strength is determined by entropy — a mathematical measure of how unpredictable the password is, expressed in bits. Entropy depends on two things: the length of the password and the size of the character set it's drawn from.
A 12-character password using only lowercase letters (26 possible characters per position) has 26¹² ≈ 95 trillion combinations. Adding uppercase, numbers, and symbols expands the character set to ~94 characters: 94¹² ≈ 475 septillion combinations. But length dominates: a 20-character lowercase-only password has more entropy than a 12-character mixed-character password.
Password Entropy and Crack Times
Entropy is measured in bits, where each bit doubles the number of possible combinations. A modern GPU can attempt around 10 billion password guesses per second against a poorly hashed database. At that speed:
40 bits of entropy ≈ 1 trillion combinations → cracks in about 2 minutes.
60 bits of entropy ≈ 1 quintillion combinations → cracks in about 3,000 years.
80 bits of entropy → cracks in about 36 million years.
100 bits of entropy → cracks in about 4 trillion years.
Our strength checker calculates approximate entropy based on your password's length and character types and shows an estimated crack time in plain language.
Passphrases vs. Random Character Passwords
A passphrase — multiple random words like "maple-frozen-river-echo-ghost" — can match or exceed the security of a random character password while being far easier to remember. A 5-word passphrase drawn from a 2,000-word list has approximately log₂(2000⁵) ≈ 55 bits of entropy — more than a typical 10-character mixed-character password.
Passphrases shine for accounts you type regularly: computer logins, primary email, and password manager master passwords. For everything else, your password manager can generate and store random character passwords without you ever needing to memorize them.
How Attackers Crack Passwords
Understanding attack methods explains why the security rules exist:
Dictionary attacks — Try common words, names, keyboard patterns (qwerty, 123456), and known passwords from breach databases. Most commonly used passwords are already known.
Credential stuffing — Use stolen username/password pairs from one breach to try logging in elsewhere. This is why password reuse is catastrophic — one breach exposes every account using that password.
Brute force — Try every possible combination. Feasible for short passwords; impractical for long ones due to exponential growth.
Rainbow tables — Precomputed hash lookup tables to speed cracking. Defeated by modern "salted" hashing used in reputable services.
Why a Password Manager Is Essential
Using a unique, random password for every account is the single most impactful thing you can do for your digital security. The problem: no human can memorize dozens of 16-character random passwords. The solution: a password manager stores all passwords in an encrypted vault and auto-fills them, so you only need to remember one strong master password.
Reputable options include Bitwarden (free, open-source, audited), 1Password, and the built-in managers in Chrome, Safari, and Firefox. All of these are safer than reusing passwords or writing them down.
Two-Factor Authentication: The Second Line of Defense
Even a strong, unique password can be compromised if a service suffers a breach. Two-factor authentication (2FA) adds a second verification step — usually a time-based code from an authenticator app — so that possessing your password alone is not enough to log in.
Authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator generate 6-digit codes that change every 30 seconds. These are more secure than SMS-based 2FA, which is vulnerable to SIM-swapping attacks. Enable 2FA on every account that offers it, prioritizing email, banking, and work accounts.
How This Password Generator Works
This generator uses the browser's crypto.getRandomValues() API, defined by the W3C Web Cryptography specification and implemented in all modern browsers. It draws randomness from the operating system's entropy pool, which collects unpredictable data from hardware timing, interrupt events, and other physical sources.
This is categorically different from Math.random(), which uses a deterministic pseudorandom algorithm and can theoretically be predicted given the right initial conditions. crypto.getRandomValues() is the same source used by cryptographic libraries in banking, VPNs, and security software.
Password Requirements by Account Risk Level
Not every account needs the same level of protection. A practical framework:
Critical accounts (email, banking, work login, password manager) — 16+ random characters or a 5+ word passphrase; 2FA enabled; never reused.
Medium-risk accounts (online stores, streaming, social media) — 12+ characters; unique per site via your password manager; 2FA if available.
Low-risk throwaway signups — Let your password manager generate and store automatically; you never need to know it.
Your email account is the most critical of all — it's the recovery method for every other account, making it the master key to your digital life.
Password Generator — Frequently Asked Questions
Is it safe to generate passwords on this website?
Yes. Every password is generated entirely in your browser using crypto.getRandomValues(). No password data is ever sent to a server. You can confirm this by opening your browser's Network tab while generating — there are zero outgoing requests during password generation.
What is the difference between a password and a passphrase?
A password is a random string of characters (like xK7#mQ2p). A passphrase is several random common words joined together (like maple-frost-river-echo). Both can offer equivalent security; passphrases are significantly easier to memorize and type correctly.
How long should my password be?
At minimum, 12 characters for everyday accounts. For high-risk accounts — email, banking, and work — use 16 or more characters. Length is the most important factor; a longer password is almost always more secure than a shorter one with more character types.
What does password entropy mean?
Entropy measures unpredictability in bits. Each additional bit doubles the number of possible combinations an attacker must try. A password with 60 bits of entropy has 2⁶⁰ ≈ 1 quintillion possible values — at 10 billion guesses per second, cracking it would take thousands of years.
Should I use a password manager?
Yes — it's the single most effective change you can make to your password security. Using a unique password for every account is crucial, and a password manager is the only practical way to do that. Bitwarden is free and open-source; 1Password and the built-in browser managers are also solid choices.