Password Generator

Strong random passwords generated with your browser's cryptographic randomness — never sent anywhere, not even to us.

Strength
Entropy
Combinations

What makes a password strong

Only two things: length and true randomness. Every added character multiplies the search space; every human "pattern" (words, dates, keyboard walks, s@bstitutions) collapses it. Modern cracking rigs test billions of guesses per second against stolen password databases — but a random 16-character mixed password has ~1031 combinations, putting it beyond any practical attack.

The rules that actually matter

  • Unique per site. Reuse is the #1 cause of account takeovers: one breached site unlocks the rest ("credential stuffing"). A password manager makes uniqueness effortless.
  • 16+ characters for anything important; 12 is the bare floor.
  • Turn on two-factor authentication for email and banking — it saves you even when a password leaks.
  • Your email account outranks everything — it can reset all other passwords. Give it your strongest protection.

Random string vs. passphrase

Both work when random: "correct horse battery staple"-style passphrases (4–5 truly random words) are easier to type on a TV or memorize for a master password; random strings are denser (shorter for the same strength) and belong in a password manager. Use passphrases for the few you must remember, generated strings for everything else.

Frequently asked questions

Is it safe to generate a password on a website?
On this one, yes: generation uses your browser's crypto.getRandomValues() and never leaves your device — you can verify by loading the page, going offline, and generating. Still, for ongoing use, a dedicated password manager is the best home for your passwords.
What does the entropy number mean?
Bits of randomness: each bit doubles the combinations an attacker must try. 60+ bits resists online attacks; 80+ resists offline cracking of properly stored passwords; 100+ is overkill that costs you nothing when a manager does the typing.
Should I avoid symbols because some sites reject them?
Generate with symbols by default; if a site rejects the password, regenerate with symbols off and add length to compensate — 20 characters of letters+digits beats 14 with symbols.
How often should I change passwords?
Current guidance (NIST): don't rotate on a schedule — change immediately when a service reports a breach or you see suspicious activity. Forced rotation breeds weaker, patterned passwords.