🔒 Client-Side Only

🔐 Web Crypto API

🚫 Zero Tracking

Settings

Length 16

Uppercase (A-Z)

Lowercase (a-z)

Numbers (0-9)

Symbols (!@#$...)

Exclude ambiguous (0O, 1lI)

Bulk generate 1

Word count 4

Separator

Capitalize words

Add number

Length 12

Include numbers

Capitalize

Press Enter to generate · Ctrl+C to copy

Generated Password

-- 0 bits

Entropy
--
bits

Online Attack

--

1K guesses/s

Offline Attack

--

10B guesses/s

GPU Cluster

--

1T guesses/s

Uppercase: 0

Lowercase: 0

Digits: 0

Symbols: 0

Bulk Passwords

Password Strength Checker

Check an existing password

Your password never leaves your browser. Everything is analyzed locally.

How to Use This Tool

Choose one of three generation modes at the top of the page. Random Password creates a string of random characters from a pool you define. Passphrase picks words from the EFF Diceware list and joins them with a separator, making long passwords that are easy to type. Memorable generates pronounceable syllable-based passwords that are easier to recall than pure random strings.

Adjust the length, toggle character types on or off, and click Generate. The output panel updates instantly with a color-coded password, entropy calculation, and crack-time estimates for three attack scenarios.

What Makes a Strong Password?

A strong password resists automated guessing attacks. Two things determine strength: the size of the character pool and the length of the password. A 12-character password drawn from uppercase, lowercase, digits, and symbols has roughly 79 bits of entropy — enough to withstand modern offline cracking for decades.

Avoid dictionary words, keyboard patterns like "qwerty", personal information, and reusing the same password across sites. If a service is breached, an attacker who obtains your hash will try common patterns first. A truly random password forces the attacker into a brute-force search that is computationally infeasible.

Understanding Password Entropy

Entropy measures the unpredictability of a password in bits. It is calculated as log2(pool_size ^ length), which simplifies to length × log2(pool_size). A larger pool (more character types) and a longer password both increase entropy linearly.

This tool displays three crack-time estimates based on entropy: an online attack at 1,000 guesses per second (typical rate-limited web login), an offline attack at 10 billion guesses per second (a single modern GPU cracking hashes), and a GPU cluster at 1 trillion guesses per second (a well-funded adversary). Anything above 80 bits of entropy is considered excellent against all three scenarios.

Random vs. Passphrase vs. Memorable

Random passwords offer the highest entropy per character. They are ideal when a password manager stores and fills the password for you. You never need to type or remember them — the manager handles everything.

Passphrases trade density for usability. A four-word passphrase like "correct-horse-battery-staple" has around 51 bits of entropy from the EFF word list (7,776 words). Adding capitalization and a number pushes it higher. Passphrases are great for master passwords you type by hand.

Memorable passwords use consonant-vowel syllable patterns to create strings like "bopiketa" that feel word-like. They have lower entropy per character than pure random, but they are significantly easier to recall for situations where you cannot use a manager — such as a device login PIN or a Wi-Fi password you share verbally.

Frequently Asked Questions

Is this generator secure?

Yes. All passwords are generated using the crypto.getRandomValues() API built into your browser, which is a cryptographically secure pseudo-random number generator (CSPRNG). No password ever leaves your device — there are no network requests, no server-side processing, and no analytics on the generated output.

What is modulo bias and how do you prevent it?

When you use a random number to pick from a set whose size does not evenly divide the random range, some values become slightly more likely. This tool uses rejection sampling: if the random value falls in the biased zone, it is discarded and a new value is drawn. This guarantees a perfectly uniform distribution.

How many characters should my password have?

For random passwords with all character types, 16 characters (about 105 bits of entropy) is a strong default. For passphrases, four to six words provide a good balance of security and usability. Anything above 80 bits of entropy is considered strong against offline attacks.

Should I use a password manager?

Absolutely. A password manager lets you use unique, high-entropy passwords for every account without remembering them. Use this generator to create your master password (a strong passphrase works well), and let the manager handle everything else.

Can I generate passwords in bulk?

Yes. In Random mode, move the "Bulk generate" slider to generate up to 20 passwords at once. You can copy them individually or all at once.

Read the story behind this tool: Why I Built a Password Generator When Hundreds Already Exist