Password Generator
Last Updated:
Generate cryptographically random, strong passwords instantly. Choose length and character types — one click to copy.
Generated Password
📐 Formula
Password entropy (bits) = log₂(pool_size^length). 128+ bits of entropy is considered secure.
How to Use the Password Generator
Set password length
Choose a length of at least 16 characters for accounts with sensitive data. The entropy (mathematical strength) increases with every added character — 16 characters is exponentially stronger than 12.
Select character types
Include uppercase, lowercase, numbers, and symbols for maximum entropy. Excluding symbols slightly reduces strength but may be necessary for sites with character restrictions.
Exclude ambiguous characters if needed
Toggle off characters that look similar (0/O, 1/l/I) if you may need to read the password aloud or type it manually. For stored passwords, ambiguous characters are fine.
Copy and store immediately
Copy the generated password and save it immediately to your password manager. The generator does not store generated passwords — refreshing or navigating away loses the password.
Password Strength: The Maths of Entropy
Password strength is measured in bits of entropy — the number of guesses required to crack it by brute force. Entropy (bits) = log₂(characters in set) × password length. A 12-character password using lowercase only (26 characters): log₂(26) × 12 = 4.7 × 12 = 56.4 bits. Adding uppercase, numbers, and symbols (95 characters): log₂(95) × 12 = 6.57 × 12 = 78.8 bits. At 16 characters with the full set: 105 bits. Each additional character adds ~6.5 bits; each character type expansion adds ~1–1.5 bits. Length matters more than complexity.
The Most Common Password Mistakes
Using the same password across multiple sites is the single most dangerous practice — when one site is breached, attackers use credential stuffing to try the same password on banks, email, and social media. The 2024 RockYou2024 breach exposed 10 billion credentials — a significant portion of previously reused passwords. Other high-risk patterns: adding a predictable suffix to a base word (Password1!, Password2!); keyboard patterns (qwerty, 123456); substitutions that pattern-matching software already accounts for (p@ssw0rd); and using personal information (birthdate, pet name, street). All are trivially checked by modern attack tools.
Password Managers: The Only Practical Solution
The only viable way to use unique, strong passwords on every site is a password manager. Options include Bitwarden (open-source, free), 1Password, Dashlane, and browser-built managers (Chrome, Safari, Firefox). A password manager generates, stores, and autofills strong unique passwords — you only remember one master password. The security trade-off is real but favourable: the risk of a well-secured password manager being breached is significantly lower than the risk of credential stuffing from reused passwords across dozens of sites.
How Password Entropy Is Calculated: Worked Example
Password strength is measured in bits of entropy: entropy = length × log₂(pool size), where pool size is the number of possible characters at each position.
8 characters, lowercase only (26-letter pool): 8 × log₂(26) = 8 × 4.7 = 37.6 bits — about 2³⁸ possible combinations.
8 characters, mixed case + digits (62-character pool): 8 × log₂(62) = 8 × 5.95 = 47.6 bits — roughly 2⁴⁸ combinations, already 1,000× stronger than the lowercase-only version despite the same length.
12 characters, full character set including symbols (94-character pool): 12 × log₂(94) = 12 × 6.55 = 78.7 bits — around 2⁷⁹ combinations.
At an offline cracking speed of 10 billion guesses per second (achievable with modern GPU hardware against a leaked, poorly-hashed password database), the 8-character mixed password falls in roughly 5.5 hours, while the 12-character full-charset password would take approximately 1.56 million years on average to exhaust half the keyspace. Length matters far more than complexity — each additional character multiplies the keyspace, while adding one more character type only multiplies it by a small constant factor.
What Actually Makes a Password Secure in Practice?
Why is a long passphrase often stronger than a short complex password?
A random passphrase of four unrelated words drawn from a 7,776-word list (the Diceware method) carries log₂(7776) ≈ 12.9 bits per word — four words gives about 51.6 bits, comparable to the 8-character mixed password above, but far easier for a human to memorize and type accurately. Six random words reach roughly 77.4 bits, approaching the 12-character full-charset password's strength while remaining memorable.
Why don't common substitution tricks (like "P@ssw0rd") actually help much?
Password-cracking tools maintain dictionaries specifically built around common substitutions (@ for a, 0 for o, 1 for i), meaning "P@ssw0rd" is tested almost as early as "Password" itself in a targeted attack — the entropy formula above assumes truly random character selection, and predictable substitution patterns don't add the bits of randomness the math would suggest.
Is reusing a strong password across multiple sites still dangerous?
Yes — reuse defeats even a mathematically strong password, because a single data breach at any one site exposes the password everywhere else it's used, regardless of its entropy. A password manager generating and storing a unique high-entropy password (12+ random characters or a multi-word passphrase) per site addresses both problems simultaneously: strength and non-reuse.
Frequently Asked Questions
Sources & Methodology
Calculations are based on the most current publicly available data from authoritative government and industry sources: