Password Generator

Last Updated:

Generate cryptographically random, strong passwords instantly. Choose length and character types — one click to copy.

Generated Password

Strength
Possible Combinations

📐 Formula

Password entropy (bits) = log₂(pool_size^length). 128+ bits of entropy is considered secure.

How to Use the Password Generator

1

Set password length

Choose a length of at least 16 characters for accounts with sensitive data. The entropy (mathematical strength) increases with every added character — 16 characters is exponentially stronger than 12.

2

Select character types

Include uppercase, lowercase, numbers, and symbols for maximum entropy. Excluding symbols slightly reduces strength but may be necessary for sites with character restrictions.

3

Exclude ambiguous characters if needed

Toggle off characters that look similar (0/O, 1/l/I) if you may need to read the password aloud or type it manually. For stored passwords, ambiguous characters are fine.

4

Copy and store immediately

Copy the generated password and save it immediately to your password manager. The generator does not store generated passwords — refreshing or navigating away loses the password.

Password Strength: The Maths of Entropy

Password strength is measured in bits of entropy — the number of guesses required to crack it by brute force. Entropy (bits) = log₂(characters in set) × password length. A 12-character password using lowercase only (26 characters): log₂(26) × 12 = 4.7 × 12 = 56.4 bits. Adding uppercase, numbers, and symbols (95 characters): log₂(95) × 12 = 6.57 × 12 = 78.8 bits. At 16 characters with the full set: 105 bits. Each additional character adds ~6.5 bits; each character type expansion adds ~1–1.5 bits. Length matters more than complexity.

The Most Common Password Mistakes

Using the same password across multiple sites is the single most dangerous practice — when one site is breached, attackers use credential stuffing to try the same password on banks, email, and social media. The 2024 RockYou2024 breach exposed 10 billion credentials — a significant portion of previously reused passwords. Other high-risk patterns: adding a predictable suffix to a base word (Password1!, Password2!); keyboard patterns (qwerty, 123456); substitutions that pattern-matching software already accounts for (p@ssw0rd); and using personal information (birthdate, pet name, street). All are trivially checked by modern attack tools.

Password Managers: The Only Practical Solution

The only viable way to use unique, strong passwords on every site is a password manager. Options include Bitwarden (open-source, free), 1Password, Dashlane, and browser-built managers (Chrome, Safari, Firefox). A password manager generates, stores, and autofills strong unique passwords — you only remember one master password. The security trade-off is real but favourable: the risk of a well-secured password manager being breached is significantly lower than the risk of credential stuffing from reused passwords across dozens of sites.

How Password Entropy Is Calculated: Worked Example

Password strength is measured in bits of entropy: entropy = length × log₂(pool size), where pool size is the number of possible characters at each position.

8 characters, lowercase only (26-letter pool): 8 × log₂(26) = 8 × 4.7 = 37.6 bits — about 2³⁸ possible combinations.

8 characters, mixed case + digits (62-character pool): 8 × log₂(62) = 8 × 5.95 = 47.6 bits — roughly 2⁴⁸ combinations, already 1,000× stronger than the lowercase-only version despite the same length.

12 characters, full character set including symbols (94-character pool): 12 × log₂(94) = 12 × 6.55 = 78.7 bits — around 2⁷⁹ combinations.

At an offline cracking speed of 10 billion guesses per second (achievable with modern GPU hardware against a leaked, poorly-hashed password database), the 8-character mixed password falls in roughly 5.5 hours, while the 12-character full-charset password would take approximately 1.56 million years on average to exhaust half the keyspace. Length matters far more than complexity — each additional character multiplies the keyspace, while adding one more character type only multiplies it by a small constant factor.

What Actually Makes a Password Secure in Practice?

Why is a long passphrase often stronger than a short complex password?

A random passphrase of four unrelated words drawn from a 7,776-word list (the Diceware method) carries log₂(7776) ≈ 12.9 bits per word — four words gives about 51.6 bits, comparable to the 8-character mixed password above, but far easier for a human to memorize and type accurately. Six random words reach roughly 77.4 bits, approaching the 12-character full-charset password's strength while remaining memorable.

Why don't common substitution tricks (like "P@ssw0rd") actually help much?

Password-cracking tools maintain dictionaries specifically built around common substitutions (@ for a, 0 for o, 1 for i), meaning "P@ssw0rd" is tested almost as early as "Password" itself in a targeted attack — the entropy formula above assumes truly random character selection, and predictable substitution patterns don't add the bits of randomness the math would suggest.

Is reusing a strong password across multiple sites still dangerous?

Yes — reuse defeats even a mathematically strong password, because a single data breach at any one site exposes the password everywhere else it's used, regardless of its entropy. A password manager generating and storing a unique high-entropy password (12+ random characters or a multi-word passphrase) per site addresses both problems simultaneously: strength and non-reuse.

Frequently Asked Questions

Security experts recommend at least 16 characters for important accounts. Length is the biggest factor — a 20-character password with only lowercase letters is stronger than a 10-character password with all character types.
Yes — absolutely. If one site is breached, attackers try those credentials everywhere (credential stuffing). Use a password manager like Bitwarden (free) or 1Password to store unique passwords for every account.
Length (16+ characters), randomness (not dictionary words or patterns), character variety (upper, lower, numbers, symbols), and uniqueness (never reused). This generator creates cryptographically random passwords using the Web Crypto API.
A strong password is: at least 16 characters long, random (not based on words or personal info), unique to each account, and contains a mix of uppercase, lowercase, numbers, and symbols. A passphrase of 4–5 random words (e.g., 'correct-horse-battery-staple') is both strong and memorable. Length matters more than complexity.
Yes — security experts universally recommend password managers (1Password, Bitwarden, Dashlane). They generate and store unique random passwords for every site, autofill credentials, and alert you to breached passwords. The risk of one master password is far lower than the risk of reusing weak passwords across sites.

Sources & Methodology

Calculations are based on the most current publicly available data from authoritative government and industry sources: