Password Generator

Last Updated: June 2026

Generate cryptographically random, strong passwords instantly. Choose length and character types — one click to copy.

Password Length: 16 characters

Character Types

Uppercase (A–Z) Lowercase (a–z) Numbers (0–9) Symbols (!@#$%)

Generated Password

Strength—

Possible Combinations—

📐 Formula

Password entropy (bits) = log₂(pool_size^length). 128+ bits of entropy is considered secure.

How to Use the Password Generator

Set password length

Choose a length of at least 16 characters for accounts with sensitive data. The entropy (mathematical strength) increases with every added character — 16 characters is exponentially stronger than 12.

Select character types

Include uppercase, lowercase, numbers, and symbols for maximum entropy. Excluding symbols slightly reduces strength but may be necessary for sites with character restrictions.

Exclude ambiguous characters if needed

Toggle off characters that look similar (0/O, 1/l/I) if you may need to read the password aloud or type it manually. For stored passwords, ambiguous characters are fine.

Copy and store immediately

Copy the generated password and save it immediately to your password manager. The generator does not store generated passwords — refreshing or navigating away loses the password.

Password Strength: The Maths of Entropy

Password strength is measured in bits of entropy — the number of guesses required to crack it by brute force. Entropy (bits) = log₂(characters in set) × password length. A 12-character password using lowercase only (26 characters): log₂(26) × 12 = 4.7 × 12 = 56.4 bits. Adding uppercase, numbers, and symbols (95 characters): log₂(95) × 12 = 6.57 × 12 = 78.8 bits. At 16 characters with the full set: 105 bits. Each additional character adds ~6.5 bits; each character type expansion adds ~1–1.5 bits. Length matters more than complexity.

The Most Common Password Mistakes

Using the same password across multiple sites is the single most dangerous practice — when one site is breached, attackers use credential stuffing to try the same password on banks, email, and social media. The 2024 RockYou2024 breach exposed 10 billion credentials — a significant portion of previously reused passwords. Other high-risk patterns: adding a predictable suffix to a base word (Password1!, Password2!); keyboard patterns (qwerty, 123456); substitutions that pattern-matching software already accounts for (p@ssw0rd); and using personal information (birthdate, pet name, street). All are trivially checked by modern attack tools.

Password Managers: The Only Practical Solution

The only viable way to use unique, strong passwords on every site is a password manager. Options include Bitwarden (open-source, free), 1Password, Dashlane, and browser-built managers (Chrome, Safari, Firefox). A password manager generates, stores, and autofills strong unique passwords — you only remember one master password. The security trade-off is real but favourable: the risk of a well-secured password manager being breached is significantly lower than the risk of credential stuffing from reused passwords across dozens of sites.

Sources & Methodology

Calculations are based on the most current publicly available data from authoritative government and industry sources:

Frequently Asked Questions

Q.How long should a password be?▼

Security experts recommend at least 16 characters for important accounts. Length is the biggest factor — a 20-character password with only lowercase letters is stronger than a 10-character password with all character types.

Q.Should I use a different password for every site?▼

Yes — absolutely. If one site is breached, attackers try those credentials everywhere (credential stuffing). Use a password manager like Bitwarden (free) or 1Password to store unique passwords for every account.

Q.What makes a password strong?▼

Length (16+ characters), randomness (not dictionary words or patterns), character variety (upper, lower, numbers, symbols), and uniqueness (never reused). This generator creates cryptographically random passwords using the Web Crypto API.

Q.What makes a strong password in 2026?▼

A strong password is: at least 16 characters long, random (not based on words or personal info), unique to each account, and contains a mix of uppercase, lowercase, numbers, and symbols. A passphrase of 4–5 random words (e.g., 'correct-horse-battery-staple') is both strong and memorable. Length matters more than complexity.

Q.Should I use a password manager?▼

Yes — security experts universally recommend password managers (1Password, Bitwarden, Dashlane). They generate and store unique random passwords for every site, autofill credentials, and alert you to breached passwords. The risk of one master password is far lower than the risk of reusing weak passwords across sites.