Password Generator
Generate strong, random passwords with custom rules. Runs entirely in your browser — nothing is stored or sent anywhere.
How Strong Passwords Work
Password strength comes from randomness and length. Every character you add multiplies the total number of possible combinations, making the password exponentially harder to crack through brute force — trying every possible combination.
Entropy: Measuring Password Strength
Entropy is a measure of randomness, expressed in bits. Higher entropy means a password is harder to guess. The formula depends on the pool size (number of possible characters) and the password length.
Pool sizes: lowercase (26) · + uppercase (52) · + digits (62) · + symbols (~95)
Entropy = length × log₂(pool size)
Example, a 16-character password using all character types: Entropy = 16 × log₂(95) = 16 × 6.57 = ~105 bits
This would take trillions of years to brute-force.
Crack Time Estimates
Here's how long different passwords would take to crack by brute force, assuming 100 billion guesses per second (a high-end attack scenario).
| Password Type | Length | Crack Time |
|---|---|---|
| Lowercase only | 8 chars | ~2 seconds |
| Mixed case + numbers | 8 chars | ~1 hour |
| All character types | 12 chars | ~7 million years |
| All character types | 16 chars | ~240 trillion years |
| All character types | 20 chars | ~8.6 × 10²⁴ years |
Best Practices
Use at least 12 characters (16+ recommended). Include all four character types: uppercase, lowercase, numbers, and symbols. Never reuse passwords across accounts — if one site is breached, all shared passwords are compromised. Use a password manager like Bitwarden, 1Password, or KeePass to store unique passwords for every service.
What This Generator Uses
This tool uses the Web Crypto API (crypto.getRandomValues), a cryptographically secure random number generator built into every modern browser. Unlike Math.random(), whose output can be predicted, the Web Crypto API produces unpredictable values suitable for security-sensitive applications. Your password is generated entirely on your device and never leaves your browser.
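The approach described above, as an added example (not this tool's own source code): characters are drawn with crypto.getRandomValues without modulo bias, and entropy is computed with the formula from the entropy section. The character sets, the function names and the resulting 94-character pool are assumptions made for the illustration.

```javascript
// Added example. Browsers and current Node expose Web Crypto as
// globalThis.crypto; the require() fallback only runs on older Node.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Assumed character sets: the page gives only pool sizes (26/52/62/~95).
const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", // 32 printable ASCII symbols
};

// Uniform integer in [0, n). A plain `byte % n` favours low indexes whenever
// 256 is not a multiple of n (modulo bias), so out-of-range bytes are redrawn.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Entropy in bits of `length` independent uniform picks from `poolSize` symbols.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Password that contains at least one character from every requested set.
function generatePassword(length, kinds = Object.keys(SETS)) {
  if (kinds.length === 0 || kinds.some((k) => !Object.hasOwn(SETS, k))) throw new Error("unknown character set");
  if (!Number.isInteger(length) || length < kinds.length) throw new RangeError("length too short");
  const pool = kinds.map((k) => SETS[k]).join("");
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += pool[randomIndex(pool.length)];
    // Redrawing the whole password (not patching single positions) keeps
    // every password that satisfies the rule equally likely.
    if (kinds.every((k) => [...pw].some((c) => SETS[k].includes(c)))) return pw;
  }
}

console.log(generatePassword(16), entropyBits(16, 94).toFixed(1), "bits");
```

Requiring every character set rejects some draws, so the effective entropy is slightly below length × log₂(pool size).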
Frequently Asked Questions
It uses the Web Crypto API built into your browser to generate cryptographically secure random characters. Your password is created entirely on your device — nothing is sent to any server or stored anywhere.
Length and randomness. At least 12 characters with a mix of uppercase, lowercase, numbers, and symbols. Avoid dictionary words, personal info, and common patterns like "123" or "abc".
No. Everything runs in your browser via JavaScript. Nothing is sent to a server, logged, or stored in any database. When you close the page, the password only exists where you saved it.
At minimum 12 characters, ideally 16+. Each additional character multiplies the number of possible combinations exponentially, making brute-force attacks infeasible.
Absolutely. Reusing passwords means one breach compromises all accounts using that password. Use a password manager to handle unique passwords for each service.
No. Math.random() is a pseudo-random number generator — its output is predictable. This tool uses the Web Crypto API (crypto.getRandomValues), which provides cryptographically secure randomness suitable for password generation.