
Password Generator

Generate strong random passwords.


How are passwords generated?

This tool generates passwords using your browser's crypto.getRandomValues() API, the same cryptographic random number generator used in TLS, HTTPS, and security software worldwide. Each character is selected independently with uniform probability from the enabled character sets. Your passwords are generated locally and never transmitted to any server.

Unlike pseudorandom generators (like Math.random() in JavaScript), cryptographic random number generators draw entropy from hardware sources: mouse movements, keyboard timing, disk I/O, and dedicated hardware random number generators. This ensures that generated passwords are truly unpredictable, even to an attacker who knows the algorithm.
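The per-character selection described above, as an added example rather than this tool's own source code: taking a random value modulo the alphabet size is slightly biased, so the code uses rejection sampling to keep every character equally likely. The function names and the SETS table, including its symbol list, are assumptions made for the example.

```javascript
// Added illustration, not the tool's source. SETS and all function names are assumptions.
// Browser: globalThis.crypto. Older Node.js (CommonJS): fall back to node:crypto's webcrypto.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!#$%&()*+,-./:;<=>?@[]^_{|}~', // constructed sample set (28 characters)
};

// Uniform integer in [0, n) via rejection sampling.
// `value % n` alone is biased whenever 2^32 is not a multiple of n,
// because the lowest residues would occur slightly more often.
function uniformIndex(n, source = rng) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError('n must be an integer in [1, 2^32]');
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    source.getRandomValues(buf);
  } while (buf[0] >= limit); // discard draws from the partial top bucket
  return buf[0] % n;
}

function buildAlphabet(enabled) {
  const chars = enabled.map((name) => {
    if (!Object.hasOwn(SETS, name)) throw new Error(`unknown set: ${name}`);
    return SETS[name];
  }).join('');
  return [...new Set(chars)]; // de-duplicate so every character has equal weight
}

function generatePassword(length, enabled, source = rng) {
  const alphabet = buildAlphabet(enabled);
  if (alphabet.length === 0) throw new Error('enable at least one character set');
  let out = '';
  for (let i = 0; i < length; i++) out += alphabet[uniformIndex(alphabet.length, source)];
  return out;
}

// Entropy in bits of a password drawn this way: length * log2(alphabet size).
function entropyBits(length, enabled) {
  return length * Math.log2(buildAlphabet(enabled).length);
}
```

With this constructed table, entropyBits(16, ['lower', 'upper', 'digits']) is about 95.3 bits (62 characters) and entropyBits(16, ['lower', 'upper', 'digits', 'symbols']) is about 103.9 bits (90 characters).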

How long should a password be?

  • 12 characters: The minimum acceptable length for most online accounts. Provides approximately 71 bits of entropy with all character types enabled.
  • 16 characters: Recommended for email, banking, and financial accounts. Provides approximately 95 bits of entropy.
  • 20+ characters: Best for admin accounts, SSH keys, encryption keys, and password manager master passwords. Provides 119+ bits of entropy.

What makes a password strong?

Password strength is measured by entropy, the number of possible combinations an attacker must try. Length is the single most important factor. A 16-character password using all four character sets (uppercase, lowercase, digits, symbols) has roughly 10⁴² possible combinations. At one trillion guesses per second, brute-forcing it would take billions of years.

Adding character variety increases entropy per character. Lowercase letters alone give 26 options per position. Adding uppercase doubles it to 52. Adding digits reaches 62. Including symbols pushes it to 90+ options per character. But length always trumps complexity: a 20-character lowercase password is stronger than an 8-character password with all character types.

Should I use a password manager?

Absolutely. Generate a unique, strong password for every account using this tool, then store them all in a reputable password manager like Bitwarden, 1Password, or KeePass. A password manager means you only need to remember one strong master password. Never reuse passwords across sites: when one site gets breached, attackers try those credentials everywhere.

Common password mistakes

The most dangerous mistake is reusing passwords across multiple sites. Data breaches expose millions of credentials regularly, and attackers use automated tools to test stolen passwords against other services. Other common mistakes include using personal information (birthdays, pet names), using dictionary words with simple substitutions (p@ssw0rd), and writing passwords on sticky notes.

Frequently asked questions

Is this password generator truly random?

Yes. It uses the Web Crypto API (crypto.getRandomValues()), which is a cryptographically secure random number generator built into your browser. This is the same quality of randomness used to generate TLS session keys that protect your online banking.

How often should I change my passwords?

Current security guidance from NIST (National Institute of Standards and Technology) recommends against routine password rotation. Change your password only when you suspect it has been compromised, when a service reports a data breach, or when you want to upgrade a weak legacy password to a stronger one.