Generate cryptographically strong passwords using your browser's secure random number generator. Passwords are never sent to any server.
In an era of widespread data breaches, reused credentials, and sophisticated phishing attacks, password security is more important than ever. Understanding what makes a password strong — and why — helps you make better security decisions across all your accounts.
For a randomly generated password, strength is determined by two factors: its length and the size of the character set each position is drawn from. Together they fix the total number of possible passwords, called the search space. A larger search space means an attacker who cannot predict your choice must try more guesses (on average, half the space) before succeeding.
The standard measure of this unpredictability is entropy, expressed in bits: entropy = length × log₂(charset size). Each additional bit doubles the search space.
For example, a 16-character password using all four character types (uppercase, lowercase, numbers, symbols, a charset of 95 characters) has approximately 16 × log₂(95) ≈ 105 bits of entropy. At 10 billion guesses per second, exhausting that space would take on the order of 10¹⁴ years, far longer than the age of the universe.
Many people think a short but complex password like "P@ssw0rd" is secure. It's not. At 8 characters, even using all character types, there are only 95⁸ ≈ 6.6 × 10¹⁵ (6.6 quadrillion) combinations. At 10 billion guesses per second that is about a week of exhaustive search, and a GPU rig testing a fast unsalted hash at hundreds of billions of guesses per second finishes in hours. "P@ssw0rd" itself is worse still: it appears in every cracking wordlist, so a dictionary attack finds it instantly without any brute force. Meanwhile, a 20-character lowercase-only password has 26²⁰ ≈ 1.99 × 10²⁸ combinations, which at the same 10 billion guesses per second would take over 60 billion years.
The exponential nature of the math means each additional character multiplies the search space by the charset size. Adding one random character to a 95-charset password multiplies the difficulty by 95x, whereas adding a sixth symbol class to an 8-character password barely moves it. This is why security experts consistently recommend length above all else, provided the added characters are random rather than a predictable suffix such as "123".
A passphrase is a sequence of random words, popularized by the famous xkcd comic "correct horse battery staple." Four random common English words drawn from a 2,000-word list give you log₂(2000⁴) ≈ 44 bits of entropy, weaker than a long random password but far easier to remember. That count already assumes the attacker knows the word list; the secrecy lives in the selection, not the list. A larger list and more words close the gap: the 7,776-word Diceware list yields about 12.9 bits per word, so six Diceware words give roughly 77 bits.
For accounts you type manually and frequently, passphrases are an excellent choice. For accounts managed by a password manager (which is most accounts), use the longest fully random password the site allows.
Key distinction: the words must be truly random (dice rolls or a generator, not chosen by you). Human-chosen "random" words are highly predictable — dictionary attacks exploit this ruthlessly.
This generator uses the browser's crypto.getRandomValues() API rather than Math.random(). The difference is critical: Math.random() is a pseudorandom number generator (PRNG) that was never designed to be unpredictable. Its internal state is small enough to be recovered from a handful of observed outputs, and some engines have seeded it from predictable values such as the clock, so an attacker who can observe or guess its state can dramatically narrow the search space. crypto.getRandomValues() draws from the operating system's cryptographically secure random number generator, which is seeded from hardware and environmental noise and is designed so that past and future outputs cannot be inferred from any observed value.
Characters like uppercase O and zero (0), lowercase l, number 1, uppercase I and the vertical bar (|) can be visually indistinguishable depending on the font. If you ever need to read or type a password manually, for example on a smart TV or shared device, excluding these characters eliminates transcription errors. The security tradeoff is minor: removing 5–6 characters from a 95-character set reduces entropy by less than 0.1 bits per character, about 1.5 bits over a 16-character password, which one extra character more than recovers.
The only secure way to use unique, long, complex passwords on every site is a password manager. Without one, humans inevitably reuse passwords — and password reuse is one of the leading causes of account takeovers via credential stuffing attacks, where leaked credentials from one breach are tried against hundreds of other sites.
The crack time shown by this tool assumes an offline brute-force attack at 10 billion (10¹⁰) guesses per second, a rate a small rig of modern GPUs reaches against fast unsalted hashes such as MD5 or NTLM. Real-world attack speed varies enormously: a deliberately slow password hash such as bcrypt or Argon2 with a sensible cost factor drives the rate down to thousands or tens of thousands of guesses per second per GPU, while a cluster attacking unsalted MD5 or NTLM can test hundreds of billions per second. The estimate is also for exhausting the whole space; on average the attacker succeeds after half of it. Use the crack time estimate as a relative measure, not an absolute guarantee.
Online attacks (against a live login form) are rate-limited and typically reach only 10–1,000 guesses per second. Even a mediocre random 8-character password holds up against online guessing where lockout and rate limiting are enforced. A password that appears in a leaked-password list does not, because password spraying tries the few most common passwords against many accounts and never trips a per-account lockout. The real risk for a random password is offline cracking after a breach of the site's password database.