Password Generator
Generate strong, secure passwords with customisable length and character options. Uses cryptographically secure randomisation.
What Makes a Password Actually Strong
NIST's 2024 password guidance flipped decades of conventional wisdom: length matters far more than character complexity. A 16-character lowercase passphrase resists brute-force attacks better than an 8-character password with mixed cases, numbers and symbols. The Password Generator builds passwords from cryptographically secure randomness (Web Crypto API rather than Math.random), which is the difference between a password that's truly unguessable and one that has subtle patterns an attacker can exploit.
The actual numbers: a 12-character password with a 94-character set has 4.7 x 10^23 possible values, which a billion-attempt-per-second offline attack would take 14,000 years to exhaust. A 16-character lowercase-only password (26 characters) has 4.4 x 10^22 possibilities, also effectively unbreakable. Both are fine; both are vastly stronger than any password under 10 characters regardless of complexity.
Password Strength by Length and Character Set
| Length | Character Set | Possibilities | Brute-Force Time |
|---|---|---|---|
| 8 | Lowercase + numbers (36) | 2.8 x 10^12 | 47 minutes |
| 8 | All printable (94) | 6.1 x 10^15 | 70 days |
| 12 | Lowercase + numbers (36) | 4.7 x 10^18 | 150 years |
| 12 | All printable (94) | 4.7 x 10^23 | 14,000 years |
| 16 | Lowercase only (26) | 4.4 x 10^22 | 1,400 years |
| 16 | All printable (94) | 3.7 x 10^31 | 1.2 x 10^15 years |
Use a Password Manager, Not Your Memory
The reason NIST stopped recommending mandatory complexity rules is that they push users into reusing passwords (because complex passwords are hard to remember). The modern answer: a password manager (Bitwarden, 1Password, KeePassXC) generates and stores a unique 16+ character password for every site, and you only memorise the master password. The Password Generator is for the master password and for passwords you must enter manually (Wi-Fi keys, server logins, anything not in the manager).
Pair this with the [QR Code Generator](/qr-code-generator) if you need to share a Wi-Fi password as a printable QR code, and the [Robots.txt Generator](/robots-txt-generator) if you're hardening a site's server-side configuration alongside its access controls. Always enable two-factor authentication on accounts that support it; even a leaked password is useless without the second factor.
Frequently Asked Questions
How long should a password be?
12 characters minimum for general accounts, 16 or more for important accounts (email, banking, password manager master), 20+ for crypto wallets and high-value accounts. NIST's 2024 guidance allows passwords up to 64 characters and recommends length over complexity. A 16-character lowercase passphrase is stronger than a 10-character mix of cases, digits and symbols.
Are passwords with symbols stronger than letters and numbers?
Marginally, but length matters more. A 16-character lowercase password (26 character set) has more entropy than a 10-character all-printable-character password (94 character set). The reason complexity rules survived as long as they did is they made 8-character passwords slightly harder; the modern fix is just to make passwords longer.
What's the difference between Math.random and crypto.getRandomValues?
Math.random is a pseudo-random number generator that's not cryptographically secure: outputs follow patterns that an attacker can model. crypto.getRandomValues (Web Crypto API) produces cryptographically secure random bytes suitable for password generation, encryption keys and tokens. The Password Generator uses crypto.getRandomValues exclusively.
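Secure random bytes still have to be mapped onto the chosen character set without bias, or some characters appear more often than others. The sketch below is an added example, not the Password Generator's own code; the names `SETS`, `SIMILAR`, `buildAlphabet`, `randomIndex`, `generatePassword` and `entropyBits` are assumptions made for illustration.

```javascript
// Added example: unbiased password generation on top of crypto.getRandomValues.
// Browsers expose globalThis.crypto; the fallback covers older Node.js releases.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const SETS = { // hypothetical set names; together they form the 94 printable characters
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};
const SIMILAR = '0O1lI'; // the look-alike characters named in the FAQ

function buildAlphabet(names, excludeSimilar = false) {
  const chars = [...new Set(names.map((n) => SETS[n]).join(''))];
  return excludeSimilar ? chars.filter((c) => !SIMILAR.includes(c)) : chars;
}

// Uniform index in [0, n) by rejection sampling: bytes at or above the largest
// multiple of n that fits in 256 are discarded, so no character is favoured
// the way a plain `byte % n` would favour the low indices.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('size must be 1..256');
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, alphabet) {
  let out = '';
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Entropy of a uniformly random password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Demo: one 16-character password over all printable characters, with its entropy.
const printable = buildAlphabet(['lower', 'upper', 'digits', 'symbols']);
console.log(generatePassword(16, printable), entropyBits(16, printable.length).toFixed(1));
```
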
Should I include similar-looking characters?
Excluding similar characters (0/O, 1/l/I) makes passwords easier to read aloud or copy from a screen, at the cost of slightly less entropy. For a 16-character password the entropy reduction is about 5%, which is negligible. For passwords you'll dictate over the phone or read from a printed sheet, exclude similar characters; for passwords stored in a password manager and never seen again, include them.
Is it safe to generate passwords in a browser?
Yes, the Password Generator runs entirely client-side using crypto.getRandomValues. The generated password never leaves your device or hits any server. You can verify this by opening the browser's network tab and confirming there are no requests when you click 'Generate'. For maximum paranoia, generate passwords offline using a password manager's built-in generator.