Password Generator

With modern GPU clusters capable of testing over 100 billion hashes per second against fast algorithms like MD5, an 8-character password using all character types can be cracked in under a day. A 12-character password of the same complexity would take roughly 170,000 years at that rate, and 16 characters pushes the estimate to over 18 quadrillion years. NIST SP 800-63B recommends a minimum of 8 characters but security practitioners widely advocate for 16 or more characters in 2026. For password manager master passwords and critical accounts, 20 or more characters provides an excellent safety margin against both current and foreseeable advances in computing power.

It depends on how the words are chosen. A four-word Diceware passphrase drawn from a 7,776-word list provides roughly 51.7 bits of entropy, equivalent to a 7-character random password using all 95 printable characters. For comparable strength to a 16-character random password (about 105 bits of entropy), you would need an 8-word passphrase. The advantage of passphrases is memorability, which reduces the temptation to reuse them. However, the words must be chosen randomly using dice or a generator, not selected by a human, because natural language patterns drastically reduce entropy. Self-composed phrases like "ilovemydog2024" are trivially cracked by dictionary attacks.

This tool uses crypto.getRandomValues(), the Web Crypto API built into all modern browsers. Unlike Math.random(), which uses a deterministic pseudo-random number generator that can be predicted if the internal state is known, the Web Crypto API draws entropy from the operating system's cryptographic random number generator (such as /dev/urandom on Linux or CryptGenRandom on Windows). This is the same randomness source used by TLS handshakes and SSH key generation. Additionally, the generator uses rejection sampling to eliminate modulo bias, ensuring each character in the pool has an exactly equal probability of being selected.

Including symbols expands the character pool from 62 (letters and digits) to 95 (all printable ASCII), increasing entropy per character from 5.95 to 6.57 bits. However, some services restrict which symbols are allowed, limit password length, or have input validation bugs that reject certain characters like backslashes or angle brackets. If a service rejects your password, try disabling symbols and increasing the length by 3 to 4 characters to compensate. A 20-character alphanumeric password (119 bits of entropy) is stronger than a 16-character password with symbols (105 bits), so length can always substitute for character diversity.

Use a dedicated password manager like Bitwarden, 1Password, or KeePass. These tools store your credentials in an AES-256 encrypted vault that is unlocked by a single master password. Never store passwords in plain text files, browser autofill without a master password, sticky notes, or unencrypted spreadsheets. After generating a password with this tool, copy it directly into your password manager's entry for the corresponding account. The session history shown on this page exists only in browser memory and is erased when you close the tab, so do not rely on it for long-term storage.

Credential stuffing is the most common attack vector for account takeovers. When a service is breached, attackers extract username-password pairs and automatically test them against hundreds of other services within hours. If you reuse a password, a breach at a low-security forum can cascade to your email, banking, and cloud storage accounts. Data from Have I Been Pwned shows that over 12 billion credentials have been exposed in known breaches. A unique password for every account ensures that a single breach is contained to that one service, limiting your exposure to the compromised account alone.