Strong, secure passwords — generated locally in your browser
A strong password has three properties: it is long, it uses a large character set, and it is unpredictable. Each of these multiplies the number of guesses an attacker needs to crack it.
Length is the single most important factor. Adding one character to a password multiplies the cracking time by the size of the character set — roughly 26× for lowercase-only, 62× for mixed alphanumeric, and 95× for full printable ASCII. Going from 12 to 16 characters makes a password billions of times harder to crack.
Predictability is the second failure mode. Passwords like P@ssw0rd or Summer2024! feel complex but appear in every attacker's dictionary. True strength requires randomness — which is why this tool uses your browser's cryptographic random number generator rather than a predictable algorithm.
Entropy, measured in bits, is the mathematical measure of password unpredictability. Each additional bit doubles the number of possible combinations. The formula is: entropy = length × log₂(character set size).
| Password type | Char set | 12 chars | 16 chars | 20 chars |
|---|---|---|---|---|
| Lowercase only | 26 | 56 bits | 75 bits | 94 bits |
| Mixed case + numbers | 62 | 71 bits | 95 bits | 119 bits |
| Full printable ASCII | 95 | 79 bits | 105 bits | 131 bits |
Security researchers generally consider 60 bits the practical minimum for a secure password, 80 bits strong, and 100+ bits extremely strong. At 100 bits of entropy, cracking the password would take longer than the age of the universe even with the most powerful hardware available today.
A random character password like kX#7mQpL9vRn is compact and very strong for its length, but nearly impossible to memorize. It's the right choice when you're storing it in a password manager and will never need to type it manually.
A memorable password — several random words joined together like solar-drift-noble-482 — is easier to type and remember. Enable the Memorable toggle above to generate passwords in this format. Three or four random words with a number gives reasonable entropy and is far stronger than any human-chosen phrase.
The critical word in both cases is random. A phrase you chose yourself (ilovemydog2015) is not a passphrase — it's a weak password that appears in dictionary attack lists. True strength comes from random selection, which is exactly what this generator provides.
When a website is breached, attackers obtain lists of email addresses and passwords. They then run automated software that tries those same pairs against hundreds of other sites — banks, email providers, shopping sites, social networks. This is called credential stuffing, and it works because most people reuse passwords.
It's not hacking in the dramatic sense — it's simply trying known passwords at scale. If your password for a breached forum is the same as your banking password, both accounts are now compromised.
The only defence is a unique password on every site. You can check whether your email has appeared in known breaches at haveibeenpwned.com.
This password generator uses crypto.getRandomValues() — the Web Cryptography API built into all modern browsers — to produce cryptographically secure random passwords. No passwords are sent to any server or stored anywhere. The strength meter calculates entropy based on the detected character pool and password length. Memorable mode uses a curated word list with a random separator and three-digit number suffix.