Password Generator & Strength Checker
Generate cryptographically secure passwords and check their strength. Uses Web Crypto API.
How to Use the Password Generator
- Set the length — use the slider to choose password length from 8 to 128 characters. 16+ is recommended.
- Select character types — enable uppercase, lowercase, digits, and symbols. More types mean higher entropy.
- Optionally exclude characters — remove ambiguous characters (0, O, l, 1, I) or specific characters that might cause issues in certain systems.
- Generate — click the button to create up to 20 passwords at once. Click any password to copy it.
- Check strength — the strength meter shows entropy, crack time, and a strength rating for each generated password.
Why Strong Passwords Matter
Weak passwords are the most common cause of account breaches. Attackers use automated tools to try billions of password combinations per second. A short or predictable password can be cracked in seconds, while a long, random password with mixed character types can take billions of years to brute-force even with the most powerful hardware.
Understanding Password Entropy
Entropy is a measure of randomness or unpredictability. For a randomly generated password, entropy is calculated as log2(charset_size ^ length). For example, a 16-character password using uppercase, lowercase, digits, and symbols (94 possible characters) has log2(94^16) ≈ 105 bits of entropy. As a general guideline:
- Below 40 bits — Weak. Can be cracked in seconds to minutes.
- 40-60 bits — Fair. Might resist casual attacks but vulnerable to determined attackers.
- 60-80 bits — Good. Resistant to most brute-force attacks.
- 80-100 bits — Strong. Would take many years to crack with current hardware.
- 100+ bits — Very strong. Effectively uncrackable by brute force.
Cryptographic Security
This tool uses crypto.getRandomValues(), the Web Crypto API's cryptographically secure random number generator. Unlike Math.random(), which uses a predictable pseudo-random algorithm, crypto.getRandomValues() draws from your operating system's entropy pool, making the output truly unpredictable and suitable for security-sensitive applications.
Password Best Practices
- Use a password manager — store unique passwords for every account
- Never reuse passwords — one breach exposes all accounts with the same password
- Enable two-factor authentication — adds a second layer even if your password is compromised
- Avoid personal information — names, dates, and dictionary words are easily guessed
- Longer is better — length contributes more to entropy than complexity
How Crack Time Is Calculated
The crack time estimate assumes a brute-force attack at 10 billion guesses per second, which represents a realistic capability for a well-funded attacker using modern GPU clusters. The total keyspace is calculated as charset_size ^ password_length, and the average time to crack is half the time to exhaust the entire keyspace. For a 16-character password using the full 94-character printable ASCII set, the keyspace is approximately 3.7 x 10^31 — far beyond what any brute-force attack can feasibly cover.
Excluding Ambiguous Characters
Some characters look nearly identical in certain fonts, which can cause problems when passwords need to be manually typed or read aloud. The ambiguous character exclusion removes the easily confused groups 0 (zero) and O (uppercase O), and l (lowercase L), 1 (one), and I (uppercase I). This is especially useful for shared passwords, temporary access codes, or any situation where the password might be communicated verbally or displayed in a font where these characters are hard to distinguish.
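The sections above on entropy, crypto.getRandomValues(), crack time and character exclusion fit together as in the following sketch. It is an added example, not this tool's source code: the function names, the symbol set and the rejection-sampling step (used so that mapping random bytes onto the charset is not biased toward some characters) are assumptions.

```javascript
// Added example; all names are hypothetical and not taken from the tool.
// Browsers and current Node.js expose globalThis.crypto; the require() is a fallback for older Node.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const SETS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // 32 printable ASCII symbols
};
const AMBIGUOUS = '0Ol1I'; // the characters this page lists as ambiguous

// Effective charset after exclusions; entropy must be computed on this size.
function buildCharset(types, excludeAmbiguous = false, extraExclude = '') {
  const drop = new Set((excludeAmbiguous ? AMBIGUOUS : '') + extraExclude);
  const chars = types.map((t) => SETS[t]).join('');
  return [...new Set(chars)].filter((c) => !drop.has(c)).join('');
}

// Uniform index in [0, n): bytes in the incomplete top range are discarded so
// that `byte % n` does not favour low indices (assumes n <= 256).
function randomIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, charset) {
  if (charset.length < 2) throw new RangeError('charset too small');
  let out = '';
  for (let i = 0; i < length; i++) out += charset[randomIndex(charset.length)];
  return out;
}

// log2(charset_size ^ length), computed as length * log2(charset_size) to avoid overflow.
const entropyBits = (length, charsetSize) => length * Math.log2(charsetSize);

// Average brute-force time in seconds: half the keyspace at 10 billion guesses per second.
const avgCrackSeconds = (bits, guessesPerSec = 1e10) => 2 ** (bits - 1) / guessesPerSec;
```

Excluding the five ambiguous characters shrinks the charset from 94 to 89, so a 16-character password drops from about 105 to about 104 bits; the meter should always use the effective charset size.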