Password Generator — Create Strong Random Passwords Instantly

Generate passwords that are actually hard to crack. Pick your length, choose your character types, and get a cryptographically random result in one click. Everything happens in your browser — we never see your passwords.

Tip: Use at least 16 characters with a mix of uppercase, lowercase, numbers, and symbols for maximum security.

How Password Security Actually Works

Password strength comes down to one thing: entropy — the number of possible combinations an attacker has to try. A 12-character password using lowercase only has about 56 bits of entropy (26^12 combinations). Add uppercase, numbers, and symbols, and those same 12 characters jump to ~79 bits (95^12). That's the difference between crackable in hours and crackable in centuries.

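The math is simple: entropy = length × log2(character pool size). This holds only when every character is chosen uniformly at random; a password built from words or predictable patterns has far less entropy than its length suggests. A 16-character password with the full 95-character ASCII set gives you ~105 bits of entropy. For reference, Bitcoin private keys use 256 bits. Your Netflix password doesn't need to be that strong, but your master password should have at least 80 bits.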

NIST Special Publication 800-63B (the US government's digital identity guidelines, last updated 2024) dropped the old "change every 90 days" advice. Their current recommendation: make passwords long (minimum 8, prefer 15+), don't force arbitrary complexity rules, and check against known breached password lists. Length beats complexity every time.

How to Use

  1. Set your length — 16 characters is a good default for most accounts.
  2. Toggle character types on/off. Leave all four on unless a site has weird restrictions.
  3. Hit Generate. The password is created using crypto.getRandomValues() — not Math.random().
  4. Copy it and store it in your password manager. Don't try to memorize random passwords.

When You'll Use This

Setting up a new account

Generate a unique 16-20 character password, paste it into the signup form, and save it in your password manager. Takes 10 seconds and you never have to think about it again.

Creating API keys and tokens

Need a random string for an API secret, webhook signing key, or JWT secret? Generate a 32-64 character string with all character types. It's not technically a "password" but the generation method is the same.

WiFi password for guests

Generate a 10-12 character password without ambiguous characters (no 0/O, 1/l/I) so people can actually type it from a printed card on your router.

Replacing a breached password

Got a "your password appeared in a data breach" notification from HaveIBeenPwned or your browser? Generate a replacement immediately. Don't just add a "2" at the end of the old one.

What Actually Matters for Password Security

1. Length > complexity, always

"Tr0ub4dor&3" (11 chars, looks complex) has about 28 bits of entropy because it's based on a dictionary word with predictable substitutions. "correct horse battery staple" (28 chars, all lowercase) has ~44 bits. A random 16-char string with all character types? ~105 bits. Don't confuse "hard to remember" with "hard to crack."

2. Use a password manager — seriously

If you're generating random passwords (and you should be), you can't memorize them. Use 1Password, Bitwarden, or KeePass. Your master password is the ONE password you memorize — make it a long passphrase (5+ random words).

3. Never reuse passwords across sites

When LinkedIn gets breached (it did, 117 million passwords leaked in 2012), attackers try those credentials on every other site. If your LinkedIn password was also your Gmail password, you just lost your email. Unique passwords per site is non-negotiable.

4. Enable 2FA on anything important

Even a perfect password can be phished. Two-factor authentication (TOTP apps like Authy, or hardware keys like YubiKey) means a stolen password alone isn't enough. Enable it on email, banking, and cloud accounts at minimum.

Example Outputs

Standard strong password (16 chars, all types)

Good for most online accounts. ~105 bits of entropy.

Input

Length: 16, Uppercase: ✓, Lowercase: ✓, Numbers: ✓, Symbols: ✓

Output

k7#Qm9$vLx2&pN4w

WiFi-friendly password (12 chars, no ambiguous)

Easy to read and type from a printed card. Excludes 0/O/l/1/I.

Input

Length: 12, Uppercase: ✓, Lowercase: ✓, Numbers: ✓, Symbols: ✗, Exclude ambiguous: ✓

Output

Kx7mR4nP9wBt

Features

  • Uses crypto.getRandomValues() — not Math.random() (which is predictable)
  • Adjustable length from 8 to 64 characters
  • Toggle uppercase, lowercase, numbers, symbols independently
  • Strength meter shows actual entropy in bits
  • One-click copy — password never touches your clipboard history
  • Runs offline after page load — zero network requests

Frequently Asked Questions

How long should my password be in 2026?

16 characters minimum for important accounts (email, banking). 12 is acceptable for low-value accounts. If a site caps you at 8 characters (some banks still do this), that's a red flag about their security practices, but use the max they allow with all character types.

Is a passphrase better than a random password?

For your master password (the one you memorize), yes — "correct horse battery staple" style passphrases are easier to remember and can be very strong if you use 5+ truly random words. For everything else, let your password manager generate and store random strings.

Why does the strength meter say "weak" for my 8-character password?

An 8-character password with all character types has ~52 bits of entropy. Modern GPUs can test billions of hashes per second. At that rate, 52 bits can be brute-forced in hours to days depending on the hashing algorithm. 80+ bits is where you want to be.

Can this tool generate passwords that meet specific site requirements?

Yes — toggle the character types to match whatever rules the site enforces. If they require "at least one uppercase, one number, one symbol," keep all types enabled and regenerate until the output satisfies the rules (usually first try with 12+ chars).
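The generation step from How to Use (crypto.getRandomValues() rather than Math.random()) and the regenerate-until-compliant approach in this answer, sketched as an added example. It is not this tool's actual source; the function names, option names and the 26-character symbol set are assumptions.

```javascript
// Added example, not the page's own source. Browsers expose globalThis.crypto;
// the fallback covers older Node.js runtimes.
const webCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : null);

const CLASSES = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.<>?/', // assumed symbol set (26 characters)
};
const AMBIGUOUS = /[0O1lI]/g; // the 0/O, 1/l/I set the page excludes

// Character sets for the enabled classes, optionally without ambiguous glyphs.
function enabledSets(opts) {
  const strip = (s) => (opts.excludeAmbiguous ? s.replace(AMBIGUOUS, '') : s);
  return Object.keys(CLASSES).filter((k) => opts[k]).map((k) => strip(CLASSES[k]));
}

// Uniform index in [0, n) by rejection sampling: a plain `byte % n` would
// favour low indices whenever 256 is not a multiple of n.
function randomIndex(n) {
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  do { webCrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generate(length, opts) {
  const pool = enabledSets(opts).join('');
  if (!pool) throw new RangeError('enable at least one character class');
  return Array.from({ length }, () => pool[randomIndex(pool.length)]).join('');
}

// entropy = length x log2(pool size), the formula from the page.
function entropyBits(length, opts) {
  return length * Math.log2(enabledSets(opts).join('').length);
}

// Regenerate until every enabled class appears at least once. Discarding
// non-compliant outputs shrinks the space slightly, so entropyBits() is an upper bound.
function generateCompliant(length, opts) {
  const sets = enabledSets(opts);
  if (length < sets.length) throw new RangeError('length too short for policy');
  for (;;) {
    const pw = generate(length, opts);
    if (sets.every((set) => [...pw].some((ch) => set.includes(ch)))) return pw;
  }
}
```

With this assumed 88-character pool, a 16-character result carries about 103 bits rather than the ~105 quoted for the full 95-character set.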

Should I still change passwords every 90 days?

No. NIST dropped that recommendation years ago. Forced rotation leads to weaker passwords (people just increment a number). Change passwords only when: (1) you suspect a breach, (2) a service notifies you of a compromise, or (3) you shared it with someone who no longer needs access.

Tips & Related Workflows