Password Generator

Strong, customizable, generated entirely in your browser. Nothing transmitted anywhere.

📖 Read the full guide: Password Security: Length Beats Complexity In-depth article explaining the math and real-world context.

What Makes a Password Actually Strong

Strength comes from exactly two things: entropy (the number of possible combinations an attacker would have to try) and uniqueness (it's not used anywhere else). Length and randomness drive entropy. Reuse — even of a strong password — destroys it.

A 16-character random password drawn from 94 printable characters has 94^16, roughly 10^31, possible combinations, which is about 105 bits of entropy (16 × log2 94 ≈ 104.9). An attacker running a billion guesses per second would need on the order of 10^15 years to try them all. The universe is about 1.4 × 10^10 years old. Faster hardware moves the guess rate by a few orders of magnitude; it does not close a gap of twenty. So the arithmetic does protect a properly long, random password against guessing. It offers nothing against a password that is phished, captured by malware, or reused on a site that later leaks it, which is why uniqueness is the second half of the definition.

How Long Does It Take to Crack a Password?

Modern GPU rigs test hundreds of billions of guesses per second against fast, unsalted hashes such as MD5 and NTLM, but only thousands to millions per second against a deliberately slow hash such as bcrypt. Which hash the breached site used is the single biggest factor in the numbers below:

Password type | Example | Brute-force time (modern hardware, full keyspace)
6 lowercase letters | kitten | Instant
8 mixed case + numbers | Kitten23 | ~1 hour
10 mixed case + numbers + symbols | K1tten!234 | ~5 years
12 random characters, 4 classes | x7K!nP$2qLw# | ~3 thousand years
16 random characters, 4 classes | x7K!nP$2qLw#m9R@ | ~10^15 years
20 random characters, 4 classes | Kj#9$mP2!qL@xN8&wR3* | Effectively forever

Figures from Hive Systems' 2024 password table, which assumes bcrypt at cost 5 and an attacker who has to search the whole keyspace. For unsalted MD5 (still used by some legacy systems) divide every time by roughly 10^6. Treat each row as an order of magnitude rather than a precise value. Note also that the first three rows are a dictionary word with common mangling: a wordlist-plus-rules attack reaches those in minutes to hours, not the years brute force would take, which is the subject of the Common Password Mistakes section below.
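The arithmetic behind every row in that table is keyspace divided by guess rate. The following is an added example, not the generator's own code, that computes entropy and exhaustive-search time for the table's rows at two assumed guess rates (the 10^6 and 10^12 guesses per second are round order-of-magnitude figures for a multi-GPU rig against bcrypt and unsalted MD5, not measurements of any specific hardware). The same formula covers a word-based passphrase if you treat the word list as the alphabet.

```javascript
// Added example (not the generator's own code): entropy and brute-force
// time for uniformly random passwords. The guess rates are assumed round
// numbers for a multi-GPU rig, not measurements of any particular hardware.

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Entropy in bits of `length` symbols drawn uniformly from an alphabet of
// `alphabetSize`: length * log2(alphabetSize). A Diceware passphrase uses
// the same formula with the word list as the alphabet (7776 words) and the
// word count as the length.
function entropyBits(length, alphabetSize) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError("length must be >= 1");
  if (!Number.isInteger(alphabetSize) || alphabetSize < 2) throw new RangeError("alphabet needs >= 2 symbols");
  return length * Math.log2(alphabetSize);
}

// Years needed to try every password of `bits` entropy at `guessesPerSecond`.
// The expected time to hit one specific password is half of this.
function exhaustYears(bits, guessesPerSecond) {
  if (!(guessesPerSecond > 0)) throw new RangeError("rate must be positive");
  return Math.pow(2, bits) / guessesPerSecond / SECONDS_PER_YEAR;
}

// Render a duration in the unit a reader can picture.
function describeYears(years) {
  const seconds = years * SECONDS_PER_YEAR;
  if (seconds < 1) return "instant";
  if (seconds < 3600) return `${seconds.toFixed(0)} seconds`;
  if (seconds < 86400) return `${(seconds / 3600).toFixed(1)} hours`;
  if (years < 1) return `${(seconds / 86400).toFixed(1)} days`;
  if (years < 1e6) return `${Math.round(years)} years`;
  return `${years.toExponential(1)} years`;
}

// Assumed order-of-magnitude guess rates for one rig. The hash function the
// site chose moves the rate by about six orders of magnitude, which is the
// single biggest factor in every "time to crack" table.
const ASSUMED_RATES = {
  "bcrypt (slow hash)": 1e6,
  "unsalted MD5 (fast hash)": 1e12,
};

// The rows of the table above as [label, length, alphabet size].
const ROWS = [
  ["6 lowercase", 6, 26],
  ["8 mixed case + digits", 8, 62],
  ["10 chars, 4 classes", 10, 94],
  ["12 chars, 4 classes", 12, 94],
  ["16 chars, 4 classes", 16, 94],
  ["20 chars, 4 classes", 20, 94],
];

// Build the comparison as data (so it can be checked), then print it.
function crackTimeTable(rows = ROWS, rates = ASSUMED_RATES) {
  return rows.map(([label, length, size]) => {
    const bits = entropyBits(length, size);
    const times = {};
    for (const [name, rate] of Object.entries(rates)) {
      times[name] = describeYears(exhaustYears(bits, rate));
    }
    return { label, bits: Number(bits.toFixed(1)), ...times };
  });
}

console.table(crackTimeTable());
```

Run it and compare the two rate columns: the same password moves from "effectively forever" to "hours" purely because of the hash the site chose, which is why a leaked bcrypt database and a leaked MD5 database are very different events.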

The Real Threat: Database Breaches and Credential Stuffing

The most common way passwords actually get compromised isn't brute force. It's database leaks from breached websites. Once a database is leaked, attackers crack the password hashes offline (or simply read them, if the site stored them in plaintext) and then try those email/password combinations against every other site: banking, email, shopping. This is called credential stuffing, and it is one of the leading sources of account takeovers worldwide.

Case Study — Major Breaches You've Probably Been In

Five of the largest known password leaks

Service | Year | Accounts exposed | Notes
Yahoo | 2013–2014 | 3 billion | Every account that existed at the time
RockYou2024 (combined dump) | 2024 | 10 billion | Compilation of earlier breaches rather than a single incident; largest plaintext-password collection ever published
LinkedIn | 2012 (full dump surfaced 2016) | 165 million (117 million with password hashes) | Unsalted SHA-1; most hashes cracked within days of the dump appearing
Facebook | 2019 (published 2021) | 533 million | Scraped profile data: phone numbers, emails, names; no passwords
Adobe | 2013 | 153 million | Passwords encrypted with 3DES in ECB mode rather than hashed, so identical passwords had identical ciphertext, plus plaintext password hints

If you have ever used an online service over the past decade — and you have — your email and at least one password you used at some point are almost certainly in a breach dump. Check yours at haveibeenpwned.com. The site is run by security researcher Troy Hunt and is the standard reference for breach exposure.

The Statistic That Should Scare You

Verizon's annual Data Breach Investigations Report has for years pointed at the same root cause: roughly 80% of hacking-related breaches involve stolen or weak credentials. A large share of those succeed because a user reused a password across sites. The attacker doesn't need to crack your bank password; they buy a list of breached Netflix credentials on a dark-web forum and try them on every bank login form until one works.

Most-used passwords in 2024 (NordPass annual analysis):

  1. 123456 — used by 4.5 million people; cracked in <1 second
  2. 123456789 — 1.4 million
  3. password — 1.1 million
  4. qwerty123 — 600 thousand
  5. 12345678 — 580 thousand

If your password is on this list, change it immediately. If it has even a passing resemblance to one of these, change it too.

The 3 Rules That Actually Matter

  1. Length over complexity. Each additional random character drawn from the 94 printable characters adds about 6.5 bits of entropy, so a 20-character random password is far stronger than a 10-character one with five special characters. Always go for length.
  2. Unique per site. If your email password leaks, the only damage should be your email. The attacker should not be able to log in to your bank with the same credentials.
  3. Use a password manager. No human can remember 80+ unique 20-character random passwords. A password manager does it for you. Trying to memorize them is how you end up reusing them.

Password Managers — The Right Tool for the Job

A modern password manager generates random passwords, stores them encrypted, fills them automatically in browsers and apps, and warns you if any of your stored passwords have appeared in a known breach. Recommended options:

  • Bitwarden — open source, free tier is generous, audited. Good default for most people.
  • 1Password — slick UI, family plans, paid only. Best if you'll share with family/team.
  • KeePass / KeePassXC — local, open source, free. Best if you don't want anything in the cloud.
  • Built-in (Chrome / Safari / Firefox) — fine for casual users, but locks you into a browser ecosystem.

One master password unlocks everything. Make it a long passphrase you can actually remember. Four random words like correct horse battery staple give about 44 bits of entropy with the 2,048-word list the xkcd comic assumed, and about 52 bits with the 7,776-word Diceware list; six Diceware words give about 78 bits, which is comfortable for a vault an attacker could try to crack offline. And turn on 2FA on the password manager itself.

Two-Factor Authentication (2FA) — Even More Important Than Strong Passwords

Even a perfectly strong password can be stolen via phishing or malware. Two-factor authentication adds a second proof of identity — usually a 6-digit code from an authenticator app — that the attacker doesn't have. Microsoft's security team has stated publicly that 2FA blocks 99.9% of automated account-takeover attempts.

Priority order for enabling 2FA: email accounts → financial accounts → cloud storage → social media → everything else. Use an authenticator app (Authy, Google Authenticator, 1Password's built-in TOTP) instead of SMS where possible; SMS-based 2FA is vulnerable to SIM-swap attacks. Be aware that a six-digit code can still be relayed through a real-time phishing page, so where an account offers it, a hardware security key or a passkey (see the FAQ below) is the stronger choice.

Why This Generator Is Safe

Generation happens entirely in your browser using crypto.getRandomValues, the cryptographically secure random number generator built into every modern browser as part of the Web Crypto API. Nothing is transmitted to our server, nothing is logged, and nothing is stored after you close the tab. We can't see the passwords you generate because no code on this page sends them anywhere, and you can verify that yourself: open your browser's developer tools, watch the Network tab while you generate a few passwords, and read the page's scripts. That said, copy the password into a password manager immediately, don't leave the tab open with it visible, and remember that anything you copy stays on the clipboard until it is overwritten.

Common Password Mistakes

  • Substituting letters with similar-looking symbols (P@ssw0rd). Crackers know all the standard substitutions. They add no real entropy.
  • Adding a year or "!" to a known word (Summer2024!). Crackers iterate through years and trailing symbols automatically. This breaks in under a minute.
  • Using personal information (name, birthday, pet's name). All publicly available or guessable via social media.
  • Reusing a "strong" password everywhere. One breach compromises everything. Worse than a weak unique password per site.
  • Writing passwords on sticky notes / unencrypted text files. Defeats the point of having a password.
  • Storing passwords in browser without a master password. Anyone with physical access to your unlocked device gets your entire vault.
  • Forced rotation every 90 days. Research (and NIST's own guidelines) show this leads to weaker passwords because users iterate (Password1, Password2, Password3...). Only rotate when you have reason to suspect compromise.
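To make the first two mistakes concrete, here is an added example (not from the page) of a toy wordlist-plus-rules attack of the kind cracking tools run. The six-word list and the rule set are constructed for the demo and are minuscule next to real ones (rockyou.txt alone has over 14 million entries), yet they still reach P@ssw0rd, Kitten23, Summer2024! and a leet-plus-year variant in a few thousand guesses, while a 12-character random string is never produced. A real attacker compares hash(candidate) against the leaked hash; the comparison here is on the plaintext for brevity.

```javascript
// Added example (not from the page): a toy "wordlist + rules" attack. The
// word list and rules are constructed for the demo and are tiny compared
// with real ones. A real attacker compares hash(candidate) with the leaked
// hash; this demo compares plaintext to keep the focus on the rules.

const WORDLIST = ["password", "kitten", "summer", "welcome", "dragon", "monkey"]; // constructed

// Substitutions every rule set knows. Each subset of applicable positions
// is tried, so P@ssw0rd (a and o substituted, s left alone) is reached.
const LEET = { a: "@", e: "3", i: "1", o: "0", s: "$" };

function* leetVariants(word) {
  const positions = [...word].map((ch, i) => (LEET[ch] ? i : -1)).filter(i => i >= 0);
  for (let mask = 0; mask < (1 << positions.length); mask++) {
    const chars = [...word];
    positions.forEach((pos, k) => { if (mask & (1 << k)) chars[pos] = LEET[chars[pos]]; });
    yield chars.join("");
  }
}

// Suffix rules: nothing, common punctuation, years with and without "!",
// and every two-digit number.
function buildSuffixes() {
  const out = new Set(["", "!", "1", "123", "!1"]);
  for (let y = 1990; y <= 2030; y++) out.add(String(y)).add(`${y}!`).add(`!${y}`);
  for (let d = 0; d < 100; d++) out.add(String(d).padStart(2, "0"));
  return [...out];
}

function capitalize(w) { return w[0].toUpperCase() + w.slice(1); }

// Every candidate the rules produce, in the order a cracker would try them.
function* candidates(wordlist) {
  const suffixes = buildSuffixes();
  for (const base of wordlist) {
    for (const cased of [base, capitalize(base), base.toUpperCase()]) {
      for (const mangled of leetVariants(cased)) {
        for (const suffix of suffixes) yield mangled + suffix;
      }
    }
  }
}

// Count guesses until `target` is produced. `effectiveBits` is log2 of that
// count: the entropy the password actually had against this attacker.
function crack(target, wordlist = WORDLIST) {
  let guesses = 0;
  for (const candidate of candidates(wordlist)) {
    guesses += 1;
    if (candidate === target) return { found: true, guesses, effectiveBits: Math.log2(guesses) };
  }
  return { found: false, guesses, effectiveBits: null };
}

// What a naive "character classes x length" strength meter would report.
function naiveBits(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 32;
  return password.length * Math.log2(size);
}

for (const pw of ["P@ssw0rd", "Kitten23", "Summer2024!", "K1tten!2024", "x7K!nP$2qLw#"]) {
  const r = crack(pw);
  console.log(pw.padEnd(14), `naive ${naiveBits(pw).toFixed(1)} bits,`,
    r.found ? `cracked in ${r.guesses} guesses (~${r.effectiveBits.toFixed(1)} bits)`
            : `not found in ${r.guesses} guesses`);
}
```

The gap between the naive column and the effective column is the whole point: P@ssw0rd scores like a 52-bit password on a strength meter and behaves like a 13-bit one against an attacker who knows the substitutions.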

Frequently Asked Questions

How often should I change my passwords?

Only when there's a reason: a breach notification, a suspected compromise, or after sharing a password with someone who no longer needs it. Forced periodic rotation has been debunked as security theater; NIST SP 800-63B (2017) says verifiers should not require periodic changes and should force one only when there is evidence of compromise.

Is "correct horse battery staple" really safe?

A four-word random passphrase from the 7,776-word Diceware list has about 52 bits of entropy (4 × log2 7776). That is adequate for a master password when combined with a strong password manager and 2FA; six words (about 78 bits) is the safer choice for a vault an attacker could attack offline. For individual site passwords, longer random strings from a manager are still the standard.

What about biometric (Face ID / fingerprint) login?

Biometrics unlock the device or the password manager — they don't replace the password. They make using strong unique passwords easier because you authenticate once with your face/finger and the manager fills the actual password.

Should I include symbols and uppercase?

Yes for site passwords (more entropy per character, and some sites require it). For passphrases used as a manager's master password, length is more important than character classes.

Is HTTPS enough to protect my password during login?

HTTPS protects the password in transit. It does not protect against the site itself being hacked, the site storing passwords in plaintext, or you typing the password into a phishing page. Use unique passwords + 2FA so a single compromise doesn't cascade.

What's a passkey, and should I use it instead?

Passkeys are a newer standard (FIDO2/WebAuthn) that replaces passwords with a public/private key pair: the private key stays on your device and the site stores only the public key. They are phishing-resistant because the key is bound to the site's origin, so a lookalike domain cannot use it, and a breach of the site yields nothing an attacker can reuse. When a site offers a passkey, it's almost always the better choice. Major adopters: Apple, Google, Microsoft, GitHub, PayPal.

Why does my bank require dumb password rules (8-12 chars, no symbols)?

Legacy. Old systems were built around fixed-length database columns or password schemes that can't handle long inputs (bcrypt, for instance, silently ignores everything after the first 72 bytes, which is why some sites cap length there). It's bad security practice and is slowly being phased out, but you have to work within whatever the site allows.

Is the password I generate here logged anywhere?

No. Generation happens in your browser via the Web Crypto API. The text never leaves your device, and no analytics run on the generated values. Once you close the tab, the password is gone unless you saved it somewhere.