logo
GeekFormat

Password Generator

0
Password length
16chars
64
Included character sets
Batch generation

Free online password generator using Web Crypto CSPRNG for strong random passwords, passphrases, and PINs. Strength detection, ambiguous char exclusion, batch export. Browser-local.

Related

Use Cases

  • Generate strong random passwords for new accounts, check entropy and crack time
  • Batch-generate temporary credentials for teams or test environments
  • Generate memorable passphrases for Wi-Fi or device passwords
  • Set device PINs, initialize admin accounts, or reset passwords
  • Replace weak, human-created passwords with strong random ones

Features

  • CSPRNG generation: uses browser Web Crypto (crypto.getRandomValues) for cryptographically secure randomness
  • Three modes: Random password, Memorable passphrase (word combination), Numeric PIN
  • Full strength meter: character pool size, entropy, weak password detection, sequential/repeated char risk, brute-force time estimate
  • Exclude ambiguous: optionally skip 0/O/1/l/I for manual entry scenarios
  • Batch generation: generate 5/10/20 passwords at once with TXT download
  • Local-only: all generation and analysis happens in browser, no data uploaded

How to Use

  1. Select mode: Random, Passphrase, or PIN
  2. Set length, character options (16+ recommended), optionally exclude ambiguous chars
  3. Review strength: entropy, crack time estimate, weak password detection
  4. Copy or batch export to TXT for registration/reset/distribution

FAQ

Why Web Crypto API instead of Math.random()?

Math.random() is a general PRNG not designed for security — its internal state can potentially be reverse-engineered. crypto.getRandomValues() uses the OS-level CSPRNG, producing unpredictable randomness suitable for passwords and keys.

Do passwords get uploaded to a server?

No. All passwords are generated locally in your browser. Strength analysis, entropy calculation, and crack time estimation all run client-side. DevTools Network tab confirms zero requests.

How long should a password be?

At least 12 characters with mixed case, digits, and symbols. A 16-character random password would take billions of years to brute-force at modern speeds. See the crack time table above.

Random password vs memorable passphrase?

Per-character, random passwords have higher entropy. But passphrases (4-6 truly random words) achieve 60+ bits of entropy and are much easier to remember. The key is truly random word selection, not self-invented phrases.

Why exclude ambiguous characters (0/O/1/l/I)?

These look similar in many fonts and cause input errors. If passwords are typed manually, read over phone, or printed, exclude them. If used only via password manager, keep all characters for higher entropy.

Is rotating passwords more secure?

Per NIST SP 800-63B, regular password rotation is NO longer recommended unless compromise is confirmed. Forced rotation leads users to choose weak passwords or write them down. Better: long random passwords + password manager + 2FA.

What is password entropy?

Entropy measures unpredictability in bits. Entropy = log₂(character_pool_size ^ length). A 16-char password from 94 printable ASCII chars has ~104 bits, meaning an attacker averages 2¹⁰³ guesses — about 200 billion years at 1 trillion guesses/sec.

What is a Secure Password Generator?

A password generator creates random, unpredictable passwords. Unlike human-chosen passwords, a true generator uses a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) to randomly select characters from a specified pool, avoiding predictable human patterns (name+birthday, keyboard sequences like qwerty, company+year), drastically reducing risk from dictionary attacks and credential stuffing.

**Why not Math.random()?** General PRNGs have internal state that can be reverse-engineered from small outputs, allowing attackers to predict future "random" numbers. This tool uses the browser Web Crypto API — backed by OS-level CSPRNGs (Linux getrandom, macOS SecRandomCopyBytes, Windows BCryptGenRandom) that pass cryptographic randomness tests.

**Entropy is the core of password strength**: Entropy = log₂(N^L) bits, where N = character pool size and L = length. A 16-char password from 94 printable ASCII chars has ~104 bits — averaging 2¹⁰³ guesses to crack, or about 200 billion years at 1 trillion guesses/sec.

**Passphrases** made of multiple randomly chosen words (like Brave-Cloud-Star42) look "simpler" but achieve 60+ bits when words are truly random — enough for most scenarios, and much easier to remember than random-character passwords. This is the Diceware / XKCD #936 approach.

All passwords are generated locally in your browser with zero upload. The tool also provides strength detection: entropy calculation, brute-force time estimation, and weak pattern detection (repeated chars, sequential digits/letters, common password matching).

术语表

CSPRNG
Cryptographically Secure Pseudo-Random Number Generator. Produces unpredictable output that passes rigorous randomness tests; even knowing many past outputs does not reveal future ones.
Password Entropy
Measures unpredictability in bits. Formula: log₂(N^L). 60+ bits = secure; 100+ bits = extremely strong.
Brute Force Attack
Trying all possible character combinations. Defended by using long random passwords that make combinations physically uncountable.
Dictionary Attack
Using lists of common passwords (123456, password, qwerty) to guess credentials. Much faster than brute force; random passwords are immune.
Credential Stuffing
Using leaked username/password pairs from one site to attempt login on others. Defended by unique passwords per site and checking Have I Been Pwned.
Passphrase
A password made of multiple random words. Easier to remember with high entropy when words are truly random (Diceware method).
Diceware
Arnold Reinhold's 1995 method using 5 dice rolls to pick words from a 7776-word list. 6 Diceware words ≈77 bits of entropy.
NIST SP 800-63B
NIST digital identity guidelines — the authoritative reference for password security. Since 2017, it no longer recommends regular rotation or mandatory special characters, emphasizing length, breached-password screening, and MFA.
2FA/MFA
Two-Factor / Multi-Factor Authentication requires a second factor beyond password (TOTP, hardware key). NIST recommends 2FA on all important accounts.
Breached Password Blacklist
Lists of publicly known compromised/common passwords (123456, password, admin, qwerty). NIST recommends checking against such lists at registration/password change.

Password Length vs Crack Time (upper+lower+digits+symbols)

LengthEntropy(bit)CombinationsCrack Time (1T guesses/sec)Rating
6 chars~37~139 billion< 1 second❌ Very weak
8 chars~52~2.2×10¹⁴~2.5 days❌ Weak
10 chars~65~3.7×10¹⁸~116 years⚠️ Fair
12 chars~78~6.1×10²²~1.9 million years✅ Strong
16 chars~104~6.3×10³⁰~200 billion years✅✅ Very strong
20 chars~131~6.7×10³⁸Trillions of universe ages✅✅✅ Unbreakable

Three Password Modes Comparison

ModeExampleTypical EntropyMemorabilityBest For
Random PasswordxK9#mP2$vL8@nQ4!~6.5bit/charPoorPassword-manager stored main passwords, DB passwords, API keys
Memorable PassphraseBrave-Cloud-Star42~10bit/wordGoodWi-Fi passwords, login passwords requiring manual entry
Numeric PIN4829173.3bit/digitGoodDevice lock screen, bank card PIN, one-time codes

Authoritative References