Password Generator
Free online password generator using Web Crypto CSPRNG for strong random passwords, passphrases, and PINs. Strength detection, ambiguous char exclusion, batch export. Browser-local.
Free online password generator using Web Crypto CSPRNG for strong random passwords, passphrases, and PINs. Strength detection, ambiguous char exclusion, batch export. Browser-local.
Math.random() is a general PRNG not designed for security — its internal state can potentially be reverse-engineered. crypto.getRandomValues() uses the OS-level CSPRNG, producing unpredictable randomness suitable for passwords and keys.
No. All passwords are generated locally in your browser. Strength analysis, entropy calculation, and crack time estimation all run client-side. DevTools Network tab confirms zero requests.
At least 12 characters with mixed case, digits, and symbols. A 16-character random password would take billions of years to brute-force at modern speeds. See the crack time table above.
Per-character, random passwords have higher entropy. But passphrases (4-6 truly random words) achieve 60+ bits of entropy and are much easier to remember. The key is truly random word selection, not self-invented phrases.
These look similar in many fonts and cause input errors. If passwords are typed manually, read over phone, or printed, exclude them. If used only via password manager, keep all characters for higher entropy.
Per NIST SP 800-63B, regular password rotation is NO longer recommended unless compromise is confirmed. Forced rotation leads users to choose weak passwords or write them down. Better: long random passwords + password manager + 2FA.
Entropy measures unpredictability in bits. Entropy = log₂(character_pool_size ^ length). A 16-char password from 94 printable ASCII chars has ~104 bits, meaning an attacker averages 2¹⁰³ guesses — about 200 billion years at 1 trillion guesses/sec.
A password generator creates random, unpredictable passwords. Unlike human-chosen passwords, a true generator uses a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) to randomly select characters from a specified pool, avoiding predictable human patterns (name+birthday, keyboard sequences like qwerty, company+year), drastically reducing risk from dictionary attacks and credential stuffing.
**Why not Math.random()?** General PRNGs have internal state that can be reverse-engineered from small outputs, allowing attackers to predict future "random" numbers. This tool uses the browser Web Crypto API — backed by OS-level CSPRNGs (Linux getrandom, macOS SecRandomCopyBytes, Windows BCryptGenRandom) that pass cryptographic randomness tests.
**Entropy is the core of password strength**: Entropy = log₂(N^L) bits, where N = character pool size and L = length. A 16-char password from 94 printable ASCII chars has ~104 bits — averaging 2¹⁰³ guesses to crack, or about 200 billion years at 1 trillion guesses/sec.
**Passphrases** made of multiple randomly chosen words (like Brave-Cloud-Star42) look "simpler" but achieve 60+ bits when words are truly random — enough for most scenarios, and much easier to remember than random-character passwords. This is the Diceware / XKCD #936 approach.
All passwords are generated locally in your browser with zero upload. The tool also provides strength detection: entropy calculation, brute-force time estimation, and weak pattern detection (repeated chars, sequential digits/letters, common password matching).
| Length | Entropy(bit) | Combinations | Crack Time (1T guesses/sec) | Rating |
|---|---|---|---|---|
6 chars | ~37 | ~139 billion | < 1 second | ❌ Very weak |
8 chars | ~52 | ~2.2×10¹⁴ | ~2.5 days | ❌ Weak |
10 chars | ~65 | ~3.7×10¹⁸ | ~116 years | ⚠️ Fair |
12 chars | ~78 | ~6.1×10²² | ~1.9 million years | ✅ Strong |
16 chars | ~104 | ~6.3×10³⁰ | ~200 billion years | ✅✅ Very strong |
20 chars | ~131 | ~6.7×10³⁸ | Trillions of universe ages | ✅✅✅ Unbreakable |
| Mode | Example | Typical Entropy | Memorability | Best For |
|---|---|---|---|---|
| Random Password | xK9#mP2$vL8@nQ4! | ~6.5bit/char | Poor | Password-manager stored main passwords, DB passwords, API keys |
| Memorable Passphrase | Brave-Cloud-Star42 | ~10bit/word | Good | Wi-Fi passwords, login passwords requiring manual entry |
| Numeric PIN | 482917 | 3.3bit/digit | Good | Device lock screen, bank card PIN, one-time codes |