logo
GeekFormat

密碼產生器

0
密碼長度
16chars
64
包含字元集
批次產生

免費安全密碼產生器,基於 Web Crypto CSPRNG 安全隨機源,生成隨機強密碼、易記口令和數字 PIN,支援強度檢測、批量匯出,瀏覽器本機生成。

相關推薦

適用場景

  • Generate strong random passwords for new accounts, check entropy and crack time
  • Batch-generate temporary credentials for teams or test environments
  • Generate memorable passphrases for Wi-Fi or device passwords
  • Set device PINs, initialize admin accounts, or reset passwords
  • Replace weak, human-created passwords with strong random ones

功能特點

  • CSPRNG generation: uses browser Web Crypto (crypto.getRandomValues) for cryptographically secure randomness
  • Three modes: Random password, Memorable passphrase (word combination), Numeric PIN
  • Full strength meter: character pool size, entropy, weak password detection, sequential/repeated char risk, brute-force time estimate
  • Exclude ambiguous: optionally skip 0/O/1/l/I for manual entry scenarios
  • Batch generation: generate 5/10/20 passwords at once with TXT download
  • Local-only: all generation and analysis happens in browser, no data uploaded

使用方法

  1. Select mode: Random, Passphrase, or PIN
  2. Set length, character options (16+ recommended), optionally exclude ambiguous chars
  3. Review strength: entropy, crack time estimate, weak password detection
  4. Copy or batch export to TXT for registration/reset/distribution

常見問題

Why Web Crypto API instead of Math.random()?

Math.random() is a general PRNG not designed for security — its internal state can potentially be reverse-engineered. crypto.getRandomValues() uses the OS-level CSPRNG, producing unpredictable randomness suitable for passwords and keys.

Do passwords get uploaded to a server?

No. All passwords are generated locally in your browser. Strength analysis, entropy calculation, and crack time estimation all run client-side. DevTools Network tab confirms zero requests.

How long should a password be?

At least 12 characters with mixed case, digits, and symbols. A 16-character random password would take billions of years to brute-force at modern speeds. See the crack time table above.

Random password vs memorable passphrase?

Per-character, random passwords have higher entropy. But passphrases (4-6 truly random words) achieve 60+ bits of entropy and are much easier to remember. The key is truly random word selection, not self-invented phrases.

Why exclude ambiguous characters (0/O/1/l/I)?

These look similar in many fonts and cause input errors. If passwords are typed manually, read over phone, or printed, exclude them. If used only via password manager, keep all characters for higher entropy.

Is rotating passwords more secure?

Per NIST SP 800-63B, regular password rotation is NO longer recommended unless compromise is confirmed. Forced rotation leads users to choose weak passwords or write them down. Better: long random passwords + password manager + 2FA.

What is password entropy?

Entropy measures unpredictability in bits. Entropy = log₂(character_pool_size ^ length). A 16-char password from 94 printable ASCII chars has ~104 bits, meaning an attacker averages 2¹⁰³ guesses — about 200 billion years at 1 trillion guesses/sec.

什麼是安全密碼產生器?

密碼產生器使用 CSPRNG(密碼學安全隨機數生成器)從字符池中隨機選取字元,避免人類設密的可預測模式(名字+生日、鍵盤連按等)。

不能用 Math.random()——普通隨機數內部狀態可被反推。本工具使用 crypto.getRandomValues() 呼叫作業系統級 CSPRNG。

密碼強度的核心是熵值:log₂(字元池^長度)。16位隨機密碼熵值約 104 bit,暴力破解需約 2000 億年。

易記口令(Passphrase)由多個隨機單字組成,熵值足夠且更容易記憶,即 Diceware/XKCD 方法。

所有密碼在瀏覽器本機生成,資料不上傳伺服器。

术语表

CSPRNG
Cryptographically Secure Pseudo-Random Number Generator. Produces unpredictable output that passes rigorous randomness tests; even knowing many past outputs does not reveal future ones.
Password Entropy
Measures unpredictability in bits. Formula: log₂(N^L). 60+ bits = secure; 100+ bits = extremely strong.
Brute Force Attack
Trying all possible character combinations. Defended by using long random passwords that make combinations physically uncountable.
Dictionary Attack
Using lists of common passwords (123456, password, qwerty) to guess credentials. Much faster than brute force; random passwords are immune.
Credential Stuffing
Using leaked username/password pairs from one site to attempt login on others. Defended by unique passwords per site and checking Have I Been Pwned.
Passphrase
A password made of multiple random words. Easier to remember with high entropy when words are truly random (Diceware method).
Diceware
Arnold Reinhold's 1995 method using 5 dice rolls to pick words from a 7776-word list. 6 Diceware words ≈77 bits of entropy.
NIST SP 800-63B
NIST digital identity guidelines — the authoritative reference for password security. Since 2017, it no longer recommends regular rotation or mandatory special characters, emphasizing length, breached-password screening, and MFA.
2FA/MFA
Two-Factor / Multi-Factor Authentication requires a second factor beyond password (TOTP, hardware key). NIST recommends 2FA on all important accounts.
Breached Password Blacklist
Lists of publicly known compromised/common passwords (123456, password, admin, qwerty). NIST recommends checking against such lists at registration/password change.

Password Length vs Crack Time (upper+lower+digits+symbols)

LengthEntropy(bit)CombinationsCrack Time (1T guesses/sec)Rating
6 chars~37~139 billion< 1 second❌ Very weak
8 chars~52~2.2×10¹⁴~2.5 days❌ Weak
10 chars~65~3.7×10¹⁸~116 years⚠️ Fair
12 chars~78~6.1×10²²~1.9 million years✅ Strong
16 chars~104~6.3×10³⁰~200 billion years✅✅ Very strong
20 chars~131~6.7×10³⁸Trillions of universe ages✅✅✅ Unbreakable

Three Password Modes Comparison

ModeExampleTypical EntropyMemorabilityBest For
Random PasswordxK9#mP2$vL8@nQ4!~6.5bit/charPoorPassword-manager stored main passwords, DB passwords, API keys
Memorable PassphraseBrave-Cloud-Star42~10bit/wordGoodWi-Fi passwords, login passwords requiring manual entry
Numeric PIN4829173.3bit/digitGoodDevice lock screen, bank card PIN, one-time codes

Authoritative References