Strong Password Generator
Cryptographically random passwords generated on your device, with an honest strength meter measured in bits of entropy rather than vague color bars.
What makes a password strong
Strength is measured in entropy: the number of equally likely possibilities an attacker must try. Each character drawn from a pool of N symbols adds log₂(N) bits. A 16-character password over the full 90-symbol pool here carries about 104 bits, meaning around 2¹⁰⁴ possibilities, far beyond any brute-force capability. Length beats cleverness: adding 4 characters helps more than any substitution trick like @ for a, which cracking tools already know.
How this generator works, and why it is safe to use
Characters are drawn with your browser’s crypto.getRandomValues, the same cryptographic randomness source used for encryption keys, not the predictable Math.random. Generation happens entirely on your device; the password is never transmitted, logged or stored, and it disappears when you leave the page. The generator also guarantees at least one character from each set you tick, so a site demanding "one number and one symbol" is always satisfied.
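The approach described above, written out as an added example that is not this page's own code: the character sets are constructed to total 90 symbols, and the function names are assumptions. It draws each index with rejection sampling so the modulo step stays unbiased, places one character from every ticked set, and shuffles so those characters do not always sit at the front.

```javascript
// Added example; set contents are constructed to total 90 symbols.
// Browsers expose crypto globally; the fallback is for older Node runtimes.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?/<>~|",
};

// Uniform integer in [0, n): discard draws from the uneven tail of the
// 32-bit range so that `% n` introduces no modulo bias.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, setNames) {
  const sets = setNames.map((name) => SETS[name]);
  if (sets.length === 0 || sets.includes(undefined)) {
    throw new Error("unknown or empty set selection");
  }
  if (length < sets.length) {
    throw new Error("length too short for the selected sets");
  }
  const pool = sets.join("");
  // One guaranteed character per ticked set, the rest from the whole pool.
  const chars = sets.map((s) => s[randomBelow(s.length)]);
  while (chars.length < length) chars.push(pool[randomBelow(pool.length)]);
  // Fisher-Yates shuffle driven by the same unbiased source.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");
}

// Entropy in bits for `length` independent draws from `poolSize` symbols.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}
```

Because the per-set guarantee rules out strings that lack a ticked class, the true entropy is marginally below the length × log₂(N) figure.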
Practical advice that actually matters
Use a unique password per site, because breaches are the main way passwords leak, and reuse turns one breach into ten. A password manager makes 20-character random passwords painless, and you then only memorise one master passphrase. Turn on two-factor authentication for email and banking; it protects you even if a password leaks. The look-alike exclusion option exists for passwords you must read aloud or type from paper, like a Wi-Fi key, where confusing 0 with O costs real time.
How long would cracking actually take?
A rig testing 100 billion guesses per second (a realistic offline attack on a weakly hashed database) exhausts a 40-bit space in seconds, a 60-bit space in months, an 80-bit space in tens of thousands of years, and a 104-bit space in longer than the age of the universe. That is the practical meaning of the entropy meter. Note the caveat: this math applies to random passwords. Human-invented passwords fall to dictionary and pattern attacks at rates millions of times faster, which is why "Monsoon@2026" is weak despite ticking every complexity box.
Passphrases: the memorable alternative
For the one password you must memorise, your password manager’s master key, a random multi-word passphrase like "copper-violin-mango-drift-canal" offers around 64 bits from a 7,776-word list at 5 words, and grows by about 12.9 bits per added word. It is far easier to type on a phone than symbol soup. Generate random characters here for accounts a manager will remember for you; use a passphrase for the manager itself.
Frequently asked questions
How long should my password be?
For important accounts, 16 characters or more from mixed character sets, which lands above 100 bits of entropy. For a password manager master passphrase, consider a 4- or 5-word random passphrase you can memorise.
Is it safe to generate a password on a website?
This one runs entirely in your browser using cryptographic randomness, with no network requests; nothing is sent or stored. You can verify by loading the page, disconnecting from the internet, and generating: it still works.
What does the entropy number mean?
The number of bits of unpredictability. Every extra bit doubles the search space for an attacker. Around 60 bits resists casual attacks, 80+ resists serious offline cracking, and 100+ is effectively uncrackable with current technology.
Should I exclude ambiguous characters?
Only when the password will be read or typed manually, like a Wi-Fi key on a printed card. Exclusion slightly reduces entropy per character, which you can offset by adding a couple of characters of length.