Password Generator
Free password generator that creates strong, random passwords with customizable length and character options. Runs in your browser.
Creating strong, unique passwords for every online account is one of the most effective steps you can take to protect your digital life. This generator builds random passwords using the Web Crypto API right in your browser, so nothing is ever transmitted over the network or stored on a server.
About Password Generator
Why Random Passwords Matter
Attackers rely on predictable patterns - dictionary words, birthdays, pet names, and common substitutions like "p@ssw0rd." A truly random password eliminates these patterns entirely, making brute-force attacks computationally infeasible with current hardware.
| Password Type | Example | Time to Crack (estimated) |
|---|---|---|
| Common word | password | Instant (in every dictionary attack list) |
| Word + number | monkey123 | Under 1 second |
| Common substitution | p@ssw0rd | Under 1 second (substitutions are well known) |
| 8-char random (all types) | k7#Lm2!q | Hours to days |
| 12-char random (all types) | aR4$kL9#mP2x | Centuries |
| 16-char random (all types) | Hk39$mLp#7aQx2Rw | Longer than the age of the universe |
Estimates assume an attacker trying 10 billion guesses per second (a realistic rate for offline hash cracking with modern GPUs).
How to Use This Tool
| Setting | Options | Recommendation |
|---|---|---|
| Length | 8-128 characters | 16+ characters for important accounts; 12 minimum for everything else |
| Uppercase (A-Z) | On/Off | Keep on - increases the character pool |
| Lowercase (a-z) | On/Off | Keep on - core of most passwords |
| Numbers (0-9) | On/Off | Keep on - most sites require at least one digit |
| Symbols (!@#$%...) | On/Off | Keep on unless a site rejects special characters |
The colour-coded strength meter updates in real time as you adjust settings, showing exactly how secure the generated password will be.
Password Entropy Explained
Entropy measures password strength in bits. Higher entropy means more possible combinations an attacker must try. The formula is: Entropy = Length x log2(Pool Size).
| Character Types Enabled | Pool Size | Entropy per Character | 12-char Entropy | 16-char Entropy |
|---|---|---|---|---|
| Lowercase only | 26 | 4.7 bits | 56 bits | 75 bits |
| Lower + upper | 52 | 5.7 bits | 68 bits | 91 bits |
| Lower + upper + digits | 62 | 6.0 bits | 71 bits | 95 bits |
| All types (including symbols) | ~95 | 6.6 bits | 79 bits | 105 bits |
Security experts generally recommend at least 80 bits of entropy. A 12-character password with all character types meets this threshold.
Recommended Password Lengths by Account Type
| Account Type | Minimum Length | Why |
|---|---|---|
| Social media, forums | 12 characters | Lower-value targets but still worth protecting |
| Email (primary) | 16 characters | Email is the recovery method for most other accounts |
| Banking, financial | 16-20 characters | Direct access to your money |
| Password manager master | 20+ characters | Protects all your other passwords |
| Server/admin access | 20+ characters | Compromise can affect many users |
Password Best Practices
| Practice | Why |
|---|---|
| Use a unique password for every site | One breach exposes only one account, not all of them |
| Use a password manager | Remembering dozens of random passwords is impossible; a manager does it for you |
| Enable two-factor authentication (2FA) | Even if your password is compromised, 2FA blocks the attacker |
| Change passwords after a breach | If a service reports a breach, change that password immediately |
| Never share passwords over email or chat | These channels are not encrypted end-to-end by default |
What Changed in the NIST Password Guidelines?
NIST Special Publication 800-63B (Digital Identity Guidelines) is the standard that most US federal agencies and many private companies follow. The 2024 revision (SP 800-63B-4) made some big changes to password policy that overturn years of conventional wisdom:
- No more forced rotation. NIST now says you should NOT require users to change passwords periodically (e.g. every 90 days). Forced rotation leads people to pick weaker passwords and just increment a number at the end. Only require a change if there is evidence of compromise.
- No more composition rules. Rules like "must contain one uppercase, one number, one symbol" are no longer recommended. They annoy users without meaningfully improving security when passwords are long enough. Length matters far more than character variety.
- Minimum 15 characters for single-factor, 8 minimum if part of MFA. Rev 4 raised the floor for passwords used on their own to 15 characters. Verifiers must allow at least 64 characters and should encourage longer passwords.
- Screen against breached password lists. Verifiers should check new passwords against known compromised passwords (like the Have I Been Pwned database) and reject matches.
- Allow paste into password fields. Blocking paste discourages password managers. NIST explicitly says to allow it.
The short version: long and random beats short and complex. A 20-character lowercase passphrase is stronger than an 8-character password with symbols.
The Passphrase Alternative (Diceware)
A passphrase is a password made of multiple random words instead of random characters. The Diceware method, created by Arnold Reinhold in 1995, uses physical dice rolls to pick words from a list of 7,776 entries.
How it works:
- Roll five dice (or one die five times) to get a 5-digit number like 43521
- Look up that number in the Diceware word list to get a word (e.g. "penny")
- Repeat for each word you want (6 words is recommended)
- String them together: "penny clamp frosty bold nurse tiger"
Entropy math: Each Diceware word adds log2(7776) = 12.9 bits of entropy. Six words gives you 77.5 bits. Seven words gives 90.4 bits. That is comparable to a 12-character fully random password (79 bits with all character types).
The advantage of passphrases is memorability. "penny clamp frosty bold nurse tiger" is far easier to remember than "k7#Lm2!qR4$x" even though they have similar entropy. The disadvantage is length - some sites cap passwords at 20 or 30 characters, which limits how many words you can use.
How Bad Is the Breach Problem?
Troy Hunt's Have I Been Pwned (HIBP) database tracks over 12 billion compromised accounts from more than 950 indexed breaches as of 2026. Some of the biggest:
| Breach | Year | Accounts Exposed | What Leaked |
|---|---|---|---|
| Collection #1-5 (compiled lists) | 2019 | 2.2 billion | Email/password pairs from many sources |
| Yahoo | 2013-2014 | 3 billion | Names, emails, hashed passwords, security questions |
| 2021 | 700 million | Scraped profile data including emails | |
| 2019 | 533 million | Phone numbers, emails, names, locations | |
| RockYou | 2009 | 32 million | Plaintext passwords (no hashing at all) |
The RockYou breach is famous in security circles because the passwords were stored in plaintext. Analysis of those 32 million passwords showed the most common were "123456", "12345", "123456789", "password", and "iloveyou". About 30% of users had passwords of 6 characters or fewer. This dataset is still used today to train password-cracking tools.
If you reuse a password across sites and one of those sites gets breached, attackers will try that same email/password pair on every major service within hours. This is called credential stuffing and it is automated at massive scale.
Why Use a Password Manager?
The average person has around 168 online accounts (NordPass 2024 research). Nobody can memorise 100 unique random passwords. A password manager solves this by storing all your credentials in an encrypted vault locked by a single master password.
The major options:
| Manager | Type | Free Tier | Notable Feature |
|---|---|---|---|
| Bitwarden | Cloud-synced, open source | Yes (full featured) | Self-host option, audited code |
| 1Password | Cloud-synced | No (14-day trial) | Travel mode, Watchtower alerts |
| KeePass / KeePassXC | Local database file | Yes (fully free) | Offline only, you control sync |
| Apple Keychain / Passwords | Built into Apple devices | Yes | Zero setup for Apple users |
| Google Password Manager | Built into Chrome | Yes | Auto-fill across Chrome devices |
The best password manager is the one you actually use. Any of these is vastly better than reusing passwords or writing them on sticky notes.
Two-Factor Authentication (2FA) Types Compared
Even a strong password can be phished or leaked. Two-factor authentication adds a second barrier. Here is how the common types stack up:
| 2FA Method | Security Level | Convenience | Phishing Resistant? | Notes |
|---|---|---|---|---|
| SMS codes | Low-Medium | High | No | Vulnerable to SIM swapping. Better than nothing, but the weakest 2FA option. |
| Authenticator app (TOTP) | Medium-High | Medium | No | Google Authenticator, Authy, etc. Codes change every 30 seconds. Can still be phished in real-time. |
| Push notifications | Medium | High | Partially | Duo, Microsoft Authenticator. Risk of "MFA fatigue" - approving prompts without thinking. |
| Hardware security key (FIDO2/WebAuthn) | Very High | Medium | Yes | YubiKey, Google Titan. Cryptographically bound to the real site. Cannot be phished. |
| Passkeys | Very High | High | Yes | Built into devices (Apple, Google, Microsoft). Replaces passwords entirely. Based on FIDO2. |
If you do nothing else, enable 2FA on your email account. Email is the master key to almost every other account through password reset flows.
How Long Does Brute-Force Cracking Actually Take?
The "time to crack" estimates in the table above assume offline cracking at 10 billion guesses per second, which is realistic for a single high-end GPU cracking MD5 hashes. But the real picture depends heavily on the hashing algorithm the target site uses:
| Hash Algorithm | Guesses/sec (RTX 4090) | 12-char All-Types Password |
|---|---|---|
| MD5 (weak, still common) | ~165 billion/s | ~1,500 years |
| SHA-1 | ~25 billion/s | ~10,000 years |
| SHA-256 | ~10 billion/s | ~25,000 years |
| bcrypt (cost 10) | ~100,000/s | ~2.5 trillion years |
| Argon2 (recommended) | ~10,000/s | ~25 trillion years |
Sites that use bcrypt or Argon2 (as NIST and OWASP recommend) make brute-force attacks essentially impossible for any reasonable password length. The problem is that many sites still use MD5 or SHA-1, and you have no way of knowing which algorithm a site uses. That is another reason to use long, random passwords everywhere - you are defending against the weakest link.
Want to test an existing password before replacing it? The password strength analyzer scores any password and flags common weaknesses. Need a unique identifier instead of a password? Try the UUID generator. For hashing passwords in your own applications, the hash generator computes SHA-256 and other digests. If you work with bcrypt hashing directly, the bcrypt generator produces hashes at configurable cost factors. This password generator runs entirely in your browser - nothing is sent or stored.
Sources
- NIST SP 800-63B-4 - Digital Identity Guidelines (Authentication)
- Have I Been Pwned - Pwned Websites database
- NordPass - How Many Passwords Does the Average Person Have?
- Arnold Reinhold - The Diceware Passphrase Home Page
- OWASP - Password Storage Cheat Sheet (bcrypt/Argon2)
- FIDO Alliance - Passkeys Overview
- MDN - Crypto.getRandomValues() Web API
Frequently Asked Questions
How does the password generator create secure passwords?
Our password generator uses the Web Crypto API (crypto.getRandomValues) built into your browser to produce cryptographically secure random numbers. These random values are then mapped to your selected character sets to build a password that is truly unpredictable.
What makes a password strong?
A strong password is long (at least 12 characters), contains a mix of uppercase letters, lowercase letters, numbers, and special symbols, and avoids dictionary words or personal information. Our strength indicator evaluates your settings in real time.
Is it safe to generate passwords in a web browser?
Yes. This tool runs entirely in your browser. No passwords are sent to any server, stored in any database, or logged anywhere. Once you close or refresh the page, the generated password exists only if you copied it.
How long should my password be?
Security experts recommend at least 12 to 16 characters for most accounts. For high-value accounts like banking or email, 20 or more characters provide an extra margin of safety against brute-force attacks.
Related Tools
Link to this tool
Copy this HTML to link to this tool from your website or blog.
<a href="https://toolboxkit.io/tools/password-generator/" title="Password Generator - Free Online Tool">Try Password Generator on ToolboxKit.io</a>