Client-side security tool

Password Generator - create strong random passwords in your browser

Free online password generator that creates cryptographically random passwords up to 64 characters. Adjust length, character sets, and exclude ambiguous characters. Generation runs locally using the WebCrypto API - passwords never leave your device. Includes a session history for the current tab only.


Password strength in numbers

A few statistics that show why password length and character variety matter more than most people realise.

Hours

Time for a single RTX 4090 to brute-force a random 8-character mixed-case alphanumeric password (entropy ~52 bits)

Centuries

Time for the entire Bitcoin mining network to brute-force a random 16-character mixed password (entropy ~104 bits)

65%

Of users reuse the same password across multiple accounts (Google/Harris Poll 2019, NIST 2024)

100x+

Increase in keyspace per character when all four character types (lowercase, uppercase, digits, symbols) are enabled compared to lowercase-only

What makes a strong password?

Four properties that together determine whether a password will hold up against modern attack methods.

Length

Length is the single most important factor. Every additional character multiplies the total number of possible combinations. Going from 8 to 16 characters does not double the search space - it squares it.

Variety

Character variety multiplies the search space. Mixing lowercase, uppercase, digits, and symbols dramatically expands the character set an attacker must search. A password limited to lowercase letters has 26 possibilities per character; adding all four types raises that to roughly 95.

Randomness

Predictable patterns - keyboard walks, names followed by a birth year, favourite sports teams - appear in every attack dictionary. True randomness, generated by a cryptographic source, is immune to dictionary and rule-based attacks.

Uniqueness

Reusing a password across accounts means one breach exposes all of them. Each service should have its own distinct password so that a compromise is always contained to a single account.

Frequently asked questions

Answers to the questions that come up most often about password security.

Password entropy is a measure of unpredictability expressed in bits. Each bit doubles the number of guesses an attacker must make on average, so 64 bits requires 2^64 guesses and 128 bits requires 2^128. The exact entropy of a randomly generated password equals log2(charset_size) multiplied by the password length - a 16-character password from a 95-character set has 16 x log2(95) = 105 bits. Anything above 75 bits is considered safe against offline brute-force attacks with current GPU hardware; 128 bits is uncrackable for any foreseeable computing technology including quantum computers running Grover's algorithm.
Attackers run dictionary attacks that test millions of common words, phrases, and predictable transformations (capitalisation, leet substitutions like 'a' to '@', appending digits or years) before trying brute force. Any password a human can easily remember - including phrases, names, dates, or sports teams - usually appears in cracking dictionaries (rockyou.txt, HaveIBeenPwned, custom corpus dumps) within the first few million guesses. A 16-character random password from a 95-character set takes roughly 4 quadrillion times longer to guess than a typical 8-character word with a digit suffix. The fix is to generate, not invent, your password.
Yes. A password manager (Bitwarden, 1Password, KeePass, Proton Pass, Apple Passwords) lets you use a unique, randomly generated password for every account without memorising any of them - you only remember one strong master password. The vault is encrypted locally with your master password, then optionally synced through the provider. The alternative - reusing the same password across sites or storing them in a text file or browser autofill without encryption - means a single breach exposes every account. Modern managers also generate passkeys, monitor breach databases, and warn you about reused or weak entries.
Do not rotate passwords on a fixed schedule. NIST SP 800-63B (2017, reaffirmed in subsequent revisions) explicitly recommends against mandatory periodic rotation because it pushes users toward predictable patterns - changing 'Summer2024!' to 'Summer2025!' weakens security rather than improving it. Rotate a password only when there is a concrete reason: a confirmed breach (HaveIBeenPwned alert, vendor notification), shared access that needs revoking, suspicion of phishing or device compromise, or after exposure on an untrusted device. With a password manager and a unique random password per site, breach impact is contained to the one affected account.
Four properties together: length, randomness, character variety, and uniqueness. Length matters most - each added character from a 95-character set multiplies guesses by 95. Randomness eliminates dictionary attacks. Variety (lowercase, uppercase, digits, symbols) maximises the per-character search space. Uniqueness ensures one breach does not cascade to other accounts. A 16-character password generated by a cryptographically secure random source from all four character classes has roughly 105 bits of entropy and is currently uncrackable through brute force.
Twelve characters is the practical minimum, sixteen or more is recommended, and twenty plus is preferred for high-value accounts (email, financial, password manager master). At 95 characters per slot, 12 characters gives 79 bits of entropy, 16 gives 105 bits, and 20 gives 131 bits. Length is the cheapest entropy you can buy because every added character multiplies the attacker's work, while symbol and case complexity only adds marginally. If a system limits passwords to 12-16 characters, prefer the maximum allowed and use a generator.
Only if they are long enough. A four-word passphrase from the EFF wordlist (7,776 words) gives 51 bits of entropy - weaker than a 9-character random password. Six words gives 77 bits, which is roughly equivalent to 12 random characters. Passphrases trade entropy density for memorability, so they need more characters to reach the same security as a random password. Use passphrases for vault master passwords (where you must remember it) and use generated random passwords for everything else (where the manager remembers them).
No. This generator runs entirely in your browser using the WebCrypto API (window.crypto.getRandomValues), which is a cryptographically secure source of randomness backed by the operating system. The generated password is created locally, displayed only to you, and never transmitted anywhere. The server delivers the page assets and has no visibility into what was generated. This makes the tool safe to use even on production accounts.
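
The generation and entropy calculation described in the answers above, as an added example that is not this site's own code: it draws characters with `crypto.getRandomValues`, uses rejection sampling to avoid modulo bias, and computes length x log2(charset size). The function names, the look-alike set in `AMBIGUOUS` and the 94-character alphabet (printable ASCII without the space) are assumptions.

```javascript
// Added example; function names and AMBIGUOUS are assumptions, not the site's code.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // 32 printable ASCII symbols
};
const AMBIGUOUS = new Set('0O1lI|'); // assumed look-alike set

// Build the candidate alphabet from the enabled classes.
function buildCharset(opts = {}) {
  const { excludeAmbiguous = false, ...classes } = opts;
  const chars = Object.keys(CLASSES)
    .filter((k) => classes[k] !== false) // every class is on unless disabled
    .flatMap((k) => [...CLASSES[k]])
    .filter((c) => !(excludeAmbiguous && AMBIGUOUS.has(c)));
  if (chars.length < 2) throw new RangeError('charset too small');
  return chars;
}

// Entropy of a uniformly random password: length x log2(charset size).
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

function generatePassword(length, charset) {
  if (!Number.isInteger(length) || length < 1 || length > 64) {
    throw new RangeError('length must be an integer from 1 to 64');
  }
  const n = charset.length;
  // Rejection sampling: drop bytes >= limit so that (byte % n) stays uniform.
  // A plain byte % n would favour the first (256 % n) characters.
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(length * 2);
  const out = [];
  while (out.length < length) {
    rng.getRandomValues(buf); // CSPRNG backed by the operating system
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(charset[b % n]);
    }
  }
  return out.join('');
}
```

Excluding the six assumed look-alike characters shrinks the alphabet from 94 to 88, which costs a 16-character password about 1.5 bits of entropy.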