Password Generator for strong, random passwords
Build strong passwords in your browser, tune the minimum and maximum length, and keep a lightweight local history for quick reuse.
Password workspace
Adjust the rules below and generate as many passwords as you need.
Password strength in numbers
A few statistics that show why password length and character variety matter more than most people realise.
Time to crack a random 8-character password with modern GPU hardware
Estimated time to brute-force a random mixed 16-character password
Of users reuse the same password across multiple sites
Strength multiplier when all four character types are combined
What makes a strong password?
Four properties that together determine whether a password will hold up against modern attack methods.
Length
Every additional character multiplies the total number of possible combinations. Going from 8 to 16 characters does not double the search space - it squares it. Length is the single highest-value property.
Variety
Mixing lowercase, uppercase, digits, and symbols dramatically expands the character set an attacker must search. A password limited to lowercase letters has 26 possibilities per character; adding all four types raises that to roughly 95.
Randomness
Predictable patterns - keyboard walks, names followed by a birth year, favourite sports teams - appear in every attack dictionary. True randomness, generated by a cryptographic source, is immune to dictionary and rule-based attacks.
Uniqueness
Reusing a password across accounts means one breach exposes all of them. Each service should have its own distinct password so that a compromise is always contained to a single account.
Frequently asked questions
Answers to the questions that come up most often about password security.
Entropy measures the unpredictability of a password in bits. Each additional character from a larger character set contributes more bits. A password with 128 bits of entropy would require more guesses than current computing technology can attempt in any practical timeframe. The generator's strength bar reflects an entropy estimate calculated in your browser.
Dictionary attacks use lists of millions of common words, phrases, and their predictable substitutions (replacing 'a' with '@', for example). Any password that a human can easily remember usually appears in these lists within the first few million guesses. A randomly generated password with no relationship to words sidesteps dictionary attacks entirely.
Yes. A password manager lets you use a unique, randomly generated password for every account without memorising any of them. You only need to remember one strong master password. Reputable managers store credentials encrypted locally or in the cloud and integrate with browsers to fill passwords automatically. The alternative - reusing passwords or keeping them in a text file - is significantly riskier.
Current guidance from NIST and most security researchers recommends against mandatory periodic rotation unless a password has been compromised. Forcing frequent changes leads users to make minor, predictable modifications (adding a number at the end) which reduces security rather than improving it. Rotate a password immediately if you suspect a breach, if a site notifies you of a data leak, or if you shared the password with someone who no longer needs access.
More privacy tools
Everything you need to share private data safely - free, no account, runs in your browser.
SecretNote
Write a private note, generate a one-time link, and share it. The note self-destructs the moment it is read - nothing is stored, nothing leaks.
SecretScreen
Upload a screenshot and get a self-destructing share link. The image is encrypted before upload and deleted after the first view - no permanent hosting.
SecretFile
Upload any file and share a one-time download link. The file is encrypted end-to-end and permanently deleted after the recipient downloads it.
Hash Generator
Instantly generate MD5, SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 hashes in your browser. Your input is never sent to the server.
Password Generator
Generate strong, random passwords with full control over length and character sets. Everything runs locally - your passwords never touch a server.