What is entropy in password strength?

Entropy measures randomness in bits. Higher entropy means more possible combinations. A password with 80+ bits of entropy is considered strong; 128+ bits is considered very strong against any known attack.

Password Generator

Generate cryptographically strong passwords and passphrases. Everything runs locally in your browser.

No upload — client-side only Cryptographically random No tracking

Quick policy presets

Length: 16

Uppercase (A–Z) Lowercase (a–z) Numbers (0–9) Symbols

Advanced — Ambiguous allowed · Default symbols

Exclude ambiguous (0/O, 1/l/I)

Custom symbol set

Password

Strength

Entropy 0 / 128 bits

0Entropy (bits)

—Crack Time

0Pool Size

0Characters

Compare Strength

Password A

Password B

What is Password Generator?

A Password Generator creates cryptographically strong passwords and passphrases using the Web Crypto API. Unlike weak or predictable passwords, these are built from high-quality random data—the same source used by security-focused applications. You can generate random character passwords (e.g. K9#mP2$xL7@qR) or memorable passphrases (e.g. correct-horse-battery-staple) that are easier to type and remember.

Every generated password includes real-time strength analysis: entropy in bits, estimated crack time at 10 billion guesses per second, and a visual strength meter. The crack time reflects how long it would take an attacker with modern GPU hardware to brute-force your password offline—a realistic threat model for leaked hashes. Passphrases with 4+ random words often reach 50+ bits of entropy and are much easier to remember than equivalent random-character passwords.

All generation happens in your browser. Nothing is sent to a server, so your passwords stay private. Use it for new accounts, password resets, or when your organization requires strong, unique passwords.

How to Use Password Generator

Choose Password for random characters or Passphrase for memorable word combinations.
Use a preset: General (16 chars, mixed), High Security (24 chars), PIN (6 digits), or Memorable (passphrase mode).
For passwords: adjust the length slider (4–128) and check/uncheck uppercase, lowercase, numbers, and symbols. For passphrases: set word count (3–10), separator (hyphen, space, dot, underscore), and options like capitalize words or append a number.
Click Generate to create a new password. The strength meter and crack time update instantly.
Click Copy to copy the password, then paste it into your password manager or signup form. Use Show to reveal the password before copying.

Example: For a high-security account, select High Security preset—you get a 24-character password with mixed character sets. For something you might type manually, switch to Passphrase, choose 4 words with hyphen separator, and enable "Capitalize words" for Correct-Horse-Battery-Staple.

Tips & Best Practices

Use Ctrl+Enter to regenerate and Ctrl+Shift+C to copy. Esc clears the output. In Advanced, enable Exclude ambiguous to avoid characters like 0/O, 1/l/I when you must type the password by hand (e.g. on a TV or kiosk). Use Custom symbol set if a site restricts symbols—paste only the allowed characters.

Store passwords in a password manager; don't reuse them. Aim for 80+ bits of entropy for important accounts. Passphrases are ideal when you need to remember the password without a manager.

When to Use This Tool

Use this tool when creating new passwords, resetting compromised accounts, or meeting policy requirements (length, character sets). It's better than browser or OS built-in generators when you need presets, crack-time visibility, or passphrase mode. For hashing passwords before storage, use our Hash Generator. For encoding credentials in URLs, use URL Encode/Decode. This generator focuses on creation, not storage or transmission.

Frequently Asked Questions

How secure is this password generator?

The tool uses the Web Crypto API (crypto.getRandomValues) for cryptographically secure random generation. Passwords are generated entirely in your browser and never sent over the network.

What is a passphrase and why use one?

A passphrase is a password made of random words (e.g. "correct-horse-battery-staple"). Passphrases are easier to remember than random character passwords while still providing strong entropy, especially with 4 or more words.

What does the crack time estimate mean?

The crack time estimates how long it would take an attacker to brute-force your password at 10 billion guesses per second — a realistic speed for offline GPU-based attacks against common hash algorithms like MD5 or SHA-1.

What is entropy and how is it calculated?

Entropy measures randomness in bits. For passwords: length × log₂(pool_size). For passphrases: word_count × log₂(wordlist_size). A password with 80+ bits of entropy is considered strong; 128+ bits is considered very strong against any known attack.

Is my password sent to a server?

No. Everything runs entirely in your browser using the Web Crypto API. Your password is never uploaded, stored, or transmitted anywhere.

What does "exclude ambiguous" mean?

Excluding ambiguous characters removes visually similar characters like 0/O, 1/l/I that can cause confusion when manually typing a password into a system that doesn't support paste.