Skip to content

Password Generator

Generated password

CSw.}WjO6Ww-?w#L

Strong · 103.4 bits of entropy · 88-char alphabet

Options

Estimates for educational purposes — not financial, medical, or legal advice. See terms.

Password strength comes from two things: length and the size of the alphabet the password is drawn from. A 16-character password drawn from 90 possible characters has entropy of 16 × log2(90) ≈ 104 bits, which is enough to resist brute-force attacks from any realistic adversary. A 6-character password drawn from just lowercase letters has 6 × log2(26) ≈ 28 bits, which a modern GPU cracks in seconds.

This tool lets you pick the length and which character sets to include, then shows the entropy in bits for the generated password so you can see how strong it actually is. The password itself is generated by the browser’s built-in cryptographic random number generator (Web Crypto’s crypto.getRandomValues), not Math.random.

How entropy is calculated

entropy (bits)=length×log2(alphabet size)\text{entropy (bits)} = \text{length} \times \log_2(\text{alphabet size})

The alphabet size depends on which character sets you select:

Character setSize (default)Size (ambiguous excluded)
Lowercase a-z2623 (excludes o, l)
Uppercase A-Z2624 (excludes O, I)
Numbers 0-9108 (excludes 0, 1)
Symbols !@#$%^&*()_-+=[]{}<>?/,.:;2522 (excludes `, ', ")

Strength thresholds

The strength label reflects entropy in bits against a practical attacker:

  • Under 28 bits → very weak (seconds to crack offline)
  • 28 to 36 bits → weak (hours)
  • 36 to 60 bits → fair (days to months)
  • 60 to 128 bits → strong (years to centuries with current hardware)
  • 128 bits and up → very strong (computationally infeasible)

For comparison, a standard AES-128 key has exactly 128 bits of entropy. 60 bits is the practical minimum for any password that protects real value.

Example: 16-character password with all character sets

With lowercase + uppercase + numbers + symbols, the alphabet has 87 characters (26 + 26 + 10 + 25). A 16-character password from this alphabet has:

16×log2(87)103 bits16 \times \log_2(87) \approx 103 \text{ bits}

That’s strong enough to resist any realistic brute-force attack — an attacker trying a billion passwords per second would need longer than the age of the universe to exhaust the space.

When to use which options

  • Shared or dictated passwords (you have to read it to someone or write it down): turn on “Exclude ambiguous” so the reader doesn’t confuse 0 and O, 1 and l.
  • Systems that reject symbols: turn off symbols and compensate by increasing length — a 20-character alphanumeric password has 20 × log2(62) ≈ 119 bits, still very strong.
  • Systems that require all character classes: turn on “Require one from each set” to guarantee the password passes validation on the first try.
  • Encryption keys or high-value accounts: bump the length to 24 or 32 to get 140+ bits of entropy.

What this tool does not do

It does not store passwords, suggest passwords you already use, or check whether a password has appeared in a breach. For those, use a dedicated password manager. This tool is for the moment you need a fresh, strong password right now and want to see the math behind its strength. For a memorable word-based alternative (XKCD-style “correct horse battery staple”), the passphrase generator uses Diceware wordlists instead of character classes.

Frequently asked questions

Is this password generator actually random?

Yes. It uses the browser's Web Crypto API (crypto.getRandomValues), which is cryptographically secure. It does not use Math.random, which is predictable and unsuitable for passwords or any security-sensitive purpose.

How many bits of entropy should my password have?

For most online accounts, 60 bits or more is strong enough. For encryption keys or high-value accounts, aim for 80 to 128 bits. Below 28 bits is considered very weak and crackable in seconds by modern hardware.

What does excluding ambiguous characters do?

Removes characters that look alike in many fonts - 0 and O, 1 and l and I, plus backticks, single quotes, and double quotes. This is useful when you need to read a password off a screen or write it on paper. It slightly reduces entropy per character but prevents transcription errors.

Why require one character from each set?

Some password systems require at least one uppercase, one lowercase, one digit, and one symbol. This option guarantees that constraint without reducing randomness - the required characters are inserted at random positions in the final password.

Can I trust this tool with real passwords?

The password is generated entirely in your browser and never sent anywhere. That said, for your highest-value accounts consider using a dedicated password manager like 1Password or Bitwarden, which generate passwords the same way and also remember them.

How do I share a generated password securely?

Don't paste passwords into Slack, email, or SMS — those leave readable copies in chat history and inboxes long after the recipient has read them. A self-destructing message service is better suited to one-off sharing: the recipient opens the link, reads the password, and the message is destroyed. Tools like steekem.com (another small project I run) work well for this. For ongoing team sharing, a password manager's built-in share feature (1Password, Bitwarden) is the right tool.