Password Generator
Generate a strong random password right in your browser. Nothing is sent anywhere — the password exists only on your screen until you copy it.
What makes a password strong?
Two things: length and randomness. Every extra character multiplies the number of guesses an attacker needs. A truly random 16-character password with mixed character sets has more combinations than there are atoms in a human body — no realistic computer can brute-force it.
| Password style | Time to crack (offline, modern GPU rig) |
|---|---|
| password123 | Instant (it's in every wordlist) |
| 8 chars, lowercase only | Minutes |
| 10 chars, mixed case + numbers | Months |
| 16 chars, all character sets, random | Billions of years |
The rules that actually matter
- Never reuse passwords across sites. Breaches happen constantly; one leaked password shouldn't open your whole life.
- Use a password manager. It remembers the random passwords so you don't have to. You only memorize one strong master password.
- Turn on two-factor authentication (2FA) for email, banking, and anything important — it protects you even if the password leaks.
- Length beats cleverness. "P@ssw0rd!" follows all the "rules" and is still terrible; crackers try letter-symbol swaps first.
Passphrases: the memorable alternative
If you must memorize a password (like your master password), four to five random common words — "orbit-velvet-thunder-maple" — are both easier to remember and mathematically stronger than a short "complex" password. The trick is the words must be genuinely random, not a sentence you'd naturally say.
Frequently asked questions
Is it safe to generate a password on a website?
On this page, yes — generation uses your browser's built-in cryptographic randomness (crypto.getRandomValues) and runs entirely on your device. You can verify by loading the page, disconnecting from the internet, and generating — it still works.
How often should I change passwords?
Modern guidance (including NIST's): don't change on a schedule — change immediately when there's any sign of a breach. Forced rotation leads to weaker, patterned passwords.
What length should I pick?
16 is a strong default. Use 20+ for anything critical, and shorter only when a site forces a limit.