What is a Password Generator?
A password generator is a tool that creates random, unpredictable passwords on demand. Instead of choosing a password yourself, which tends toward dictionary words, names, or simple patterns, a generator draws from a pool of characters using a cryptographically secure random function. The result is a password that appears in no wordlist and is impractical to guess through brute force or dictionary attacks.
How to Generate a Strong Password
- Set the length — 16 characters is a good minimum; 24+ is better for sensitive accounts.
- Enable Uppercase, Lowercase, and Numbers for maximum entropy.
- Add Symbols to make the password even harder to crack.
- Click Generate to create a new password.
- Click Copy and paste it directly into your password manager.
What Makes a Password Strong?
Password strength is measured in entropy: the number of possible combinations an attacker would have to try. A 16-character password using all four character sets (lowercase, uppercase, numbers, symbols) has 95¹⁶ ≈ 4.4 × 10³¹ possible values. Even at a billion guesses per second, breaking it would take longer than the age of the universe.
In contrast, an 8-character password using only lowercase letters has just 26⁸ ≈ 200 billion combinations, crackable in minutes with modern hardware.
Is My Password Secure?
Yes. This tool generates passwords entirely in your browser using the crypto.getRandomValues() Web Cryptography API — a cryptographically secure pseudo-random number generator (CSPRNG). No password is ever sent to a server. Your generated passwords exist only in your browser and are never logged or stored.
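As an added example (not this tool's own code), here is one way a browser generator can pick characters with crypto.getRandomValues() without modulo bias, and compute the entropy behind the figures quoted above. The character-set strings and the function names are assumptions.

```javascript
// Added example; the set strings and function names are assumptions.
// Browsers (and recent Node) expose Web Crypto as globalThis.crypto.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  // 33 printable ASCII symbols (space included), giving 95 with all sets on
  symbols: " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};

// Concatenate the enabled sets into one pool of candidate characters.
function buildPool(opts) {
  return Object.keys(SETS).filter((k) => opts[k]).map((k) => SETS[k]).join("");
}

// Uniform integer in [0, n) by rejection sampling: values in the incomplete
// top range of the 32-bit space are redrawn, so `% n` adds no modulo bias.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, opts) {
  const pool = buildPool(opts);
  if (pool.length === 0) throw new Error("enable at least one character set");
  let out = "";
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return out;
}

// Entropy in bits of a uniformly random password: length * log2(pool size).
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

const all = { lower: true, upper: true, digits: true, symbols: true };
console.log(generatePassword(16, all), entropyBits(16, 95).toFixed(1), "bits");
```

With all four sets enabled, 16 characters give about 105 bits of entropy; 8 lowercase letters give about 38.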
Common Password Mistakes to Avoid
Even people who know they should pick strong passwords often fall back on a small set of predictable patterns. Attackers know these patterns too, and modern cracking tools encode them into wordlists and rules that turn a “clever” password into a few seconds of work.
- Reusing the same password across sites. One breach exposes every account that shares the password. Credential-stuffing tools test stolen pairs against thousands of services in minutes.
- Personal information. Birthdays, pet names, partner names, and addresses are easy to discover through social media or public records and are the first guesses any targeted attacker will try.
- Keyboard walks. Sequences like qwerty, asdf1234, or 1q2w3e4r look random but appear at the top of every leaked-password list.
- Predictable substitutions. Replacing a with @ or o with 0 in a dictionary word adds almost no entropy; cracking tools apply these transformations automatically.
- Single-character padding. Adding ! or 1 at the end of a weak password just to satisfy a complexity rule barely changes the time to crack.
Defence in Depth: Beyond the Password
A strong password is necessary, but it is only one layer. The accounts that matter most — email, banking, password manager, primary cloud storage — deserve additional protection so that even a leaked or phished password does not lead directly to a compromise.
- Two-factor authentication (2FA). Prefer an authenticator app or a hardware security key (FIDO2 / WebAuthn) over SMS codes, which can be intercepted through SIM-swap attacks.
- Unique passwords per service. Always generate a fresh password for every new sign-up. A password manager makes this practical at scale.
- Breach monitoring. Services like Have I Been Pwned and the built-in breach reports in most password managers tell you when a password needs rotating.
- Passphrases for memorisation. When a password must be memorised (your password-manager master password, full-disk encryption), use a long passphrase of four to six unrelated words rather than a short complex string.
Frequently Asked Questions
How long should my password be?
At least 16 characters for most accounts. For email, banking, and password managers, use 24 characters or more. Length is the most powerful factor in password strength.
Should I use symbols in my password?
Yes, when the site allows it. Symbols expand the character set from 62 to 95+, multiplying the number of possible passwords and significantly increasing resistance to brute-force attacks.
Where should I store my generated passwords?
Use a password manager like Bitwarden, 1Password, or KeePass. Never store passwords in plain text files, spreadsheets, or browser autofill without encryption.
How often should I change my passwords?
Forced periodic rotation is no longer recommended by NIST. Change a password immediately after a known breach, after sharing it under duress, or if you suspect compromise. Otherwise, keep a strong, unique password and protect the account with 2FA.
Is a 16-character random password really unbreakable?
In a pure offline brute-force scenario against a properly hashed password (bcrypt, Argon2), 16 random characters from all four sets are well beyond what current or foreseeable hardware can crack. The realistic threats are phishing, malware, and reused passwords from other breaches — which is why the storage habits above matter as much as length.