Password Generator

What is a password generator?

A password generator creates random, unpredictable passwords using a cryptographically secure random number generator (CSPRNG). Unlike passwords invented by humans — which tend to follow predictable patterns based on names, dates, or dictionary words — a generated password has no structure an attacker can exploit. The randomness comes from the operating system's entropy source, making the output genuinely unpredictable even to the system that created it.

What makes a password strong: entropy explained

Password strength is measured in bits of entropy — the logarithm of how many possible combinations exist. A password with more entropy takes longer to crack by brute force. Length contributes far more to entropy than complexity alone:

• A 12-character password using only lowercase letters has about 56 bits of entropy
• A 16-character password using lowercase letters has about 75 bits of entropy
• A 16-character password using mixed case, numbers, and symbols has about 105 bits of entropy
• A 24-character password with full character set has about 157 bits of entropy

Current hardware can brute-force 56-bit entropy in hours. 80+ bits is considered the minimum for security-sensitive accounts today.

NIST guidelines on password length vs complexity

The US National Institute of Standards and Technology (NIST SP 800-63B) recommends prioritising length over complexity. A 20-character password made of random words or characters is harder to crack than a 10-character password with forced special characters. NIST also recommends against periodic forced password changes — changing a secure password unnecessarily introduces the risk of choosing a weaker replacement.

How to use this tool

1. Set length to your desired character count (16–24 recommended for most accounts).
2. Set the character set flags — includeUppercase, includeLowercase, includeDigits, includeSymbols.
3. Click Generate.
4. Copy the result and save it immediately in a password manager — never type it manually.

Why you need a password manager

A truly random 20-character password like X#7mQv!9nLzW2Yd$k4Rp is secure but memorisable only if you use it for one account. You need a different strong password for every service you use — if one site is breached and attackers obtain your password hash, credential stuffing attacks try the same password on thousands of other sites. A password manager (Bitwarden, 1Password, KeePass) stores every generated password securely and fills them in automatically, so you only need to remember one master password.

When to use longer passwords

Use 24 characters or more for: password manager master passwords, encryption key passphrases, root or administrator accounts, and any account where a breach would have serious consequences. Use 16 characters as a practical minimum for everyday accounts. Some services impose a maximum password length — if a site caps passwords at 8–12 characters, that is a red flag about their security practices, as properly hashed passwords have no length constraint on storage.