Strong Password Generator

Generate cryptographically secure passwords and test the strength of your own passwords. Everything runs in your browser — nothing is sent anywhere.

🔒 This password never leaves your browser.

How the generator works

The generator uses `crypto.getRandomValues()`, the browser's cryptographically secure RNG. At least one character from each selected class is guaranteed, and the result is then shuffled with the Fisher-Yates algorithm.

What is entropy

Entropy is measured in bits and shows how "unpredictable" a password is. 60 bits ≈ 580 billion combinations. With repeated characters or sequences (abc, 123, qwerty), effective entropy drops.

Crack time

Estimated at 10 billion guesses per second — a realistic offline GPU attack speed against a slow hash. On average, a password is cracked at 50% of the maximum time.

Password best practices

  • A unique password for every account — never reuse the same password.
  • At least 16 characters for critical accounts (email, banking, password manager).
  • Enable two-factor authentication (2FA) wherever possible.
  • Use a password manager — 1Password, Bitwarden, KeePass.
  • Avoid personal info (birthday, name, pet) in the password.
  • Change a password only on suspected compromise — not "every 90 days".

Frequently asked questions

Is the password sent to a server?

No. All generation and evaluation happens in your browser via JavaScript. Nothing leaves your device — not during generation, not during checking. This is technically verifiable in your browser DevTools (the Network tab will be empty).

How random are the generated passwords?

We use `crypto.getRandomValues()` — the browser's cryptographically secure random number generator, the same one used by secure web applications. This is significantly safer than `Math.random()`, which is unsuitable for passwords.

What is entropy and why does it matter?

Entropy measures a password's uncertainty in bits. A 60-bit-entropy password requires on average 2^59 guesses to crack — about 580 billion. Above 70 bits is strong, above 100 bits is very strong. Length matters more than complexity — a 16-character lowercase-only password has more entropy than an 8-character all-class password.

What password length should I choose?

For critical accounts (email, banking, password manager), use at least 16 characters with all classes enabled. For less important accounts, 12 characters is acceptable. Anything under 8 characters is almost always too weak.

Why is there an "Exclude similar" option?

Characters like l, I, 1, O, and 0 can look identical in some fonts, causing errors when typed by hand. Excluding them slightly reduces entropy but makes the password easier to enter accurately. Not needed if you use a password manager.

How should I store strong passwords?

Use a password manager (1Password, Bitwarden, KeePass). Never store passwords in a text file, email, or on paper near the device. Enable two-factor authentication (2FA) wherever possible — 2FA protects you even if a password is compromised.
