Password Generator
Generate a cryptographically random password of any length. Choose character sets (uppercase, lowercase, numbers, symbols), copy with one click, and see the strength and entropy of your generated password.
How Strong Is Your Password?
Password strength is measured in bits of entropy — the number of binary decisions an attacker must make to guess your password by brute force. A password with N bits of entropy requires, on average, 2^(N−1) guesses to crack. Modern GPU-based cracking rigs can test billions of hashes per second, so entropy requirements have increased substantially over the years.
A password with fewer than 40 bits of entropy is considered weak by current standards. 50–60 bits is reasonable for low-value accounts. 70+ bits is strong. 100+ bits is effectively uncrackable with any hardware that exists today or in the foreseeable future. The formula is straightforward:
At 78 bits, even a cracking rig testing 10 billion passwords per second would take roughly 3 trillion years to exhaust the full search space — longer than the age of the universe. For practical purposes, 16+ random characters from a 94-character set is more than adequate for any account.
What Makes a Password Secure?
Security researchers have settled on three properties that make a password resistant to both online guessing attacks and offline cracking of stolen hash databases.
Length matters more than complexity. A 20-character password composed only of lowercase letters (26-character set, 94 bits of entropy) is vastly stronger than an 8-character password using all character types (72 bits). Every additional character multiplies the search space by the charset size. Adding one character to a 12-character password increases cracking time by a factor of 94 — roughly two orders of magnitude.
Randomness eliminates predictability. Humans are poor random number generators. We gravitate toward familiar words, birth years, patterns on the keyboard (qwerty, 123456), and simple substitutions. Attackers know this and build these patterns into their cracking rules. A password chosen by a human — even if it looks random — is statistically far easier to crack than one generated by a computer using a cryptographically secure source of randomness.
Uniqueness prevents credential stuffing. If you reuse a password and that password is exposed in any breach, every account sharing it is immediately compromised. A unique password for every account means a breach at one service cannot cascade to others. With a password manager, unique passwords cost nothing — you never type or memorize them.
Password Manager Recommendations
A password manager is software that generates, stores, and auto-fills your passwords. You remember one strong master password; the manager handles everything else. This is not optional for good security — it is the only practical way to use a unique, strong password for every account.
Bitwarden is open-source, free for individuals, and independently audited. It works across all browsers and operating systems and syncs via the cloud (or self-hosted). A strong choice for most people.
1Password and Dashlane are polished commercial options with family and business plans, travel mode (hiding sensitive vaults at border crossings), and additional security monitoring features.
KeePassXC stores your vault as a local encrypted file with no cloud dependency. It is entirely free and open-source. Best for users who prefer not to sync passwords to any server, or who need an air-gapped setup.
Apple Keychain / Google Password Manager are built into their respective ecosystems and are convenient for users who stay within one platform. They have improved significantly and are a reasonable choice for personal use. They are less flexible than dedicated password managers for cross-platform or cross-browser use.
Password Length vs. Character Set
The table below shows entropy in bits for various combinations of password length and character set size. Values in parentheses give the approximate time to crack at 10 billion guesses per second — a figure achievable with a mid-range GPU cluster in 2024.
| Length | Lowercase only (26) | Alphanumeric (62) | Full ASCII (94) | Strength |
|---|---|---|---|---|
| 8 | 37.6 bits (minutes) | 47.6 bits (days) | 52.4 bits (months) | Weak |
| 10 | 47.0 bits (days) | 59.5 bits (years) | 65.5 bits (centuries) | Fair |
| 12 | 56.4 bits (years) | 71.5 bits (>1000 yrs) | 78.6 bits (very long) | Good |
| 16 | 75.2 bits (very long) | 95.3 bits (astronomical) | 104.8 bits (astronomical) | Strong |
| 20 | 94.0 bits (astronomical) | 119.1 bits (astronomical) | 131.0 bits (astronomical) | Very Strong |
| 24 | 112.9 bits | 143.0 bits | 157.2 bits | Extreme |
For most online accounts, 16 characters using alphanumeric plus symbols (78+ bits) is more than sufficient. For a master password to a password manager — which must survive a worst-case offline attack if the encrypted vault file is ever stolen — aim for 20+ characters (100+ bits).
Frequently Asked Questions
How often should I change my passwords?
Current guidance from NIST (National Institute of Standards and Technology) no longer recommends periodic forced password changes unless there is evidence of compromise. Changing passwords on a fixed schedule — monthly or quarterly — actually encourages weaker passwords because users choose predictable patterns (Password1!, Password2!, etc.). Instead, use a strong unique password for each account and change it immediately if the service reports a breach, or if you suspect your account has been accessed without your knowledge.
Is reusing passwords dangerous?
Yes. Reusing the same password across multiple sites is one of the most common ways accounts get compromised. When any one of those sites is breached, attackers test the leaked credentials on hundreds of other services in automated "credential stuffing" attacks. Even if your password is strong, its value is zero if the site stores it in plaintext and gets breached. A password manager lets you use a unique 20-character random password for every account without having to remember any of them.
Are passphrases better than random passwords?
A passphrase — a sequence of random words like "correct-horse-battery-staple" — can be very strong and is much easier to memorize than "xK8@mP#2qL". A 4-word passphrase drawn from a 7,776-word list (diceware) has about 51 bits of entropy, comparable to a random 9-character password using the full 94-character printable ASCII set. For accounts where you must type the password frequently and cannot use a password manager, passphrases are a practical choice. For most accounts, a randomly generated password stored in a manager is simpler and equally secure.
Does two-factor authentication replace the need for a strong password?
No — two-factor authentication (2FA) and a strong password are complementary, not interchangeable. 2FA protects you if your password is compromised: the attacker still needs your phone or hardware key. A strong password protects you if your 2FA method is temporarily unavailable or if the attacker only has access to your password database without a live login opportunity. Use both. Prefer authenticator apps (TOTP) or hardware keys (FIDO2/WebAuthn) over SMS-based 2FA, which is vulnerable to SIM-swapping attacks.
What is a dictionary attack and how do I defend against it?
A dictionary attack is a password-cracking method where an attacker tries millions of known words, common phrases, and their variants (replacing "a" with "@", adding "123" at the end) rather than brute-forcing every possible character combination. Dictionary attacks can crack passwords like "P@ssw0rd" in seconds because these substitutions are well-known. The defense is randomness: a password generated by a cryptographically secure random number generator — not chosen by a human — cannot be predicted by a dictionary. This generator uses the browser's built-in crypto.getRandomValues() to ensure genuine randomness.
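The sketch below is an added example, not this page's own generator code. It shows one way to draw characters from crypto.getRandomValues() without modulo bias and to compute the standard entropy estimate for a uniformly random password (length × log2 of the character set size). The names SETS, randomIndex, generatePassword, entropyBits and minLength are assumptions chosen for illustration.

```javascript
// Added example: unbiased password generation plus the entropy estimate.
// Browsers and recent Node expose globalThis.crypto; older Node uses the fallback.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  // 32 printable ASCII symbols, giving 94 characters with all sets enabled
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};

// Uniform integer in [0, n) by rejection sampling. A plain `byte % n`
// over-represents low values whenever 256 is not a multiple of n.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('n must be 1..256');
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit); // discard bytes from the uneven tail
  return buf[0] % n;
}

// Entropy of a uniformly random password: length * log2(charset size).
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

// Shortest length that reaches a target entropy for a given charset size.
function minLength(targetBits, charsetSize) {
  return Math.ceil(targetBits / Math.log2(charsetSize));
}

function generatePassword(length, setNames = ['lower', 'upper', 'digits', 'symbols']) {
  const alphabet = setNames.map((name) => {
    if (!Object.hasOwn(SETS, name)) throw new Error(`unknown character set: ${name}`);
    return SETS[name];
  }).join('');
  let out = '';
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return { password: out, bits: entropyBits(length, alphabet.length) };
}
```

The entropy figure only holds because every character is drawn independently and uniformly; it says nothing about a password a person picked by hand.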