Password Generator
Pick a length, toggle uppercase, lowercase, numbers and symbols, and this generator produces a password using your browser’s cryptographic random number generator — the same source of entropy that backs SSL key generation and cryptocurrency wallets. No seeded pseudo-random generator, no server round-trip. A 16-character password with all four character classes gives about 95 bits of entropy, enough to resist offline cracking with current hardware.
How strong passwords are built
1. Choose length. Default 16. Anything under 12 is weak for important accounts.
2. Pick character classes. Uppercase, lowercase, numbers, symbols. More classes = more entropy per character.
3. Optional: exclude ambiguous characters. Drop 0/O and 1/l/I if the password will be transcribed from screen to a terminal.
4. Generate. crypto.getRandomValues() picks each character uniformly from the allowed set.
5. Copy and store. Paste into your password manager immediately. Don't reuse.
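Steps 1 to 4 as an added example (not this site's own code): crypto.getRandomValues() only returns raw integers, so the code below maps them onto the allowed set with rejection sampling, which keeps every character equally likely, and computes entropy as length × log2(set size). The function and option names, and the use of all 32 printable-ASCII symbols as the symbol class, are assumptions.

```javascript
// Added example. Browsers and Node 19+ expose Web Crypto as globalThis.crypto;
// the require() fallback is only evaluated on older Node.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const AMBIGUOUS = "0O1lI"; // the look-alike characters the page lists

// Allowed set from printable ASCII 33..126 (assumed symbol class):
// 26 lower + 26 upper + 10 digits + 32 symbols = 94 characters.
function buildAlphabet({ lower = true, upper = true, digits = true,
                         symbols = true, excludeAmbiguous = false } = {}) {
  let out = "";
  for (let code = 33; code <= 126; code++) {
    const ch = String.fromCharCode(code);
    const enabled = /[a-z]/.test(ch) ? lower : /[A-Z]/.test(ch) ? upper
                  : /[0-9]/.test(ch) ? digits : symbols;
    if (enabled && !(excludeAmbiguous && AMBIGUOUS.includes(ch))) out += ch;
  }
  if (out.length === 0) throw new RangeError("no character class selected");
  return out;
}

function cryptoUint32() {
  return webCrypto.getRandomValues(new Uint32Array(1))[0];
}

// Uniform integer in [0, n). A bare `x % n` favours small results whenever
// 2^32 is not a multiple of n, so draws that land in the uneven tail are redone.
function uniformIndex(n, nextUint32 = cryptoUint32) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError("bad n");
  const limit = Math.floor(2 ** 32 / n) * n; // largest multiple of n <= 2^32
  let x;
  do { x = nextUint32(); } while (x >= limit);
  return x % n;
}

function generatePassword(length = 16, options = {}) {
  const alphabet = buildAlphabet(options);
  let password = "";
  for (let i = 0; i < length; i++) password += alphabet[uniformIndex(alphabet.length)];
  return password;
}

// Entropy of a uniformly chosen password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

The second argument of `uniformIndex` exists so the rejection step can be checked with a fixed sequence of draws; leave it at its default when generating real passwords.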
Entropy by length and character set
| Length | Lower only | Lower + numbers | Lower + upper + numbers | All four classes |
|---|---|---|---|---|
| 8 | 38 bits | 41 bits | 48 bits | 52 bits |
| 12 | 57 bits | 62 bits | 71 bits | 79 bits |
| 16 | 75 bits | 83 bits | 95 bits | 105 bits |
| 20 | 94 bits | 103 bits | 119 bits | 131 bits |
| 24 | 113 bits | 124 bits | 143 bits | 158 bits |
What entropy means in practice
- 40 bits — crackable in days with a single GPU today. Fine for throwaway accounts.
- 60 bits — resists online attacks but vulnerable to dedicated offline cracking.
- 80 bits — strong against offline cracking for current hardware.
- 100 bits — effectively uncrackable until quantum computing matures.
- 128 bits — matches AES-128 key strength.
For most online accounts, 16 characters from the full set (105 bits) is more than enough. Bank accounts, password manager masters, crypto wallets deserve 20+ characters.
Why character classes matter
Each class adds options per character. With 26 lowercase letters, one character contributes log2(26) = 4.7 bits. Adding uppercase gives 52 characters and 5.7 bits per character. Adding digits gives 62 characters and 5.95 bits. Adding symbols reaches 94 characters and 6.55 bits. Over 16 characters, that difference compounds to ~30 bits — the difference between “crackable” and “not worth trying.”
When to exclude ambiguous characters
If the password will be typed from screen to a device without a copy-paste path — console installers, some hardware wallets, elderly users reading passwords aloud — excluding 0, O, 1, l, I prevents transcription errors. The entropy cost is minimal (2-3 bits out of 80+).
Password manager workflow
- Install a password manager (Bitwarden, 1Password, KeePass).
- Set a strong master passphrase (6-8 random words — see the passphrase generator).
- Use the manager’s generator for every site, accepting the default strong settings.
- Never reuse passwords across sites, even “throwaway” ones.
- Enable 2FA on everything that supports it.
Manually typed passwords should be rare — only for the manager master, full-disk encryption, and possibly your work computer login.
Things that don’t help
- Changing every 90 days. Forced rotation encourages predictable patterns (Summer2024 → Fall2024). NIST SP 800-63B explicitly recommends against it.
- Writing passwords down on paper in a wallet. Safer than reusing weak passwords, but worse than a password manager.
- Security questions with real answers. “First school” is a Google search away for most people. Generate random fake answers and store them in your manager.
Frequently Asked Questions
16 characters from all four character classes (lower, upper, number, symbol) is strong for almost any account. 20+ for password-manager master, crypto wallet and full-disk encryption. Under 12 is weak regardless of complexity rules.
The password is generated in your browser using the Web Crypto API and never sent anywhere. Open DevTools Network panel if you want to verify. You should still copy it into a password manager immediately rather than screenshotting or emailing.
Data breaches. When one site leaks passwords, attackers immediately try the same email/password combination on hundreds of other sites (credential stuffing). Unique passwords per site contain the damage to one account.
Generate a random 16-character password for that site. A cap of 16 or less usually means the site is storing passwords in a form that doesn’t scale well, which is a red flag — enable 2FA there especially.