Strong & Random Passwords
Last reviewed: May 2026
Generate cryptographically random passwords that resist brute-force attacks, dictionary attacks, and credential stuffing. Password strength is overwhelmingly determined by length and randomness — a 16-character random password with mixed characters would take billions of years to crack with current technology. This generator runs entirely in your browser; no passwords are transmitted or stored.
| Length | Character Set | Entropy (bits) | Time to Crack |
|---|---|---|---|
| 8 | Letters + numbers | ~47 | Hours to days |
| 12 | Letters + numbers + symbols | ~78 | Centuries |
| 16 | Letters + numbers + symbols | ~105 | Billions of years |
| 20 | Letters + numbers + symbols | ~131 | Heat death of universe |
| Recommendation | Details |
|---|---|
| Minimum length | 8 characters (12+ recommended) |
| Maximum length | At least 64 characters allowed |
| Composition rules | No longer required (no forced symbols/numbers) |
| Periodic rotation | Not recommended unless compromised |
| Blocklists | Check against known breached passwords |
Password strength is determined by two factors: length and character diversity. A password composed of only lowercase letters has 26 possible characters per position. Adding uppercase doubles it to 52, digits bring it to 62, and special characters push it to 94 or more. The number of possible combinations is the character set size raised to the power of the password length. An 8-character lowercase-only password has 26⁸ = 208 billion combinations — which modern GPUs can exhaust in under an hour. A 16-character password using all character types has 94¹⁶ = 3.7 × 10³¹ combinations — essentially uncrackable with current and foreseeable technology.
| Password Type | Example | Combinations | Crack Time (10B/sec) |
|---|---|---|---|
| 8 char, lowercase | kqzmvbjf | 2.1 × 10¹¹ | 21 seconds |
| 8 char, mixed + digits | kQ3mVb9f | 2.2 × 10¹⁴ | 6 hours |
| 12 char, mixed + digits | kQ3mVb9fXr2L | 3.2 × 10²¹ | 10,000 years |
| 16 char, all types | kQ3$mVb9!fXr2L@p | 3.7 × 10³¹ | 117 trillion years |
| 4 random words | correct-horse-battery-staple | ~2 × 10¹⁹ | 63 years |
*Crack times assume 10 billion guesses/second (modern GPU cluster). Actual times vary with hardware and attack method.
Attackers rarely "guess" passwords one at a time through login forms — rate limiting and account lockouts make this impractical. Instead, they obtain hashed password databases from data breaches and crack them offline using specialized hardware. Modern GPUs can compute billions of hash operations per second, systematically trying every possible combination (brute force) or working through lists of known common passwords and variations (dictionary attacks). A single high-end GPU can test 10–15 billion MD5 hashes per second or 1–2 billion SHA-256 hashes per second. Distributed cracking rigs with multiple GPUs multiply this capacity.
Dictionary attacks are devastatingly effective against passwords based on common words, names, and patterns. Password lists compiled from previous breaches contain billions of real passwords people have actually used. Attackers also apply rules — appending numbers, substituting letters with symbols (@ for a, 3 for e, $ for s), capitalizing the first letter — making "P@ssw0rd123!" trivially crackable despite appearing complex. Truly random passwords generated by this tool are immune to dictionary attacks because they contain no patterns, words, or predictable structures.
Length overwhelms complexity in the mathematics of password security. Each additional character multiplies the total combinations by the character set size. Adding one character to a 12-character password using 94 characters makes it 94 times harder to crack — equivalent to adding approximately 6.5 bits of entropy. By contrast, switching from lowercase-only to mixed case at the same length doubles the combinations — a much smaller improvement. A 20-character lowercase password (26²⁰ = 1.9 × 10²⁸) is orders of magnitude stronger than an 8-character password using all character types (94⁸ = 6.1 × 10¹⁵). This is why security experts increasingly recommend long passphrases over short complex passwords.
Passphrases — sequences of random words — combine high entropy with memorability. Four randomly selected words from a 7,776-word dictionary (like the Diceware list) produce approximately 51 bits of entropy, comparable to a 10-character random password. Five words push it to 64 bits, and six words to 77 bits — more than sufficient for virtually any application. The key is that the words must be truly randomly selected, not chosen by the user. Humans consistently choose predictable word combinations that are vulnerable to sophisticated dictionary attacks. This generator can create random passphrases that balance security and usability.
The fundamental problem with passwords is that strong ones are hard to remember, and easy ones are easy to crack. Password managers solve this by generating and storing unique random passwords for every account, protected by a single strong master password. A person with 100 online accounts needs 100 unique passwords — impossible to memorize, but trivial for a password manager to handle. The master password should be a strong passphrase of 5–6 random words, which protects the encrypted vault. Leading password managers use AES-256 encryption with PBKDF2 or Argon2 key derivation, making the encrypted database effectively uncrackable without the master password.
Even the strongest password is vulnerable if the service storing it is breached, if phishing tricks you into entering it on a fake site, or if malware captures your keystrokes. Two-factor authentication (2FA) adds a second verification layer — typically a time-based one-time password (TOTP) from an authenticator app, a hardware security key (FIDO2/WebAuthn), or an SMS code. With 2FA enabled, a stolen password alone is insufficient to access the account. Hardware security keys provide the strongest protection, followed by authenticator apps, with SMS codes being the weakest (but still far better than no 2FA) due to SIM-swapping vulnerabilities.
Reusing passwords across multiple sites is the most dangerous password practice. When a single breach exposes your email and password combination, attackers automatically try those credentials on hundreds of other services — a technique called credential stuffing. If you use the same password for your email, bank, and social media, a breach at any one of them compromises all three. Other critical mistakes include using personal information (birthdays, pet names, addresses) that can be researched through social media, using simple keyboard patterns (qwerty, 123456, zxcvbn), and writing passwords on sticky notes or unencrypted files. This generator eliminates all of these risks by producing truly random, unique passwords for every purpose.
Entropy, measured in bits, quantifies the unpredictability of a password. Each bit of entropy doubles the number of possible combinations. The formula is: entropy = log₂(character_set_size^length). A password with 40 bits of entropy has 2⁴⁰ = roughly 1 trillion possible combinations. Security standards generally recommend at least 80 bits for sensitive accounts (approximately a 13-character random password using all character types or a 6-word passphrase). This calculator shows the entropy of each generated password, giving you a concrete measure of security rather than vague "strength meter" ratings that vary between websites and often mislead users about actual password security.
Different services impose different password requirements — minimum length (typically 8–16 characters), mandatory character types (at least one uppercase, one digit, one special character), and sometimes maximum length or excluded special characters. These constraints can actually reduce security when they force users toward predictable patterns (capitalizing the first letter, adding "1!" at the end). This generator lets you customize the character set to meet any service's requirements while maintaining maximum randomness within those constraints. For maximum security, always use the longest password the service allows with all available character types.
This tool generates passwords using a cryptographically secure pseudorandom number generator (CSPRNG), specifically the Web Crypto API's getRandomValues() function. Unlike JavaScript's Math.random() — which is deterministic and predictable — a CSPRNG draws from the operating system's entropy pool, which collects randomness from hardware events like mouse movements, keyboard timing, disk activity, and dedicated hardware random number generators. The result is passwords with true statistical randomness that cannot be predicted even by an attacker who knows the generation algorithm. Each character position is independently selected with equal probability from the character set, ensuring no detectable patterns or biases in the output.
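The per-position selection and the entropy formula described above, as an added example (not this site's actual generator code): it draws bytes from getRandomValues() and uses rejection sampling so that a 94-character set is chosen from without modulo bias. The function names, the 94-character printable ASCII set and the injectable `fill` parameter are assumptions made for illustration.

```javascript
// Added example (not this site's code): unbiased selection with Web Crypto.
// Node fallback for runtimes without a global `crypto` object.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = LOWER.toUpperCase();
const DIGITS = "0123456789";
// The 32 printable ASCII symbols; with letters and digits this is the 94-character set.
const SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
const ALL = LOWER + UPPER + DIGITS + SYMBOLS;

// Default byte source is the CSPRNG; injectable so the rejection logic can be tested.
const csprngFill = (buf) => rng.getRandomValues(buf);

// Uniform integer in [0, n) for n <= 256. A plain `byte % n` favours small
// values whenever 256 is not a multiple of n, so bytes at or above the largest
// multiple of n are discarded and redrawn (rejection sampling).
function randomIndex(n, fill = csprngFill) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    fill(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, charset = ALL, fill = csprngFill) {
  const chars = [...new Set(charset)]; // duplicate characters would skew the odds
  let out = "";
  for (let i = 0; i < length; i++) out += chars[randomIndex(chars.length, fill)];
  return out;
}

// entropy = log2(size^length) = length * log2(size), valid only for uniform random choices
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}
```

With 94 characters the limit is 188, so roughly a quarter of the bytes drawn are discarded; that is the cost of keeping every character equally likely.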
The traditional advice to change passwords every 60–90 days has been largely abandoned by security experts, including NIST (National Institute of Standards and Technology). Their current guidance recommends changing passwords only when there is evidence or suspicion of compromise. Forced frequent rotation leads to weaker passwords (users choose simpler passwords they can remember through rapid changes) and predictable patterns (incrementing numbers, cycling through a small set). Instead, use unique strong passwords for every account, enable 2FA, and monitor for breach notifications through services like Have I Been Pwned. Change a password immediately if the service reports a breach or if you have any reason to suspect unauthorized access.
Select your desired password length, character types, and quantity, then click generate. Each password is created using cryptographically secure randomness. Copy any generated password directly to your clipboard for immediate use.
→ Use 16+ characters. Length is the single most important factor.
→ Never reuse passwords. One breach compromises all accounts sharing that password.
→ Use a password manager. The only way to maintain unique passwords for every account.
→ Enable 2FA everywhere. Even the best password benefits from a second factor.