Free Password Generator Online

Create strong, unique passwords instantly. Adjust length, character types, and copy with one click.

Generated locally, nothing stored or sent

What Actually Makes a Password Strong

Password strength comes from entropy: the number of bits of randomness an attacker must guess. Entropy is calculated as log₂(charset_size ^ length), which is the same as length × log₂(charset_size): a 12-character password drawn uniformly from the 94 printable ASCII characters has about 79 bits of entropy; a 16-character one has about 105 bits. Modern security guidance considers anything above 80 bits resistant to offline brute-force attacks for the foreseeable future, even with specialised hardware. NIST SP 800-63B (the current US federal digital identity guideline, originally published 2017 with revisions through 2024) explicitly recommends the same: minimum 8 characters, allow up to 64, allow all printable Unicode including spaces. Critically, the same guideline reverses decades of bad password advice: it tells administrators to stop requiring periodic password rotation, stop requiring composition rules like "must contain a symbol," and start checking new passwords against breach corpora (the Have I Been Pwned Pwned Passwords API, Troy Hunt 2018, is the standard implementation). The practical advice in 2026: long, random, unique-per-account, stored in a password manager.
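The breach-corpus check mentioned above, as an added example (not code from this site or from Have I Been Pwned). It goes one step beyond the paragraph by using the Pwned Passwords range endpoint, where only the first five hex characters of the password's SHA-1 are sent and the match is done locally. The sample response body and its counts are constructed, and the function names are illustrative.

```javascript
// Added example: screen a new password against Pwned Passwords (range query).
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Constructed sample of a range response body: "HASH_SUFFIX:COUNT" per line.
// The counts are made up; the 0-count line imitates a padding entry.
const SAMPLE_RANGE_BODY =
  '0018A45C4D1DEF81644B54AB7F969B88D65:0\r\n' +
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n';

// SHA-1 of the candidate password as 40 uppercase hex characters.
async function sha1Hex(password) {
  const bytes = new TextEncoder().encode(password);
  const digest = await webCrypto.subtle.digest('SHA-1', bytes);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Look up the 35-character hash suffix in a range response; 0 means not listed.
function breachCount(hashHex, rangeBody) {
  const suffix = hashHex.slice(5).toUpperCase();
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return Number.parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// Network fetcher: only the 5-character hash prefix leaves the client.
// Add-Padding asks the service to pad the response with 0-count entries.
async function fetchRange(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`,
    { headers: { 'Add-Padding': 'true' } });
  if (!res.ok) throw new Error(`range query failed: HTTP ${res.status}`);
  return res.text();
}

// True if the password appears in the corpus and should be rejected at signup.
async function isBreached(password, fetcher = fetchRange) {
  const hash = await sha1Hex(password);
  return breachCount(hash, await fetcher(hash.slice(0, 5))) > 0;
}
```

Passing a stub as `fetcher` keeps the check testable offline; a padding entry with count 0 is treated as "not listed".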

Passphrases, The Diceware Tradition

A passphrase is a password built from random words rather than random characters. The technique was formalised by Arnold G. Reinhold's Diceware in 1995, a wordlist of 7,776 short common English words, each with a 5-digit dice-roll address (6⁵ = 7,776). Roll five dice, look up the word, repeat for as many words as you want. Six Diceware words give about 77 bits of entropy, equivalent to a 12-character random ASCII password but vastly easier for a human to type and remember. The XKCD comic #936 ("correcthorsebatterystaple", September 2011) made the concept widely known and shifted security culture; password managers and secure-defaults projects like Bitwarden, 1Password, KeePassXC and the EFF's updated wordlists all support passphrase generation. The advantage isn't security (character-based and word-based passwords with equivalent entropy are equally strong against brute force); it's typability. A passphrase is the right format when you actually need to type the password (master password for your password manager, full-disk encryption password, anything you must enter before the password manager's autofill is available).

Why Random Matters, and the CSPRNG Question

Password strength assumes the password is uniformly random. Patterns the attacker can predict, such as keyboard walks (qwerty), dates, dictionary words and l33t substitutions, destroy entropy faster than the count of characters suggests. Hashcat and John the Ripper, the standard password-cracking tools, try millions of common patterns first; an 8-character password using one of those patterns falls in seconds. This generator uses the browser's Web Crypto API, specifically crypto.getRandomValues(): a cryptographically secure random number generator (CSPRNG) that draws from the operating system's entropy pool. Unlike Math.random() (which is fast but predictable and must never be used for security), crypto.getRandomValues() is the same primitive the browser uses to generate TLS session keys. The randomness is suitable for any cryptographic purpose, including passwords.
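The uniformity requirement above and the dice-roll addressing from the Diceware section, as an added example (not this site's own generator code). It shows how to turn crypto.getRandomValues() output into unbiased character and dice picks with rejection sampling, since a plain `value % n` favours low indices; all function names are illustrative.

```javascript
// Added example: unbiased picks on top of crypto.getRandomValues().
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// The 94 printable ASCII characters, '!' (33) through '~' (126).
const PRINTABLE_ASCII =
  Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join('');

// Uniform integer in [0, n). Draws a 32-bit value and rejects anything at or
// above the largest multiple of n, so every residue is equally likely.
function uniformInt(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Random password; duplicate characters in the charset are removed first so
// no character gets more than one share of the probability.
function generatePassword(length, charset = PRINTABLE_ASCII) {
  const chars = [...new Set(charset)];
  if (chars.length < 2) throw new RangeError('charset needs at least 2 distinct characters');
  return Array.from({ length }, () => chars[uniformInt(chars.length)]).join('');
}

// One Diceware address: five dice rolls (1..6) and the matching zero-based
// position in a 7,776-entry wordlist sorted by address.
function diceAddress() {
  const rolls = Array.from({ length: 5 }, () => uniformInt(6) + 1);
  const index = rolls.reduce((acc, d) => acc * 6 + (d - 1), 0);
  return { address: rolls.join(''), index };
}

// Entropy in bits of `count` independent uniform picks from `choices` options.
function entropyBits(choices, count) {
  return count * Math.log2(choices);
}
```

`entropyBits(94, 12)` and `entropyBits(7776, 6)` reproduce the roughly 79-bit and 77-bit figures quoted on this page.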

The Critical Companion: Use a Password Manager

Generating strong unique passwords is only useful if you have somewhere to store them. The 2026 password-manager landscape: Bitwarden (Kyle Spearrin, 2016, open-source, free tier with optional paid upgrade) is the dominant open-source choice. 1Password (AgileBits, founded 2006) is the polished commercial option. KeePassXC (community fork of KeePass, fully offline, file-based vault) is the choice for people who don't trust cloud sync. Apple's iCloud Keychain, Google Password Manager, and Microsoft Edge's password manager are the no-friction defaults built into each platform. Proton Pass (2023) is the privacy-first newer option from the Proton/ProtonMail people. The browser-native managers are the lowest-friction path; dedicated managers offer better cross-platform sync and additional features. The recommendation for 2026: any reputable password manager + unique generated password per account + a strong unique master password (the one password you actually have to memorise) + a hardware security key (YubiKey or similar) for high-value accounts.

How Strong Is Your Password?

A 12-character password drawn uniformly from the 94 printable ASCII characters has 94¹² ≈ 4.75 × 10²³ possible values, about 79 bits of entropy. To brute-force a 79-bit space at 1 trillion guesses per second (achievable with a high-end GPU rig) takes about 19,000 years. Each additional character multiplies the search space by 94, doubling the cracking time roughly every 1.4 characters. A 16-character password takes about 1.5 trillion years to brute-force at the same rate. The takeaway: 12 characters is enough for most accounts; 16+ is appropriate for master passwords, encryption keys, and high-value accounts. The strength meter on this generator estimates entropy from the character set you've enabled and the length you've chosen.

Frequently Asked Questions

Is this password generator secure?

Yes. We use the Web Crypto API (crypto.getRandomValues) which provides cryptographically secure random numbers. No passwords are stored, transmitted, or logged. Everything runs in your browser.

What password length should I use?

We recommend at least 16 characters for important accounts. For maximum security (master passwords, encryption keys), use 20-32 characters. The longer the password, the harder it is to crack.

Should I include symbols?

Yes, when possible. Symbols dramatically increase the number of possible combinations. However, some websites restrict which characters you can use. If a site rejects symbols, uncheck that option and increase the length to compensate.

Why should I never reuse passwords?

If one site gets breached, attackers try the same email/password combo on other sites (credential stuffing). Using unique passwords for every account means a single breach cannot compromise your other accounts.
