How this works
A strong password is one an attacker can't feasibly guess. The standard formal measure is entropy, expressed in bits, which counts how many possible passwords could have been generated under the same rules. Entropy = length × log2(character_pool_size). A 12-character password using lowercase letters only (26 options per position) has 12 × log2(26) ≈ 56 bits of entropy. Add uppercase, digits and symbols (~94 options), and a 12-char password jumps to 12 × log2(94) ≈ 79 bits. The difference is huge: 56 bits = ~72 quadrillion possibilities; 79 bits = ~600 sextillion. At a hash-cracking rate of 1 trillion guesses per second (high-end consumer GPU on a fast hash), 56 bits falls in ~20 hours; 79 bits takes ~19,000 years. The takeaway: length and character variety both compound exponentially.
Because entropy scales linearly with length and only logarithmically with the character pool, length is the more efficient lever. Adding a single character to a 12-character all-printable password adds ~6.5 bits of entropy (roughly 100× harder to crack); switching from lowercase-only to mixed-case + digits adds about 24 bits (16M× harder), but only once — you can't reuse that gain. For sites that allow it, a 16+ character password drawn from the full ~94-character set hits ~105 bits and is generally considered "uncrackable" against any realistic attacker, including state-level adversaries running massive farms. NIST SP 800-63B currently recommends 8+ characters for general accounts and 12+ for higher-security accounts; security-conscious users should aim higher.
A few practical points. (1) Truly random matters. A "random-looking" password you made up yourself isn't random — humans cluster on certain letters, words, and substitutions ("S@m" instead of "Sam") that crackers have profiled extensively. The browser's crypto.getRandomValues API (which this tool uses) produces cryptographically random output that's genuinely uniform across the character pool. (2) Don't reuse passwords. The biggest real-world risk is credential stuffing: a 50-bit password from one breached site getting tried against your bank. Use a password manager with a long master password (consider a 25+ character passphrase or 16+ random) and let it generate unique passwords for every site. (3) Memorability matters less than people think. With a password manager you only need to remember one master password; everything else can be 30+ characters of pure noise. For the master, the EFF Diceware list of common English words gives ~13 bits per word — a 5-word passphrase like "correct horse battery staple bishop" gives ~65 bits, easy to memorise, very strong.
The formula
entropy_bits = length × log2(pool_size), and expected_crack_time = 2^entropy_bits / 2 / guesses_per_second. length is the password length in characters. pool_size is the number of possible characters at each position, determined by which character classes you enable. The "/2" in the brute-force estimate reflects that on average an attacker finds the password halfway through the search space, not at the end.
Example calculation
- Generate a 16-character password using lowercase + uppercase + digits + symbols (94-character pool).
- Entropy = 16 × log2(94) = 16 × 6.554 ≈ 105 bits.
- At 1 trillion (10^12) guesses per second on a fast hash, expected crack time = 2^105 / 2 / 10^12 ≈ 6.4×10^20 seconds, or about 2×10^13 years — orders of magnitude longer than the age of the universe.
- For comparison: an 8-character lowercase-only password has 8 × log2(26) ≈ 38 bits, crackable in 2^38 / 2 / 10^12 ≈ 0.14 seconds. The same length with full character classes is 8 × log2(94) ≈ 52 bits → ~2,250 seconds (~37 minutes). Length matters more than class variety.
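The calculation above, carried through in code as an added example (not the page's own calculator). It uses the unrounded entropy rather than the rounded bit counts in the list, so its figures differ slightly from those above; the guess rate of 10^12 per second is an assumption taken from the text, and the division by 2 is the average-case search described under "The formula".

```javascript
// Added example (not the page's calculator): entropy and expected crack time
// for the three cases in the worked calculation.

const GUESSES_PER_SECOND = 1e12; // assumed: fast hash on a high-end GPU
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// entropy_bits = length * log2(pool_size)
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Average-case seconds to find the password: half the keyspace, divided by
// the attacker's guess rate.
function expectedCrackSeconds(bits, guessesPerSecond = GUESSES_PER_SECOND) {
  return Math.pow(2, bits) / 2 / guessesPerSecond;
}

// Largest unit that applies, three significant figures.
function humanDuration(seconds) {
  const units = [
    ['years', SECONDS_PER_YEAR],
    ['days', 86400],
    ['hours', 3600],
    ['minutes', 60],
    ['seconds', 1],
  ];
  for (const [name, size] of units) {
    if (seconds >= size) return `${(seconds / size).toPrecision(3)} ${name}`;
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// One row of the comparison, returned as numbers so callers can check them.
function analyse(length, poolSize, guessesPerSecond = GUESSES_PER_SECOND) {
  const bits = entropyBits(length, poolSize);
  const seconds = expectedCrackSeconds(bits, guessesPerSecond);
  return { length, poolSize, bits, seconds, readable: humanDuration(seconds) };
}

// Constructed comparison: the page's three cases side by side.
const CASES = [
  { label: '8 chars, lowercase only', length: 8, poolSize: 26 },
  { label: '8 chars, all four classes', length: 8, poolSize: 94 },
  { label: '16 chars, all four classes', length: 16, poolSize: 94 },
];
for (const c of CASES) {
  const r = analyse(c.length, c.poolSize);
  console.log(`${c.label}: ${r.bits.toFixed(1)} bits, ~${r.readable}`);
}
```

Run it with a different GUESSES_PER_SECOND to see how little the conclusion moves: every tenfold increase in attacker speed costs only log2(10) ≈ 3.3 bits, which one extra random character more than repays.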
Frequently asked questions
Is this password generator safe? Where do the passwords go?
Generated entirely in your browser using window.crypto.getRandomValues — a cryptographically secure random source built into modern browsers. Nothing is sent over the network, logged, stored, or transmitted to any server. You can verify this by opening the browser dev tools (Network tab) while generating: zero requests fire. The page itself is statically hosted, so even if our servers were compromised the generator code would still run locally on your machine. For peak paranoia, generate on a device that's offline, or use 'view source' to inspect the code before trusting it. The browser crypto API is the same primitive that powers TLS, password managers, and signing operations — it's as safe as any common cryptographic operation you trust daily.
How long should my password be?
For most accounts: 16 characters from the full character set (~105 bits) is comfortably secure against any realistic attacker today and for the foreseeable future. For low-stakes throwaway accounts: 12 characters is fine (~79 bits). For your password-manager master: 20+ characters or a 5-7 word Diceware passphrase. For systems with character-class restrictions (e.g. "must contain 1 uppercase, 1 digit, 1 symbol"), the calculator above accounts for that — generate longer to compensate for the reduced effective entropy. Avoid arbitrarily long (50+ char) passwords unless you genuinely need to: they cause UX friction (autofill issues, copy errors) without meaningful security gain past ~100 bits.
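The "reduced effective entropy" mentioned for composition rules can be made exact. A rule such as "must contain one uppercase, one digit and one symbol" excludes every string that misses a required class, and the number of strings that survive is found by inclusion-exclusion over the required classes. The block below is an added example, not the page's calculator; the class sizes (26, 26, 10, 32) and the 94-character pool are assumptions, and the helper also finds the shortest length at which the constrained password matches an unconstrained target.

```javascript
// Added example (not the page's calculator): entropy lost to composition
// rules, counted by inclusion-exclusion over the required classes.

const CLASS_SIZES = { lower: 26, upper: 26, digits: 10, symbols: 32 }; // assumed

// Number of length-n strings over the enabled classes that contain at least
// one character from every required class. Each bitmask selects a subset S of
// required classes to be absent; strings avoiding S number
// (pool - |S|'s characters)^n and enter with sign (-1)^|S|. Doubles are
// accurate enough here because the full-pool term dominates the sum.
function countSatisfying(length, enabled, required) {
  const pool = enabled.reduce((sum, name) => sum + CLASS_SIZES[name], 0);
  let total = 0;
  for (let mask = 0; mask < 1 << required.length; mask++) {
    let removed = 0;
    let absent = 0;
    for (let i = 0; i < required.length; i++) {
      if (mask & (1 << i)) {
        removed += CLASS_SIZES[required[i]];
        absent++;
      }
    }
    total += (absent % 2 === 0 ? 1 : -1) * Math.pow(pool - removed, length);
  }
  return total;
}

function effectiveBits(length, enabled, required) {
  return Math.log2(countSatisfying(length, enabled, required));
}

function unconstrainedBits(length, enabled) {
  return Math.log2(countSatisfying(length, enabled, []));
}

// Smallest length whose constrained entropy reaches targetBits; this is the
// "generate longer to compensate" step as a number.
function minLengthForBits(targetBits, enabled, required) {
  for (let n = Math.max(1, required.length); n <= 128; n++) {
    if (effectiveBits(n, enabled, required) >= targetBits) return n;
  }
  throw new Error('target not reachable within 128 characters');
}

// Usage:
const ALL_CLASSES = ['lower', 'upper', 'digits', 'symbols'];
const RULE = ['upper', 'digits', 'symbols'];
console.log('16 chars, no rule:', unconstrainedBits(16, ALL_CLASSES).toFixed(2), 'bits');
console.log('16 chars, rule:   ', effectiveBits(16, ALL_CLASSES, RULE).toFixed(2), 'bits');
console.log('length to match:  ', minLengthForBits(unconstrainedBits(16, ALL_CLASSES), ALL_CLASSES, RULE));
```

For long random passwords the loss is a fraction of a bit, because almost every random 16-character string already contains all the classes; the rule bites hardest on short passwords, where a large share of the keyspace is thrown away. What it does not model is the far larger loss when a person satisfies the rule by hand (capital first, digit last), which is a predictability problem rather than a counting one.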
What about passphrases instead of random characters?
Excellent for memorability with strong entropy when generated correctly. The EFF Diceware long word list (~7,800 common English words) gives ~12.9 bits of entropy per word picked uniformly at random. Five words = ~65 bits (good for moderate-security accounts), seven words = ~90 bits (very strong, comparable to a 14-character random password), nine words = ~115 bits (paranoid-grade). Critical: the words must be picked truly randomly, not chosen by you. Self-chosen "memorable phrases" cluster on common words, songs, quotes, and grammatical patterns that crackers exploit (the famous "correct horse battery staple" XKCD strip works only because the words were diceware-rolled, not picked). Tools like the EFF's diceware page or password managers with passphrase generators do this correctly. Drawbacks: passphrases are longer to type, more error-prone, and many sites cap password length below what a 7+ word phrase needs. Use them for your master password and accounts that allow them; use random characters elsewhere.
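The Diceware method itself is simple enough to show in full: five rolls of a six-sided die are read as a base-6 number that indexes a 6^5 = 7,776-word list (the size of the EFF long list), so each word carries log2(7776) bits. The block below is an added example and not the EFF's tooling; the word list in it is a constructed placeholder of 7,776 synthetic entries, so only the index arithmetic and the entropy figures are real.

```javascript
// Added example (not the EFF's tooling): the Diceware lookup and the
// per-word entropy arithmetic behind the figures above.

const LIST_SIZE = 7776; // 6^5 entries, the size of the EFF long list

// Constructed placeholder standing in for the real list: "w0000" .. "w7775".
const PLACEHOLDER_LIST = Array.from({ length: LIST_SIZE }, (_, i) => 'w' + String(i).padStart(4, '0'));

// "11111" .. "66666" -> 0 .. 7775, reading the five rolls as base 6.
function diceToIndex(rolls) {
  if (!/^[1-6]{5}$/.test(rolls)) throw new Error('expected five digits in the range 1-6');
  let index = 0;
  for (const d of rolls) index = index * 6 + (Number(d) - 1);
  return index;
}

// Inverse of diceToIndex, useful for checking a list entry by hand.
function indexToDice(index) {
  if (!Number.isInteger(index) || index < 0 || index >= LIST_SIZE) throw new RangeError('index outside the list');
  let rolls = '';
  for (let i = 0; i < 5; i++) {
    rolls = String((index % 6) + 1) + rolls;
    index = Math.floor(index / 6);
  }
  return rolls;
}

// Physical-dice workflow: one five-roll string per word, looked up in order.
function passphraseFromRolls(rollStrings, list = PLACEHOLDER_LIST) {
  return rollStrings.map((r) => list[diceToIndex(r)]).join(' ');
}

// Entropy of n words drawn uniformly from a list of the given size.
function passphraseBits(words, listSize = LIST_SIZE) {
  return words * Math.log2(listSize);
}

// Words needed to reach a target, and the random-character length a
// passphrase matches (94-character pool assumed).
function wordsForBits(targetBits, listSize = LIST_SIZE) {
  return Math.ceil(targetBits / Math.log2(listSize));
}
function equivalentRandomChars(words, poolSize = 94, listSize = LIST_SIZE) {
  return passphraseBits(words, listSize) / Math.log2(poolSize);
}

// Usage (rolls constructed for the example):
console.log(passphraseFromRolls(['11111', '52413', '66666']));
for (const n of [5, 7, 9]) {
  console.log(`${n} words: ${passphraseBits(n).toFixed(1)} bits, ~${equivalentRandomChars(n).toFixed(1)} random chars`);
}
```

The entropy figures hold only when every index is produced by fair dice or a cryptographic generator; the lookup gives the same 12.9 bits per word whether the list is the real one or the placeholder, which is the point: the list only needs to be public, the rolls are the secret.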