Password generator
Generate a cryptographically secure random password in your browser. Adjust length and character types — nothing is sent or stored.
Generated in your browser using crypto.getRandomValues. Nothing is sent or stored.
How this generator works
Every password is built entirely inside your browser using crypto.getRandomValues, part of the Web Crypto API available in every modern browser. The API draws from the operating system’s cryptographically secure pseudo-random number generator (CSPRNG) — the same source used by TLS, disk encryption, and key generation tools. Unlike Math.random(), which is not suitable for security purposes, crypto.getRandomValues produces output that is computationally indistinguishable from true randomness.
The strength of a random password is measured in bits of entropy, calculated as:
entropy = length × log₂(pool size)
“Pool size” is how many unique characters are available for each position. With all four character types enabled — 26 uppercase, 26 lowercase, 10 digits, and 27 symbols — the pool is 89 characters. Each additional character you add to the password multiplies the number of possible combinations by 89. A 16-character password from this pool has about 105 bits of entropy: astronomically beyond the reach of brute force with today’s hardware.
Because nothing leaves your browser, there is no server that could be hacked, no log file that could be leaked, and no database that could be breached. The password exists only in your clipboard and wherever you choose to save it.
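The generation step and entropy formula described above, sketched as an added example (not this page's own source code). The 27-character symbol set and all function names are assumptions, and the rejection-sampling step goes beyond what the page states: it keeps every pool character equally likely, which the entropy formula relies on.

```javascript
// Added example, not the page's own source. Uses the Web Crypto API;
// the fallback only matters on older Node.js without a global `crypto`.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const CLASSES = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.<>?/~', // assumed set, 27 characters
};

// Concatenate the selected character classes into one pool.
function buildPool(selected) {
  const pool = selected.map((name) => {
    if (!Object.hasOwn(CLASSES, name)) throw new Error(`unknown class: ${name}`);
    return CLASSES[name];
  }).join('');
  if (pool.length === 0) throw new Error('No character types selected');
  return pool;
}

// Uniform integer in [0, n) for n <= 256, by rejection sampling.
// Taking `byte % n` over the full 0..255 range would favour low indices
// whenever 256 is not a multiple of n, so bytes >= limit are discarded.
function uniformIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  for (;;) {
    webCrypto.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

function generatePassword(length, selected) {
  if (!Number.isInteger(length) || length < 1) throw new Error('invalid length');
  const pool = buildPool(selected);
  let out = '';
  for (let i = 0; i < length; i++) out += pool[uniformIndex(pool.length)];
  return out;
}

// entropy = length × log2(pool size)
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}
```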
Length beats complexity
The single most important decision you make for password security is length. Consider two passwords: an 8-character password using all four character types (pool ~89), yielding roughly 52 bits of entropy; and a 20-character password using only lowercase letters (pool 26), yielding roughly 94 bits. The longer lowercase-only password is orders of magnitude harder to crack despite having a smaller character pool.
Why? Because entropy grows linearly with length but only logarithmically with pool size. Doubling the length doubles the entropy; doubling the pool size adds only one bit. Practically, this means that adding four more characters to a password is worth more than switching from letters-only to letters-plus-symbols.
For day-to-day accounts a 16-character random password is more than adequate — the time to crack it at a billion guesses per second exceeds the age of the universe. For high-value targets like your primary email, banking, or password manager master password, use 20 or more characters. There is no meaningful cost to using a long password in a password manager, so err on the side of more.
What makes a password weak
The most common password mistakes are not exotic — they are predictable patterns that automated crackers are specifically trained to exploit.
- Reusing passwords. When one site is breached and passwords are leaked, attackers immediately try those credentials on every major service. This “credential stuffing” attack succeeds because most people reuse passwords. Every account should have a unique password.
- Predictable substitutions. Replacing letters with similar-looking characters — P@ssw0rd, S3cur1ty! — fools nobody. These substitution patterns are the first things a dictionary attack tries after the base words. A password that looks complex but follows a known pattern has far less entropy than it appears.
- Short passwords. Anything under 12 characters is crackable with commodity hardware given enough time and a leaked hash. Many breached databases are cracked offline, meaning attackers have unlimited time and no lockout to worry about.
- Personal information. Names, birthdays, pet names, and favourite teams appear in targeted attacks before generic wordlists. If the attacker knows anything about you, they know what to try first.
The antidote to all of these is a randomly generated password of sufficient length. Random means truly random — not “random enough” or “hard to guess.” A CSPRNG with no knowledge of you produces output that cannot be reverse-engineered from context, which is exactly what this generator does.
Password managers
A strong, unique password for every account is only practical if you do not have to remember any of them. That is the purpose of a password manager: a single encrypted vault that stores every credential and auto-fills them when you need them.
The only password you need to memorise is the master password for your vault — make that one a long, memorable passphrase (four or more random words strung together work well). Everything else can be a 20-character random string generated here or by the manager itself.
Password managers also protect against phishing. They match credentials to the exact domain they were saved for, so even a convincing fake login page for your bank will not receive an auto-fill. That protection alone is worth the small learning curve.
Good password managers exist across a spectrum of price and openness — some are free and open-source, some are commercial subscriptions, and some are built into operating systems. The differences matter less than the habit: use one, keep it backed up, and enable two-factor authentication on the vault itself. That combination closes the vast majority of account-compromise vectors available to an attacker.