What Makes a Password Strong?
Password strength is measured by entropy — the number of bits of randomness a password contains. Higher entropy means more possible combinations, which directly translates to how long it would take an attacker to crack the password by brute force.
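Entropy formula: Entropy (bits) = log₂(charset size) × password length. The formula assumes every character is chosen independently and uniformly at random from the charset, as a generator does; it does not describe human-chosen passwords. A 16-character password using all four character sets (lowercase + uppercase + numbers + symbols = 95 characters) has entropy of log₂(95) × 16 ≈ 104 bits, which is astronomically strong against any current or foreseeable brute-force attack.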
| Length | Charset | Entropy | Strength | Crack time (est.) |
|---|---|---|---|---|
| 8 chars | Lowercase only (26) | 37.6 bits | Weak | Minutes to hours |
| 8 chars | Mixed + numbers (62) | 47.6 bits | Moderate | Days to weeks |
| 12 chars | All sets (95) | 78.9 bits | Strong | Centuries |
| 16 chars | All sets (95) | 105.2 bits | Very Strong | Astronomically long |
| 20 chars | All sets (95) | 131.5 bits | Extreme | Beyond heat death of universe |
Password Security Best Practices
Frequently Asked Questions
Is this password generator truly random?
This generator uses the Web Crypto API (window.crypto.getRandomValues) when it is available in your browser. That API is a cryptographically secure pseudorandom number generator (CSPRNG) suitable for generating passwords and cryptographic keys, and it is the same API used by password managers and security software. In environments where the Web Crypto API is unavailable, Math.random() is used instead. Math.random() is not cryptographically secure and should be considered a fallback only.
Are my generated passwords stored or sent anywhere?
No. All password generation happens entirely within your browser in JavaScript. No network requests are made. No passwords are logged, transmitted, or stored anywhere outside your browser tab. You can verify this by generating passwords while your device is in airplane mode — they will generate identically. Once you close or refresh the page, the passwords are gone.
How long should my password be?
For most accounts, 16 characters using all character sets provides more than sufficient security against any current brute-force attack — approximately 105 bits of entropy. For highly sensitive accounts (banking, email, password manager master password), 20 to 24 characters is a reasonable target. For anything stored in a password manager rather than memorized, there is no practical reason not to use 32 characters or more — it costs nothing and significantly increases future-proofing against computational advances.
What are ambiguous characters and why exclude them?
Ambiguous characters are those that look visually similar in certain fonts and can be confused when reading a password manually: lowercase L (l), uppercase i (I), number one (1), lowercase o (o), uppercase O (O), number zero (0), pipe (|), backtick (`), and certain quote marks. Excluding them only matters if you ever need to type the password manually. For passwords stored in a password manager and filled automatically, there is no reason to exclude them — doing so slightly reduces entropy.
What is password entropy and why does it matter?
Entropy measures the number of equally likely possibilities a password could be — expressed in bits. One bit of entropy doubles the number of possibilities. A password with 50 bits of entropy has 2 to the power of 50 (about one quadrillion) possible combinations. Entropy is calculated as log₂(charset size) multiplied by password length. It is the mathematically correct way to measure password strength — not arbitrary rules about requiring uppercase and lowercase, which add far less security than simply adding more random characters.
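The points above about the CSPRNG, ambiguous characters and entropy can be combined in one sketch. This is an added example, not this generator's own code: it draws characters with crypto.getRandomValues using rejection sampling, so every character in the charset is equally likely, which is the condition the entropy formula relies on. The function names, the exact symbol set (ASCII punctuation plus space, to reach 95 characters), the reading of "certain quote marks" as ' and ", and the choice to throw instead of falling back to Math.random() are all assumptions of the example.

```javascript
// Added example. In a browser globalThis.crypto is the Web Crypto API; the
// require() branch only lets the same file run under older Node.js.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Assumed sets: 26 + 26 + 10 + 33 (ASCII punctuation incl. space) = 95.
const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
// Ambiguous characters from the FAQ; ' and " are an assumed reading of
// "certain quote marks".
const AMBIGUOUS = new Set("lI1oO0|`'\"");

function buildCharset(opts) {
  let chars = "";
  for (const name of Object.keys(SETS)) if (opts[name]) chars += SETS[name];
  if (opts.excludeAmbiguous) {
    chars = [...chars].filter((c) => !AMBIGUOUS.has(c)).join("");
  }
  if (chars.length === 0) throw new Error("no character set selected");
  return chars;
}

function generatePassword(length, charset) {
  // Fail closed: this example refuses to fall back to Math.random().
  if (!rng || typeof rng.getRandomValues !== "function") {
    throw new Error("no CSPRNG available");
  }
  const n = charset.length;
  if (n < 1 || n > 256) throw new Error("charset must have 1..256 characters");
  // Rejection sampling: bytes >= limit are discarded, because mapping them
  // with % n would make the first (256 % n) characters slightly more likely.
  const limit = 256 - (256 % n);
  const out = [];
  const buf = new Uint8Array(64);
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(charset[b % n]);
    }
  }
  return out.join("");
}

// Entropy in bits of a password drawn uniformly from charsetSize symbols.
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}
```

Excluding the ten ambiguous characters shrinks the charset from 95 to 85, so a 16-character password loses about 2.6 bits of entropy.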

