UtilityDocker

Password Generator

Generate strong, random passwords with customizable length, character types, and strength meter. Cryptographically secure — everything runs locally.

Sample output:

  • Password strength: Very Strong
  • Entropy: 104.1 bits
  • Pool size: 91 characters
  • Crack time: 35 trillion years (10B guesses/sec)
  • 1 password generated: qhwLV/Em$2e5V@p[

Passwords generated locally using the Web Crypto API (crypto.getRandomValues) — never sent over the network.

Why Password Strength Matters

Weak passwords remain the single most common entry point for cyberattacks. Credential stuffing attacks, where attackers try leaked username and password combinations against other services, succeed because people reuse simple passwords across multiple sites. A strong, unique password for every account is your first line of defense.

Password strength comes down to entropy, a measure of how unpredictable a password is. Entropy is calculated as the logarithm (base 2) of the total number of possible combinations: for a password of L characters chosen independently and uniformly from a pool of N characters, that is L × log2(N) bits. A 16-character password drawn from a pool of 95 printable ASCII characters yields roughly 105 bits of entropy. At ten billion guesses per second (a realistic estimate for modern GPU-based cracking), exhausting that keyspace would take far longer than the age of the universe.

How This Generator Works

This tool uses the Web Crypto API, specifically crypto.getRandomValues(), to produce cryptographically secure random numbers. Unlike Math.random(), which uses a pseudorandom number generator with predictable patterns, the Web Crypto API draws from the operating system’s entropy pool. This is the same randomness source used by TLS, SSH key generation, and disk encryption.

Each character in the generated password is selected independently using rejection sampling to eliminate modulo bias. This means every character in the available pool has an exactly equal probability of being chosen, which is essential for achieving the advertised entropy.
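The rejection step described above, as an added example that is not the tool's own source code: bytes from crypto.getRandomValues() are discarded when they fall above the largest multiple of the pool size, and hitCounts() shows the skew that a plain modulo would otherwise introduce. POOL and all function names are assumptions made for the illustration.

```javascript
// Added example, not the tool's code. POOL is a constructed sample pool
// (94 printable non-space ASCII characters), not the tool's character set.
// Browsers expose globalThis.crypto; older Node versions need the fallback.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const POOL = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join('');

// Largest multiple of poolSize that fits in the byte range 0..255.
// Bytes at or above this limit would over-represent the first pool entries.
function acceptLimit(poolSize) {
  if (!Number.isInteger(poolSize) || poolSize < 1 || poolSize > 256) {
    throw new RangeError('pool size must be 1..256 for single-byte sampling');
  }
  return 256 - (256 % poolSize);
}

function generatePassword(length, pool = POOL) {
  const limit = acceptLimit(pool.length);
  const out = [];
  const buf = new Uint8Array(64);
  while (out.length < length) {
    rng.getRandomValues(buf);            // CSPRNG bytes, never Math.random()
    for (const b of buf) {
      // Rejected bytes are simply skipped; accepted ones map uniformly.
      if (b < limit && out.length < length) out.push(pool[b % pool.length]);
    }
  }
  return out.join('');
}

// Deterministic check: feed every byte value 0..255 exactly once and count
// how often each pool index is selected, with and without rejection.
function hitCounts(poolSize, reject) {
  const limit = reject ? acceptLimit(poolSize) : 256;
  const counts = new Array(poolSize).fill(0);
  for (let b = 0; b < 256; b++) {
    if (b < limit) counts[b % poolSize]++;
  }
  return counts;
}

// 0 means every character is equally likely; anything else is modulo bias.
function spread(counts) {
  return Math.max(...counts) - Math.min(...counts);
}
```

For a 91-character pool, plain modulo selects the first 74 characters three times out of 256 byte values and the remaining 17 only twice; with rejection every character is selected exactly twice.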

Choosing the Right Settings

For most accounts, a 16-character password with all character types enabled provides excellent security. If a service does not accept symbols, disable that option and compensate by increasing the length to 20 or more characters.

The exclude ambiguous characters option removes characters that look similar in many fonts: the digit zero and the letter O, and the digit one, the lowercase L, and the uppercase I. Enable this when you need to read or type a password manually, such as entering a Wi-Fi key on a device without paste support.

For generating passwords in bulk, use the count selector to produce up to ten at once. This is useful when provisioning test accounts, setting up shared credentials for a team, or rotating multiple service passwords at the same time.

Understanding the Strength Meter

The strength meter is based entirely on mathematical entropy, not on pattern detection or dictionary checks. It calculates the total number of possible passwords given your chosen length and character pool, then translates that into a qualitative rating:

  • Very Weak (under 28 bits): Can be cracked in seconds. Never use passwords at this level.
  • Weak (28-35 bits): Vulnerable to targeted attacks. Acceptable only for throwaway accounts.
  • Fair (36-59 bits): Reasonable for low-value accounts but not recommended for anything sensitive.
  • Strong (60-99 bits): Suitable for most accounts. Infeasible to crack with current hardware.
  • Very Strong (100+ bits): Enterprise-grade security. Recommended for email, banking, and password manager vaults.

The crack time estimate assumes an attacker with access to a high-end GPU cluster performing ten billion guesses per second. Real-world attacks against properly hashed passwords (bcrypt, scrypt, Argon2) would be orders of magnitude slower, making the estimate conservative.
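The strength-meter arithmetic above, together with the "increase the length when symbols are disabled" advice from the settings section, as an added example that is not the tool's own code. Assumptions: the rating bands are treated as half-open ranges so that fractional values such as 35.5 bits get a rating, the crack time is the average case (half the keyspace), and a year is 365.25 days; all names are hypothetical.

```javascript
// Added example, not the tool's code.
const GUESSES_PER_SEC = 1e10;              // attacker rate stated on the page
const SECONDS_PER_YEAR = 365.25 * 86400;   // assumption: Julian year

// Entropy of `length` independent, uniform picks from `poolSize` characters.
function entropyBits(length, poolSize) {
  if (length < 1 || poolSize < 2) return 0;
  return length * Math.log2(poolSize);
}

// The page's bands, read as half-open upper bounds (assumption).
const BANDS = [[28, 'Very Weak'], [36, 'Weak'], [60, 'Fair'], [100, 'Strong']];

function rating(bits) {
  for (const [upper, label] of BANDS) {
    if (bits < upper) return label;
  }
  return 'Very Strong';
}

// Average-case brute force: half the keyspace is searched (assumption).
function crackYears(bits, rate = GUESSES_PER_SEC) {
  return Math.pow(2, bits - 1) / rate / SECONDS_PER_YEAR;
}

// Shortest length that reaches targetBits with a given pool, e.g. after
// disabling symbols or excluding ambiguous characters shrinks the pool.
function minLengthFor(targetBits, poolSize) {
  if (poolSize < 2) throw new RangeError('pool must contain at least 2 characters');
  return Math.ceil(targetBits / Math.log2(poolSize));
}

function assess(length, poolSize) {
  const bits = entropyBits(length, poolSize);
  return { bits, rating: rating(bits), years: crackYears(bits) };
}
```

With 16 characters and a pool of 91 this gives 104.1 bits and about 35 trillion years, matching the tool's readout; a 62-character alphanumeric pool needs 17 characters to reach 100 bits.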

Best Practices for Password Management

Generating a strong password is only the first step. Store it in a reputable password manager rather than writing it down or saving it in a browser’s built-in storage. Use a unique password for every account so that a breach at one service does not compromise others. Enable two-factor authentication wherever possible as an additional layer of protection.

Never share passwords through email, chat messages, or documents. If you must share a credential with a colleague, use your password manager’s secure sharing feature or a one-time secret link service. Rotate passwords for critical accounts periodically, especially after a known breach affecting a service you use.

Frequently Asked Questions

Are the passwords generated securely?

Yes. Passwords are generated using the Web Crypto API (crypto.getRandomValues), which provides cryptographically strong random values. Everything runs locally in your browser — no passwords are ever sent to a server.

How strong should my password be?

We recommend at least 16 characters with a mix of uppercase, lowercase, numbers, and symbols. This provides over 100 bits of entropy, making brute-force attacks practically impossible.
