English
Generate strong, random passwords with tunable character classes.
Last updated
A password generator creates random passwords that are far harder to guess than human-made ones. Developers and learners use them for test accounts, admin panels, database credentials, dashboard sign-ups, CI secrets, and personal security practice.
The key idea is *entropy* — how unpredictable a password is. Longer, less predictable passwords are dramatically stronger, even when both look random to a human. A unique password per account, stored in a trusted password manager, removes most of the risk that comes with reused passwords.
A real password generator should pull randomness from a secure source — window.crypto.getRandomValues in the browser, secrets in Python, crypto.randomBytes in Node.js. Anything based on Math.random() or a simple time-seeded RNG is predictable enough to attack.
@ for a — a 20-character lowercase password beats a 10-character one with symbols.window.crypto, not from Math.random().Aim for at least 16 characters for important accounts, 20+ for admin or root credentials. Longer beats every other tweak.
Enable lowercase, uppercase, numbers, and symbols for the strongest result. If you'll dictate the password by voice or copy it across systems, you can disable symbols.
Turn on the option to skip O / 0 and l / 1 / I if the password might be read aloud or typed manually.
The meter estimates how long it would take to brute-force the password. Anything in the strongest band is fine for personal accounts.
Copy the password into a trusted password manager — never paste it into chat, email, or a sticky note. Don't reuse it for another account.
Approximate brute-force time assuming 10 billion guesses per second — modern offline cracking. Use it as a rough guide when choosing length. Authoritative guidance: NIST SP 800-63B and the OWASP Authentication Cheat Sheet.
| Length | Character set | Approximate strength |
|---|---|---|
| 8 | lower + digits (36 chars) | Cracked in seconds |
| 10 | lower + upper + digits (62) | Cracked in hours |
| 12 | lower + upper + digits + symbols (94) | Days to weeks |
| 16 | lower + upper + digits + symbols | Centuries |
| 20 | lower + upper + digits + symbols | Effectively unbreakable today |
| 4 words | Random word passphrase (correct horse battery staple) | Centuries — easier to memorize |
Length: 20 · Lowercase: on · Uppercase: on · Numbers: on · Symbols: on
B7$kP2wM!hG9eV4rT&xQ
A practical default for dashboards, web apps, and most personal accounts. 20 characters across all four classes is currently considered effectively unbreakable.
f7Bk2pQz
f7Bk2pQzM!eV9rT&hG3wXn$L
The shorter password uses the same character classes but is many orders of magnitude weaker. Length almost always wins.
lantern-vivid-comet-nimbus-quartz
Five random unrelated words is roughly as strong as a 16-character random password but much easier to type, say, and remember.
tower-citrus-bronze-quay-pear) can be as strong as a shorter symbol-heavy password and easier to handle.window.crypto.getRandomValues. The password is generated locally and never sent to a server.