What is crypto.getRandomValues and why does it matter?

crypto.getRandomValues is a Web Crypto API built into all modern browsers. It produces cryptographically secure random numbers using your operating system's entropy source, making it far superior to Math.random() for security purposes. All major password managers use the same API.

What is the difference between a password and a passphrase?

A password is a string of random characters (e.g., 'kX9#mZp2'). A passphrase is a sequence of random words (e.g., 'correct-horse-battery-staple'). Passphrases are easier to remember and type while providing excellent security. A 4-word passphrase has roughly the same entropy as a 10-character random password.

How is the crack time calculated?

Crack time is estimated assuming an attacker performing 10 billion guesses per second (a high-end GPU cluster). The total number of possible passwords is divided by this rate. For example, a 16-character mixed password has about 4x10^31 combinations, which at 10 billion guesses per second would take over a trillion years.

Why exclude ambiguous characters?

Ambiguous characters like 0/O, 1/l/I, and 2/Z look similar in many fonts, which can cause confusion when reading or typing passwords manually. Excluding them is useful when you need to write down or dictate a password. For passwords stored in a manager, include all characters for maximum entropy.

Can I use this password generator offline?

Yes. Since password generation happens entirely in your browser using JavaScript and the Web Crypto API, the tool works without an internet connection once the page is loaded. No server calls are made during password generation.

Is a 4-digit PIN secure?

A 4-digit PIN has only 10,000 possible combinations, which is very weak against offline attacks. However, PINs are typically used with lockout mechanisms (e.g., 3 failed attempts locks the device), which makes them adequate for phones and bank cards. For anything without lockout protection, use a 6-8 digit PIN or a full password.

Password Generator

Generate strong, random passwords instantly. Fully client-side — nothing leaves your browser.

100% Client-Side No Signup Instant

Length 16

Uppercase A–Z

Lowercase a–z

Numbers 0–9

Symbols !@#$%^&*()

Exclude ambiguous O 0 I l 1 |

Words 4

Separator

Capitalize words First letter uppercase

Include number Add a random number between words

Length 6

Count:

Generated entirely in your browser using crypto.getRandomValues(). Nothing is sent to any server.

How to Use the Password Generator

Choose Your Mode

Select Random for character-based passwords, Passphrase for word-based passwords, or PIN for numeric codes.

Adjust Settings

Set your desired length, toggle character types on or off, and pick presets for common lengths.

Copy & Use

Your password generates instantly. Click Copy to save it to your clipboard, or regenerate for a new one.

What Makes a Strong Password?

According to NIST SP 800-63B (2024) and CISA guidelines, password strength depends on three factors: length, randomness, and uniqueness. The updated federal standards dropped mandatory complexity rules (mixed case, special characters) in favor of longer passwords, because each additional character exponentially increases brute-force difficulty.

Here are 5 rules for creating strong passwords in 2026:

Make it long — 16 characters minimum. NIST now recommends at least 15 characters for single-factor authentication (SP 800-63B Rev. 4). Every extra character multiplies cracking difficulty exponentially.
Make it random — Use a password generator. Humans are terrible at randomness — we gravitate toward patterns, dictionary words, and personal info that attackers exploit.
Make it unique — One password per account. 94% of passwords are reused across multiple accounts. When one service is breached, all your accounts using that password are compromised.
Skip the complexity gimmicks — “P@$$w0rd!” looks complex but is trivially crackable. A 20-character lowercase random string is far stronger than an 8-character string with forced symbols.
Use a password manager — The only practical way to maintain unique 16+ character passwords for every account. A generator creates the passwords; a manager stores them.

Why Strong Passwords Matter in 2026

Data breaches are no longer rare events — they are a constant. In 2024 alone, over 1.7 billion credentials were exposed in publicly reported breaches, and the real number is likely far higher. Databases like the “RockYou2024” compilation contain nearly 10 billion unique password entries, giving attackers an enormous dictionary to work with in credential-stuffing attacks.

The core problem is password reuse. When one service is breached, attackers automatically test those same email-and-password pairs against thousands of other sites — banks, email providers, cloud storage, social media. A single leaked password can cascade into full identity compromise if it unlocks your primary email, which in turn resets every other account.

This is why a password manager is no longer optional. The average person has 70–100 online accounts. No one can memorize that many unique, high-entropy passwords. A password manager lets you generate a distinct random password for every service and recall it instantly. You remember one strong master password; the manager handles the rest. Combined with two-factor authentication, this approach eliminates the vast majority of credential-based attacks before they start.

Password Strength by Length

How long would it take to crack your password? These estimates are based on 2025 data from Hive Systems, assuming a modern GPU cluster (12× RTX 5090) attacking bcrypt hashes (cost factor 10):

Length	Numbers Only	Lowercase	+ Uppercase	All Characters	Entropy (all)
6	Instant	Instant	Instant	1 second	39 bits
8	Instant	57 minutes	4 days	8 months	53 bits
10	Instant	2 years	300 years	58K years	66 bits
12	3 minutes	2,000 years	880K years	3 billion years	79 bits
14	5 hours	2M years	600M years	31 trillion years	92 bits
16	21 days	477M years	380B years	30 quadrillion years	105 bits
20	5 years	39T years	253,000T years	Effectively never	131 bits
32	1B years	Beyond heat death of the universe			210 bits

Times assume offline brute-force against bcrypt hashes. Online attacks with rate limiting are much slower. Weak hashing (MD5, SHA-1) reduces times by orders of magnitude.

Password vs. Passphrase

A passphrase is a sequence of random, unrelated words (e.g., “correct-horse-battery-staple”). Here is how they compare to traditional random passwords:

Criteria	Random Password	Passphrase
Example	`k7#mQ9$xL2!pN4w`	`correct-horse-battery-staple`
Typical length	12-20 characters	20-40 characters
Entropy (typical)	79-131 bits	52-108 bits (4-7 words)
Memorability	Impossible without a manager	Moderate — mental imagery helps
Typing ease	Low — mixed symbols	High — regular words
Best for	Website accounts (stored in manager)	Master passwords, device encryption
NIST compliant	Yes (if 15+ chars)	Yes (if 15+ chars)

Key insight: Passphrases trade entropy density for memorability. A 5-word random passphrase (~86 bits) is easier to remember than a 12-character random password (~79 bits) while being more secure. For maximum security, use random passwords stored in a password manager.

Common Password Mistakes

According to NordPass’s 2025 analysis of dark web data, the 10 most common passwords are:

#	Password	Occurrences	Time to Crack
1	`123456`	179.9M	Instant
2	`123456789`	67.4M	Instant
3	`12345678`	63.9M	Instant
4	`password`	46.6M	Instant
5	`12345`	28.3M	Instant
6	`qwerty`	22.0M	Instant
7	`1234567`	16.3M	Instant
8	`1234567890`	15.8M	Instant
9	`111111`	12.2M	Instant
10	`qwerty123`	12.0M	Instant

Every one of these is cracked instantly. The top 5 password mistakes people make:

Reusing passwords — 80-85% of people reuse passwords across multiple sites. One breach compromises all your accounts.
Using personal information — Names, birthdays, pet names, and addresses are easily found on social media and public records.
Keyboard patterns — “qwerty,” “asdf,” and “zxcv” are among the first combinations attackers try.
Simple substitutions — Replacing “a” with “@” or “e” with “3” (leet speak) is well-known to crackers and adds negligible security.
Incremental changes — Changing “Password1” to “Password2” when forced to rotate. NIST now explicitly recommends against mandatory password rotation.

Frequently Asked Questions

Is this password generator safe to use?

Yes. This generator runs entirely in your browser using JavaScript. No passwords are ever sent to any server. It uses crypto.getRandomValues(), the browser's built-in cryptographically secure random number generator — the same API used by password managers like Bitwarden and 1Password.

What makes a password strong?

A strong password has three properties: length (at least 16 characters, per CISA recommendations), randomness (no dictionary words, names, dates, or patterns), and uniqueness (never reused across accounts). NIST dropped mandatory special character requirements in favor of length, because each additional character exponentially increases brute-force difficulty.

How long should my password be?

NIST now recommends a minimum of 15 characters for single-factor authentication (SP 800-63B Rev. 4). CISA recommends 16 or more characters. For multi-factor authentication, 8 characters is the minimum. The sweet spot for most users is 16-20 characters — long enough to be secure for decades, manageable with a password manager.

What is a passphrase and is it better than a password?

A passphrase is a sequence of 4-7 random, unrelated words (e.g., “correct-horse-battery-staple”). A 5-word random passphrase has roughly 86 bits of entropy — stronger than a 12-character complex password (~79 bits) — while being easier to remember. Passphrases are ideal for master passwords where you need to type from memory. For website accounts, random character passwords stored in a password manager are equally secure and more practical.

How often should I change my passwords?

NIST no longer recommends routine password changes. The updated 2024 guidelines explicitly state organizations “shall not” require periodic password rotation unless there is evidence of compromise. Forced changes led to predictable patterns. Change your password only when you suspect it was compromised, a service reports a data breach, or you have been sharing the password and want to revoke access.

What is password entropy?

Entropy measures password unpredictability in bits. The formula is E = log2(R^L), where R is the character pool size and L is the password length. Each bit doubles the number of possible combinations. Under 35 bits is weak (cracked in minutes), 60-75 bits is strong, 75-100 is very strong, and 100+ bits is excellent. A 16-character password using all character types has about 105 bits of entropy.

What is two-factor authentication (2FA)?

Two-factor authentication requires a second verification step beyond your password — typically a code from an authenticator app, SMS, or a hardware security key. Even if your password is stolen, the attacker cannot access your account without the second factor. Authenticator apps (Google Authenticator, Authy) are more secure than SMS, and hardware keys (YubiKey) are the most secure option. Enable 2FA on email, banking, and social media at minimum.

How are passwords cracked?

Attackers use several methods: Brute force tries every combination (fast for short passwords, impractical for 16+ characters). Dictionary attacks try common words, names, and leaked passwords. Credential stuffing uses stolen username/password pairs from one breach to log into other sites. Rainbow tables use precomputed hash lookups for offline cracking. Phishing tricks you into entering credentials on fake sites. A random 16-character password defeats brute force and dictionary attacks; unique passwords defeat credential stuffing.

Should I use a password manager?

Yes. CISA, NIST, and every major security organization recommends using a password manager. It generates, stores, and auto-fills strong unique passwords for every account — you only remember one master password. This eliminates password reuse, the number one cause of account takeovers. A password generator (like this tool) creates the passwords; a password manager stores them. Popular options include Bitwarden (free/open-source), 1Password, and Dashlane.

Is this tool really free?

Yes, completely free with no limits. No registration, no account required, no restrictions on how many passwords you can generate. The tool runs in your browser with zero server interaction. Use it as much as you need.