Password Generator

Generate strong passwords with entropy scoring

Generate cryptographically strong passwords with a live entropy-based strength meter. Customise length and character sets, exclude visually ambiguous characters, and copy without the password touching any server.

What makes a password strong

Password strength is really about one thing: the number of guesses an attacker would need to try. This is measured in bits of entropy. Each bit doubles the work factor. A 40-bit password takes a modern attacker a few hours to brute-force; a 60-bit password takes decades; an 80-bit password is effectively unbreakable. Entropy comes from two sources: length and the size of the character pool. Length is by far the more powerful lever — a longer password of only lowercase letters can be much stronger than a short password with every symbol.

How this generator is secure

Every password is generated using crypto.getRandomValues — the browser's cryptographic random number generator, backed by the operating system. This is the same source used for TLS session keys. Math.random, by contrast, is not cryptographic and should never be used to generate secrets. No password is ever sent over the network, stored, or logged.

Recommended settings

  • For a master password (password manager, email): 20+ characters with all types enabled. Memorable alternative: a five-word passphrase like "correct horse battery staple donkey".
  • For a site password managed by a password manager: 20–32 characters, all types. The manager remembers it, so length is free.
  • For a system that rejects symbols: 30+ characters of letters and digits to compensate.
  • For read-aloud scenarios: enable "Exclude ambiguous" to drop 0/O, 1/l/I, and other confusables.

How the strength meter works

The meter calculates entropy as log2(pool^length), where pool is the size of the character set used. "Weak" is under 40 bits, "Fair" is 40–60, "Strong" is 60–80, "Excellent" is 80+. These thresholds align with NIST SP 800-63B guidance on memorised secrets.
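The generation step from "How this generator is secure" and the meter calculation above, sketched together as an added example (this is not the site's own code). The function names, the symbol set, the exact ambiguous-character list and the handling of the 60- and 80-bit boundaries are assumptions. The entropy formula only holds when every character is drawn uniformly, so the sketch uses rejection sampling rather than a plain modulo.

```javascript
// Added example: names, symbol set and ambiguous list are assumptions.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.<>?/|",
};
const AMBIGUOUS = new Set("0O1lI|"); // assumed list; the page names 0/O, 1/l/I and |

function buildPool({ lower = true, upper = true, digits = true, symbols = true,
                     excludeAmbiguous = false } = {}) {
  const on = { lower, upper, digits, symbols };
  const chars = Object.keys(SETS).filter((k) => on[k]).map((k) => SETS[k]).join("");
  const pool = [...new Set(chars)].filter((c) => !(excludeAmbiguous && AMBIGUOUS.has(c)));
  if (pool.length < 2) throw new RangeError("character pool too small");
  return pool;
}

// Uniform index in [0, n) by rejection sampling: draws at or above the largest
// multiple of n are discarded, so no character is favoured (no modulo bias).
function randomIndex(n) {
  const limit = 2 ** 32 - (2 ** 32 % n);
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, options) {
  const pool = buildPool(options);
  return Array.from({ length }, () => pool[randomIndex(pool.length)]).join("");
}

// log2(pool^length), computed as length * log2(pool) so large inputs do not overflow.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Thresholds from the page; 60 is treated as "Strong" and 80 as "Excellent" (assumption).
function strengthLabel(bits) {
  if (bits < 40) return "Weak";
  if (bits < 60) return "Fair";
  if (bits < 80) return "Strong";
  return "Excellent";
}
```

With this pool, 20 lowercase-only characters score about 94 bits while 8 characters drawn from all four sets score about 52, which is the "length is the more powerful lever" point in numbers.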

Frequently asked questions

Is my password really never transmitted?

Correct. The generation, strength calculation, and copy-to-clipboard all happen in your browser tab. There are no analytics on the password content and no network requests triggered by generation.

What should I do after generating one?

Store it in a password manager (1Password, Bitwarden, KeePass). Manually typed strong passwords fail because you forget them and resort to weaker ones. A password manager is the single highest-leverage security upgrade most people can make.

Why exclude ambiguous characters?

If the password will ever be read aloud, written down, or transcribed from one device to another, ambiguous characters (0 and O, 1 and l, I and |) cause errors. The entropy cost is tiny and usually worth it in those scenarios.