Generate strong, cryptographically secure passwords and passphrases. Everything runs locally in your browser.
Generate WPA2-friendly passwords using printable ASCII characters (max 63 characters).
A strong password should be at least 12-16 characters long. Longer passwords are exponentially harder to crack -- each additional character multiplies the number of possible combinations. For high-security accounts, consider 20+ characters or use a passphrase of 4-6 random words.
A strong password combines length, randomness, and character variety. It should include uppercase letters, lowercase letters, numbers, and symbols. Most importantly, it must be randomly generated -- not based on personal information, dictionary words, or common patterns.
Yes, reputable password generators that use cryptographically secure random number generators are safe. This tool runs entirely in your browser -- no passwords are sent to any server. Generated passwords exist only in your browser's memory and are never stored or transmitted.
Generating strong passwords is only half the battle -- you need a secure way to store them. These password managers are trusted by millions.
Best overall password manager with an excellent family plan, travel mode, and Watchtower breach alerts. Try Free
Best free option. Open source, audited, and available on every platform. Premium is just $10/year. Try Free
Built-in VPN, dark web monitoring, and automatic password changer for supported sites. Try Free
We may earn a commission from some of these links.
This tool generates cryptographically secure passwords and passphrases directly in your browser. It is designed for anyone who needs strong credentials -- from everyday users creating account passwords to system administrators generating API keys and WiFi passwords. Everything runs locally, so your passwords are never transmitted or stored.
On the Random Password tab, set your desired length using the slider (16 characters or more is recommended), select which character types to include, and click Generate. For maximum strength, keep all four character types enabled: uppercase, lowercase, numbers, and symbols. If a service restricts certain characters, use the Custom Symbols field to define exactly which special characters are allowed.
Entropy measures how unpredictable a password is, expressed in bits. Each bit of entropy doubles the number of possible passwords an attacker must try. A 12-character password using all character types has roughly 79 bits of entropy, which would take modern hardware billions of years to brute-force. The Strength Check tab shows you the estimated entropy and crack time for any password you enter or paste.
Adding more characters to your password increases entropy far more than adding character types. A 20-character lowercase-only password (94 bits of entropy) is actually stronger than a 10-character password using all character types (66 bits). This is why modern security guidance emphasizes length over complexity rules. When a site forces you to include a symbol and a number, those rules matter less than overall length.
The Passphrase tab generates passwords made of random dictionary words separated by hyphens, spaces, or numbers. A four-word passphrase like "correct-horse-battery-staple" is much easier to type and remember than a random string but still provides strong entropy (roughly 51 bits for four words from a 7,776-word list). For high-security accounts, use five or six words. Passphrases are especially useful for master passwords that you need to type from memory.
Generating strong passwords only helps if you do not reuse them across sites. A password manager stores all your credentials behind one master password, auto-fills login forms, and alerts you to breaches. Every security expert recommends using one. The tool below this section links to several trusted options.
Yes. It uses the Web Crypto API (window.crypto.getRandomValues), which provides cryptographically secure random numbers sourced from your operating system's entropy pool. This is the same randomness source used by TLS, SSH key generation, and other security-critical applications.
Attackers try dictionary words, names, dates, keyboard walks (qwerty, 123456), and common substitutions (p@ssw0rd) first. Any password based on personal information -- pet names, birthdays, addresses -- is vulnerable to targeted attacks. The only reliable defense is true randomness, which is why generated passwords are far stronger than human-chosen ones.
WPA2 passwords can be 8-63 characters. A minimum of 16 characters is recommended because WiFi passwords are vulnerable to offline brute-force attacks (an attacker captures the handshake and cracks it on their own hardware). The WiFi Password tab generates WPA2-compatible passwords using only printable ASCII characters.
Current security guidance from NIST says no -- you should change a password only if you suspect it has been compromised. Forced rotation leads people to use weaker, predictable patterns (Password1, Password2, etc.). Use unique, strong passwords and monitor for breaches instead.
Use the Custom Symbols field and the length slider to generate a password that fits within the site's constraints. If a site caps passwords at 16 characters, that is a red flag about their security practices, but you should still generate the strongest password possible within their limits.