Password generator: strong passwords made in your browser
Password generator with entropy explained. Length and charset size determine the bits, and the bits drive the strength label. Weak-password alert with one-click fix. Local, no account.
A strong password is not the one with the most symbols, it is the one with the most random bits. The generator below shows those bits live: length, charset size, log₂, entropy bits, strength label. Each step is a chip, and the calculation stays visible.
Password strength explained
Cracking time: practically uncrackable
Bits are slightly below length × log₂(charset) because every enabled class must appear at least once. Cracking time is an estimate against offline brute force.
+N = contribution to charset size
What is entropy and why does it matter?
Entropy is the unit of randomness. For a password, it tells you how many guesses an attacker needs on average to hit yours. A 6-digit PIN has 10⁶ ≈ 1 million possibilities, around 20 bits. This tool's standard setup has 74 possible characters. A random 16-character password from that pool reaches about 99 bits. Compared with a PIN, that is a huge gap.
The cascade above lays the math bare: length or word count on the left, charset size or wordlist size next to it, log₂ per element, total bits, then the strength bucket. The base formula is bits = length × log₂(charset size). With several active character classes, the tool trims the total slightly because each class must appear at least once.
What length and which character classes are enough?
Rule of thumb: 16 random characters. In this tool's standard setup with all four classes enabled, that lands around 99 bits of entropy and in the "strong" bucket. The weak-password alert disappears at 60 bits, and in practice extra length usually helps faster than another class.
| Setup | Charset size | Length | Bits | Strength |
|---|---|---|---|---|
| Lowercase only, 8 chars | 26 | 8 | ~38 | weak |
| Lower + upper + digits, 12 chars | 62 | 12 | ~71 | good |
| All four classes, 16 chars | 74 | 16 | ~99 | strong |
| All four classes, 20 chars | 74 | 20 | ~124 | strong |
Symbols without length buy little: a 10-character password from the full 74-character pool is weaker than a 14-character password without symbols from a 62-character pool. Length is usually the cheaper lever.
Password or passphrase?
The mode toggle above swaps between random characters and several words from a wordlist. Both lean on the same generator (crypto.getRandomValues), but they differ in charset:
- Password: each element is a character from the currently enabled pool. High bits per element, low memorability.
- Passphrase: each element is a word from a curated 1296-word list derived from EFF Short Wordlist 1 (log₂(1296) ≈ 10.3 bits per word). Fewer bits per element, but easier to remember.
A 4-word passphrase carries about 41 bits - weaker than a random 8-character password in this tool's standard setup at roughly 49 bits. For 60+ bits you need at least 6 words (≈ 62 bits), or you switch to password mode where typing is not required, such as in a password manager.
When does the weak-password warning fire?
The warning above the entropy cascade fires when the estimate stays below 60 bits. The tool checks nothing else. Three common ways to get there:
- Too short in password mode. Eight characters from the standard setup yield about 49 bits and stay below the warning line.
- Too small a character pool. If you shorten the password and also switch classes off, the estimate drops below 60 quickly.
- Too few words in passphrase mode. Four words from the 1296-word list reach only about 41 bits. Six words lift the estimate to roughly 62 bits.
In password mode, the card can offer up to three fixes depending on your settings: extend length to 16, enable symbols, enable more classes. In passphrase mode, there is one fix: increase to 6 words.
Frequently Asked Questions
How long should a secure password be?
At least 12 characters, ideally 16. In this tool's standard setup, a random 16-character password reaches about 99 bits of entropy. The weak-password alert disappears at 60 bits.
What does entropy mean for passwords?
Entropy measures how many guesses an attacker needs on average to land on a random password. 40 bits means about 2⁴⁰ ≈ 1 trillion possibilities, and 60 bits about 1 quintillion. The cascade shows the base formula bits = length × log₂(charset size) and then trims a little when several active classes must all appear at least once.
Are passphrases safer than random passwords?
Not automatically. A 4-word passphrase from a 1296-word list has roughly 41 bits of entropy, so it stays below a random 8-character password in this tool's standard setup at about 49 bits. For 60+ bits you need at least 6 words here.
How long does it take to crack a 16-character password?
A random 16-character password from this tool's standard setup carries around 99 bits of entropy. In the tool's rough model at 10¹⁰ guesses per second, that is far beyond practical brute-force timeframes.