Security

Password Generator

Random-character passwords or word passphrases with an honest entropy meter and a time-to-crack table — generated in your browser with cryptographic randomness, never stored or sent anywhere.

Loading tool…

Features

Two modes: random characters (8–64 long) and passphrases (3–8 words from a built-in 300-word list)

Lowercase, uppercase, digit and symbol toggles, with at least one of every selected set guaranteed

Option to exclude look-alike characters (0 O 1 l I |)

Honest entropy meter: bits computed from the actual pool, including the at-least-one-of-each constraint

Time-to-crack table for online (100 guesses/sec) and offline GPU (10 billion guesses/sec) attacks

Bulk generation of 10 at once; runs 100% in your browser on crypto.getRandomValues

How to Use

1

Choose random characters or passphrase mode

2

Set the length or word count and toggle character sets

3

Read the entropy meter and the crack-time table

4

Click Generate New until you like the result, or Generate 10 for a batch

5

Copy with one click — nothing is stored or sent

Use Cases

Passwords for throwaway accounts
Test account credentials
Burner logins paired with a temp email
Comparing password vs passphrase strength
Security demonstrations with real math

Frequently Asked Questions

Are online password generators safe to use?
Only if generation happens in your browser with a cryptographic source. This one uses crypto.getRandomValues (a CSPRNG) with rejection sampling so there is no statistical bias, runs entirely client-side, and the password never leaves the page. Avoid any generator that produces passwords on a server.
How long should a password be in 2026?
16 random characters is a sound default: over the full 88-character pool that is roughly 103 bits, which works out to trillions of years against a 10-billion-guess-per-second GPU rig. By contrast, 8 lowercase-only characters (~38 bits) fall in seconds offline. Length beats cleverness.
Password vs passphrase — which is stronger and easier to remember?
Per character, random passwords win; per memorable unit, passphrases win. The math depends on list size: each word from this tool's 300-word list adds about 8.2 bits, so 5 words plus a number is roughly 48 bits — fine for low-stakes accounts, but use more words or random characters for anything important. Capitalization and separators add nothing; only word count does.
What does the strength meter and time-to-crack estimate actually mean?
The meter is pure entropy — the number of equally likely outputs your settings allow, assuming the attacker knows those exact settings. Bands: under 40 bits Weak, 40–59 Fair, 60–89 Good, 90+ Strong. The table shows the average time to search half that space; the offline row models a fast unsalted hash, and a slow hash like bcrypt or Argon2 cuts attacker throughput by a factor of a million or more.
Should I use a generated password without a password manager to store it?
For a throwaway account paired with a temporary email, yes — let them expire together and never think about either again. For anything you will log into twice, store the password in a manager. This tool deliberately keeps no history: a list of generated passwords in your browser would be a liability, not a feature.

Need a Temporary Email?

Get your free temporary email address to use with this tool.