Password Generator
Random-character passwords or word passphrases with an honest entropy meter and a time-to-crack table — generated in your browser with cryptographic randomness, never stored or sent anywhere.
Features
Two modes: random characters (8–64 long) and passphrases (3–8 words from a built-in 300-word list)
Lowercase, uppercase, digit and symbol toggles, with at least one of every selected set guaranteed
Option to exclude look-alike characters (0 O 1 l I |)
Honest entropy meter: bits computed from the actual pool, including the at-least-one-of-each constraint
Time-to-crack table for online (100 guesses/sec) and offline GPU (10 billion guesses/sec) attacks
Bulk generation of 10 at once; runs 100% in your browser on crypto.getRandomValues
How to Use
Choose random characters or passphrase mode
Set the length or word count and toggle character sets
Read the entropy meter and the crack-time table
Click Generate New until you like the result, or Generate 10 for a batch
Copy with one click — nothing is stored or sent
Use Cases
Frequently Asked Questions
- Are online password generators safe to use?
- Only if generation happens in your browser with a cryptographic source. This one uses crypto.getRandomValues (a CSPRNG) with rejection sampling so there is no statistical bias, runs entirely client-side, and the password never leaves the page. Avoid any generator that produces passwords on a server.
- How long should a password be in 2026?
- 16 random characters is a sound default: over the full 88-character pool that is roughly 103 bits, which works out to trillions of years against a 10-billion-guess-per-second GPU rig. By contrast, 8 lowercase-only characters (~38 bits) fall in seconds offline. Length beats cleverness.
- Password vs passphrase — which is stronger and easier to remember?
- Per character, random passwords win; per memorable unit, passphrases win. The math depends on list size: each word from this tool's 300-word list adds about 8.2 bits, so 5 words plus a number is roughly 48 bits — fine for low-stakes accounts, but use more words or random characters for anything important. Capitalization and separators add nothing; only word count does.
- What does the strength meter and time-to-crack estimate actually mean?
- The meter is pure entropy — the number of equally likely outputs your settings allow, assuming the attacker knows those exact settings. Bands: under 40 bits Weak, 40–59 Fair, 60–89 Good, 90+ Strong. The table shows the average time to search half that space; the offline row models a fast unsalted hash, and a slow hash like bcrypt or Argon2 cuts attacker throughput by a factor of a million or more.
- Should I use a generated password without a password manager to store it?
- For a throwaway account paired with a temporary email, yes — let them expire together and never think about either again. For anything you will log into twice, store the password in a manager. This tool deliberately keeps no history: a list of generated passwords in your browser would be a liability, not a feature.
Related Tools
Username Generator
Twenty fresh usernames per click across five styles — casual, professional, gamer, aesthetic and pronounceable — generated locally from your browser's cryptographic random source.
Email Address Generator
Create a real temporary email address with a working inbox behind it — minted through the same system as the TempMailSpot homepage. Watch messages arrive right on this page, then let the address expire on its own.
Email Validator
Check any address with real checks: strict syntax validation, a live DNS MX lookup, disposable-domain and role-account detection, and typo suggestions — one address at a time or up to 100 in bulk.
Need a Temporary Email?
Get your free temporary email address to use with this tool.