Password Generator
Generate a random password. Default length 8. Options: uppercase, numbers, symbols. Copy to clipboard.
Generate a random password. Default length is 8. You can set 4–128. Check or uncheck Uppercase, Numbers, and Symbols to include or exclude character types. Click Generate to create a new password, then Copy result to paste it into your app or password manager. Use longer passwords and a mix of character types for better security.
Examples
- Length 8, all options → random 8-char password (default)
- Length 16, symbols only for PIN-style codes
- Copy and paste into your password manager
FAQ
How long should my password be?
At least 8–12 characters for low-risk accounts; 12–14 or more for email and banking. Use a mix of letters, numbers, and symbols.
What characters are used?
Lowercase a–z always. Optionally uppercase A–Z, digits 0–9, and symbols !@#$%^&*()-_=+[]{}|;:,.<>?.
Is the password generated securely?
The generator uses the browser's Math.random(), which is not a cryptographically secure random number generator. For high-security use cases, consider a password manager with a cryptographically secure generator.
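A generator built on the Web Crypto API instead of Math.random(), as an added example that is not this tool's own code. The function names are assumptions; the character sets and the 4–128 length range are the ones this page states.

```javascript
// Web Crypto is global in browsers and current Node; the require() fallback
// is only reached on older Node versions.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Character sets as listed in this page's FAQ.
const LOWER = 'abcdefghijklmnopqrstuvwxyz';
const UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const DIGITS = '0123456789';
const SYMBOLS = '!@#$%^&*()-_=+[]{}|;:,.<>?';

// Hypothetical helper: lowercase is always included, as the page describes.
function buildAlphabet({ uppercase = true, numbers = true, symbols = true } = {}) {
  return LOWER + (uppercase ? UPPER : '') + (numbers ? DIGITS : '') + (symbols ? SYMBOLS : '');
}

// Uniform integer in [0, n) for n <= 256, drawn from the CSPRNG.
// Bytes >= limit are rejected so that `byte % n` does not favour low indices.
function secureIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 8, options = {}) {
  if (!Number.isInteger(length) || length < 4 || length > 128) {
    throw new RangeError('length must be an integer from 4 to 128');
  }
  const alphabet = buildAlphabet(options);
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[secureIndex(alphabet.length)];
  }
  return out;
}

// Entropy in bits of a uniformly random password: N * log2(C).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

The rejection step in secureIndex matters because 256 is not a multiple of the alphabet size; taking a plain remainder would make the first characters of the alphabet slightly more likely than the rest.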
What is password entropy?
Entropy measures how unpredictable a password is, expressed in bits. A password with N characters from an alphabet of size C has log₂(Cᴺ) bits of entropy. A 12-character password using all character types (95 printable ASCII) has about 79 bits of entropy — effectively uncrackable by brute force.
Why is a longer password better than a complex shorter one?
Length has a bigger impact on entropy than complexity. A random 20-character lowercase password (log₂(26²⁰) ≈ 94 bits) is stronger than a 10-character mixed-case-symbol password (log₂(95¹⁰) ≈ 66 bits). Modern NIST guidelines (2024) prioritize length.
What is a passphrase?
A passphrase is a sequence of random words (e.g. 'correct-horse-battery-staple'). Four to six random common words give 50–78 bits of entropy and are much easier to remember than a random character string of similar strength.
Why should I not reuse passwords?
If one service is breached, attackers use credential-stuffing attacks to try the same password everywhere else. Unique passwords for every account prevent a single breach from cascading. A password manager makes this practical.
What are common weak password patterns to avoid?
Avoid: dictionary words, names, dates (e.g. 'Summer2023!'), keyboard patterns (e.g. 'qwerty', '123456'), and substitutions like 'P@ssw0rd'. These are the first things password-cracking tools try.
What do NIST 2024 password guidelines recommend?
NIST SP 800-63B recommends: minimum 8 characters (15+ preferred), no mandatory complexity rules, no expiration unless compromised, checking against known breached password lists, and supporting long passphrases up to 64 characters.
Should I use two-factor authentication (2FA) with a strong password?
Yes. Even a strong password can be phished or stolen in a database breach. 2FA adds a second factor (app code, hardware key) so the attacker needs both your password and physical access to your device.
How do password managers help?
A password manager stores a unique strong password for every site, so you only remember one master password. Most generate passwords and auto-fill them, eliminating both weak passwords and reuse. Popular options include Bitwarden, 1Password, and KeePass.
What makes a password 'strong' according to modern standards?
Modern standards define a strong password as: at least 12–15 characters, not in a known breach list, not a predictable pattern, and unique to that account. Complexity rules (mixed case, symbols) are less important than length and uniqueness.