Password Generator
Choose a length and character sets, then copy the result.
Security tool
Custom random passwords with instant copy support.
Choose a length and character sets, then copy the result.
Continue with useful tools for nearby tasks.
Drag the Length slider, or type an exact number in the Custom length box, to set how many characters you want, anywhere from 8 to 64. Use the four checkboxes to include lowercase, uppercase, numbers, and symbols; keeping all four on gives the strongest result. Press Generate to draw a fresh random password, then press Copy to put it on your clipboard and paste it into the signup form or your password manager. Each press of Generate produces a completely new password, so keep tapping it until you get one you are happy to save.
Password strength is measured in entropy, expressed in bits, and it depends on two things: how long the password is and how many different characters each position could hold. The size of the character pool is the variety (26 lowercase, plus 26 uppercase, plus 10 digits, plus roughly 30 symbols equals about 94 possibilities), and the length is how many times you draw from that pool. Total combinations equal the pool size raised to the power of the length, so every extra character multiplies the difficulty for an attacker. A higher entropy figure means an attacker must try astronomically more guesses, which is exactly what keeps a brute-force attack from ever finishing.
The table below assumes the full 94-character pool and a fast offline attacker testing about 100 billion guesses per second against a poorly protected hash. Real numbers vary with the hashing algorithm, but the pattern is what matters: each added character roughly multiplies the cracking time by 94.
| Length | Approx. combinations | Time to crack |
|---|---|---|
| 8 | 6.1 x 10^15 | About 17 hours |
| 10 | 5.4 x 10^19 | About 17 years |
| 12 | 4.8 x 10^23 | About 150,000 years |
| 16 | 3.7 x 10^31 | Trillions of years |
| 20 | 2.9 x 10^39 | Far beyond the age of the universe |
Notice how the jump from 8 to 16 characters turns hours into geological time. Length is the single biggest lever you control.
Suppose you generate a 12-character password using all four sets, a pool of 94 characters. The number of possible passwords is 94^12, which is roughly 4.8 x 10^23, about 79 bits of entropy. Drop the symbols and digits to use letters only and the pool shrinks to 52, giving 52^12 or about 3.9 x 10^20, a thousand times weaker. Keep the full pool but add four more characters to reach length 16 and you arrive at 94^16, roughly 3.7 x 10^31 combinations. That is why this tool defaults to 16 characters with every set enabled.
People are predictable: left to invent passwords by hand, most of us lean on names, dates, and keyboard patterns that attackers guess first. A generator removes that bias by drawing every character at random, so the result carries the full entropy its length and character sets allow. Pairing it with a password manager lets you give every account its own long, unguessable password without ever needing to memorize one, which closes the door on both brute-force attacks and credential stuffing from old data breaches.
Everything runs locally in your browser using the operating system's cryptographically secure random number generator, the same source used to create encryption keys, so the randomness is genuine and not a predictable pseudo-random shortcut. Nothing you generate is uploaded, logged, or stored on any server; the password lives only in the page until you copy it and vanishes when you close the tab. For that reason, paste each password straight into a trusted manager rather than emailing it to yourself or saving it in a plain text file.
Strength comes from entropy, which is the length of the password multiplied by the variety of characters it can contain. A long password drawn at random from lowercase, uppercase, numbers, and symbols has so many possible combinations that guessing it by brute force becomes impractical. Predictable patterns such as dictionary words, names, or dates lower the real strength even when the password looks complex, because attackers try those patterns first.
Length wins. Each additional character multiplies the number of possible passwords, so adding length raises entropy faster than expanding the character set. Symbols and mixed case help, but a 20-character password using only letters is far harder to crack than an 8-character password that uses every symbol on the keyboard. Aim for 16 characters or more whenever a site allows it, and add the other character sets on top.
When one site is breached, attackers take the leaked email and password pairs and try them automatically on banks, email, and shopping sites in an attack called credential stuffing. A unique password for every account means a single breach cannot unlock anything else you own. This habit matters even more than raw complexity, because a reused password is only as safe as the weakest site that holds it.
If you use long unique passwords everywhere, no human can remember them all, so a password manager is the practical answer. It stores every credential in an encrypted vault unlocked by one strong master password, fills them in automatically, and warns you about reused or breached entries. Generate the password here, then paste it straight into your manager so you never have to type or memorize it.
Yes. Passwords are produced in your browser using the operating system's cryptographically secure random number generator, the same class of randomness used for encryption keys. Nothing is sent to a server, logged, or stored, so the password exists only on your screen until you copy it. Close the tab and it is gone, which is why you should save it in a manager before navigating away.