Password Generator
Generate strong random passwords with custom length and character sets. Client-side only.
Generate a strong random password instantly — set length from 8 to 128 characters, toggle uppercase, lowercase, numbers, and symbols, then copy with one click. Entropy is calculated in real time so you know exactly how secure the password is. All generation runs in your browser via crypto.getRandomValues(), with zero data sent anywhere.
How to generate a strong password
1. Set the password length
   Use the length slider to choose between 8 and 128 characters. NIST SP 800-63B recommends at least 16 characters for most accounts; the entropy display updates in real time so you can see the impact.
2. Select character sets
   Toggle uppercase (A–Z), lowercase (a–z), numbers (0–9), and symbols (!@#$…). Enabling all four maximises entropy. If a site disallows symbols, uncheck them and the tool recalculates automatically.
3. Click Generate
   A new cryptographically random password is produced using crypto.getRandomValues(). Each click creates a fresh result, and no previous password is retained anywhere.
4. Copy the password
   Click the Copy button to put the password on your clipboard. Paste it directly into your password manager or the target site rather than typing it manually, which avoids transcription errors.
Password Generator FAQ
- How long should a strong password be?
- Security experts recommend at least 16 characters for most accounts and 20+ for high-value ones. At 16 characters using uppercase, lowercase, digits, and symbols, the search space exceeds 2^100 combinations (more than 100 bits of entropy), making brute-force attacks infeasible.
- What does the entropy number mean?
- Entropy measures unpredictability in bits. It is calculated as log₂(character-set size) × length. The formula assumes each character is chosen independently and uniformly at random. More bits mean more possible combinations: 80 bits is considered strong, and 100+ is excellent for modern threat models.
- Is this password generator truly random?
- Yes. It uses crypto.getRandomValues(), the browser's cryptographically secure random number generator. This is the same API used by TLS and cryptographic libraries — far more secure than Math.random().
- Does this generator store or send my passwords?
- No. The entire generation runs locally in your browser. No data is sent to any server. You can confirm by running the tool offline — it works without a network connection.
- What character sets should I include?
- For maximum strength, enable all four: uppercase (A–Z), lowercase (a–z), numbers (0–9), and symbols (!@#$…). If a site restricts symbols, uncheck them — the tool recalculates entropy automatically so you still know your password's strength.
- What is NIST's guidance on password length and complexity?
- NIST SP 800-63B recommends allowing passwords up to 64 characters and focusing on length over mandatory complexity rules. Longer passwords with a mix of character types are preferred — the guidelines explicitly discourage forcing periodic rotation unless a breach is known.
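The generation step and the entropy formula described above can be sketched as follows. This is an added example, not this tool's source code: the function names and the symbol set are assumptions (the page does not list its symbols), and it uses rejection sampling so that mapping random bytes onto the alphabet introduces no modulo bias.

```javascript
// Added example, not the tool's own code. All names here are hypothetical.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node

const SETS = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?/", // constructed set; the page elides its own
};

// Concatenate the enabled character sets into one alphabet.
function buildAlphabet(opts) {
  const alphabet = Object.keys(SETS).filter((k) => opts[k]).map((k) => SETS[k]).join("");
  if (alphabet.length === 0) throw new RangeError("enable at least one character set");
  return alphabet;
}

// Uniform integer in [0, n) for n <= 256, by rejection sampling.
// A plain `byte % n` over-represents low indices when 256 is not a multiple of n.
function uniformIndex(n) {
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit); // discard values that would skew the distribution
  return buf[0] % n;
}

function generatePassword(length, opts) {
  if (!Number.isInteger(length) || length < 8 || length > 128) {
    throw new RangeError("length must be an integer from 8 to 128");
  }
  const alphabet = buildAlphabet(opts);
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[uniformIndex(alphabet.length)];
  return out;
}

// Entropy in bits: log2(alphabet size) * length. This holds only because
// each character is drawn independently and uniformly.
function entropyBits(length, opts) {
  return Math.log2(buildAlphabet(opts).length) * length;
}
```
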
References
- NIST SP 800-63B Digital Identity Guidelines (Authentication)
The US federal standard covering password length, complexity, and storage requirements. Recommends at least 8 characters (preferably longer) and deprecates mandatory rotation policies.
- OWASP Password Storage Cheat Sheet
Practical guidance on password hashing algorithms (Argon2id, bcrypt, scrypt) and work factors — essential when storing passwords server-side.
- MDN — Crypto.getRandomValues()
Browser API that fills a typed array with cryptographically strong random values — the underlying source of randomness used by this generator.