Advertisement

🔐 Password Generator

Generate secure random passwords with length, character sets, and entropy strength indicator.

Cryptographically Random Passwords — Length and Charset

BrainyCalculators editorial insight — unique to this tool

16+ characters with mixed case, numbers, symbols resist brute force — 12-char lowercase only falls in hours on GPU crackers. NIST SP 800-63B favors long passphrases over forced rotation. Never reuse banking passwords; manager storage recommended.

When to use this calculator

Use to generate strong unique passwords locally in browser. Not for OTP or PIN banking codes with bank-specific rules.

Hashing existing text for checksums?

This page creates random passwords. For SHA/MD5 digests of input text, use the Hash Generator →

16
864
Password Strength
Entropy: bits

What is a Password Generator?

A password generator creates random strings from selected character classes with configurable length for account credentials. Entropy hints reflect guess resistance.

Use this page to create new secrets. Hash generator digests existing text with SHA/MD5 for checksums — it does not invent passwords.

Store generated passwords in a manager; do not reuse across sites.

How Password Strength Is Measured

Strength is measured by entropy bits: the number of bits required to represent all possible passwords of this length and character set.

Entropy = length × log₂(charset size)
e.g., 16 chars, all sets (95 chars) = 16 × 6.57 ≈ 105 bits (Very Strong)
Weak
< 40 bits
Fair
40–59 bits
Good
60–79 bits
Strong
80–99 bits
Very Strong
≥ 100 bits

How to Use the Password Generator

  1. 1
    Set Your Length
    Drag the slider to choose between 8 and 64 characters. Longer passwords are exponentially harder to crack.
  2. 2
    Choose Character Sets
    Enable or disable uppercase, lowercase, numbers, and symbols. At least one must be selected.
  3. 3
    Generate & Check Strength
    Click "Generate Password" to create a new password. The strength meter shows entropy in bits.
  4. 4
    Copy to Clipboard
    Click "Copy" to instantly copy the password. The button confirms with "Copied!" feedback.
  5. 5
    Generate Multiple
    Click "Generate 5" to create a batch of 5 passwords at once — each with its own copy button.

How the Password Generator Works

Formula, assumptions, and calculation steps for this daily life tool.

Methodology

Daily-life calculators turn common date, time, budget, and household inputs into quick practical estimates.

Calculation Steps

  1. Enter the everyday values requested by the form.
  2. Normalize dates, times, currency, or quantities as needed.
  3. Apply the simple arithmetic or calendar rule.
  4. Show the result in a format that is easy to act on.

Assumptions and Limits

  • Local rules, time zones, and rounding choices may affect real-world results.
  • The calculator uses the values entered and does not verify external schedules.
  • Use results as a planning aid.

Frequently Asked Questions

A strong password has high entropy — achieved through length and character variety. At minimum, aim for 12+ characters mixing uppercase, lowercase, numbers, and symbols. Avoid dictionary words, names, or predictable patterns. Our generator uses cryptographic randomness (crypto.getRandomValues) for maximum unpredictability.

For most accounts, 16 characters is sufficient. For highly sensitive accounts (banking, email, password manager master password), use 20+ characters. A 16-character password with all character sets has over 100 bits of entropy — computationally infeasible to brute-force.

Yes — absolutely. A password manager lets you use a unique, strong password for every service without needing to remember them. You only need to remember one strong master password. Popular options include Bitwarden (free, open-source), 1Password, and Dashlane.

Yes. Passwords are generated entirely in your browser using the Web Crypto API (crypto.getRandomValues). No passwords are transmitted to any server, stored in databases, or logged. The session history is only kept in JavaScript memory and clears when you close the tab.

If one service is breached and you reuse that password, attackers use credential stuffing to try it on other sites automatically. Using unique passwords for every account means a single breach cannot cascade into others.

Real-World Applications

🔐
New Account Registration
Generate a unique, random password every time you create a new online account — eliminating password reuse across sites, the primary vector for credential stuffing attacks after data breaches.
🏢
IT Administrator Account Creation
System administrators generate random temporary passwords for new employee accounts — combining length and character complexity to meet corporate password policy requirements (minimum 14 chars, mixed types).
💾
Database and API Key Generation
Generate random, high-entropy strings for database passwords, API keys, and application secrets — ensuring service credentials are not based on dictionary words or predictable patterns.
🛡️
Password Policy Compliance
Security teams use random password generators to demonstrate NIST SP 800-63B compliance — showing that critical system passwords meet length and entropy requirements for regulatory audits.
🔄
Periodic Password Rotation
Some organisations require periodic password rotation for privileged accounts. A random generator ensures each rotation produces a genuinely new, unpredictable credential rather than an incremental modification of the old one.
🧑‍💻
Developer Environment Secrets
Generate random passwords for local development environment services (databases, test accounts, local admin) — keeping development credentials separate and random rather than using well-known defaults like "admin" or "password".

Common Mistakes

1
Choosing passwords that are random but short
A random 6-character password has only ~37 bits of entropy against a full ASCII character set — crackable in under a second with modern GPU-based attacks. Length is the primary driver of security: always use at least 14–16 characters for web accounts.
2
Reusing the same generated password across multiple sites
A strong random password becomes a liability if used on multiple sites. One breach at any site exposes the credential everywhere it is reused — this is credential stuffing. Use a different password for every account, stored in a password manager.
3
Writing passwords down in plaintext
A 20-character random password written on a sticky note provides zero security. Store passwords exclusively in an encrypted password manager (Bitwarden, 1Password, KeePass). The manager is protected by one strong master passphrase — the only one you need to remember.
4
Using a weak password for the password manager master passphrase
If the master passphrase protecting your password manager is weak or reused, all stored passwords are compromised by a single breach. Use a long passphrase of 4–6 random words (diceware method) for the master — both memorable and extremely high entropy.
5
Not enabling 2FA after setting a strong password
Even a 20-character random password can be captured by phishing or keyloggers. Two-factor authentication (2FA) — particularly TOTP app-based 2FA or a hardware security key — provides a second layer that remains effective even when the password is compromised.

Password Entropy Quick Reference

Length Character Set Entropy (bits)
8 chars Lowercase only (26) ~37.6 bits — weak
8 chars Mixed case + digits (62) ~47.6 bits — weak
12 chars Full ASCII (94) ~78.7 bits — acceptable
16 chars Full ASCII (94) ~104.9 bits — strong
20 chars Full ASCII (94) ~131.1 bits — very strong
6 random words Diceware (7,776 words) ~77.5 bits — strong passphrase

References

  1. NIST. Digital Identity Guidelines (SP 800-63B) — Memorized Secret Authenticators. nist.gov, 2017.
  2. Florencio, D. and Herley, C. "A Large-Scale Study of Web Password Habits." WWW Conference, 2007.
  3. Bonneau, J. et al. "The Quest to Replace Passwords." IEEE Symposium on Security & Privacy, 2012.
  4. Schneier, B. Secrets & Lies: Digital Security in a Networked World. Wiley, 2004.
  5. Electronic Frontier Foundation. Diceware Passphrase Generation. eff.org, 2024.