Secure Password Generator
Generate cryptographically secure passwords, passphrases, and pronounceable passwords. Optional breach checks use Have I Been Pwned with a hash-prefix lookup.
A strong password should be at least 12 characters with mixed case, numbers, and symbols. Passphrases with 5+ words offer similar security while being easier to remember.
Generate passwords in your browser. Breach checks send only a SHA-1 hash prefix to Have I Been Pwned.
How Password Security Works
Password security is fundamentally about entropy, the measure of randomness and unpredictability in a password. The more entropy a password has, the more guesses an attacker needs to crack it. Entropy is measured in bits: each additional bit doubles the number of possible combinations.
Modern password cracking uses specialised hardware, a single high-end GPU can test billions of password hashes per second. This means short or predictable passwords can be broken in seconds, regardless of how "clever" they seem. True security comes from cryptographically random generation, not human creativity.
Our generator uses the Web Crypto API (crypto.getRandomValues()), a cryptographically secure pseudorandom number generator (CSPRNG) built into every modern browser. This provides the same quality of randomness used in TLS encryption and digital signatures.
Password Entropy & Estimated Crack Times
The table below shows how entropy translates to real-world cracking resistance. Times assume an offline attack at 10 billion guesses per second, a realistic throughput for fast, unsalted hashes such as MD5 or NTLM cracked on a multi-GPU rig. This is the pessimistic case: it models an attacker who obtained a weakly-hashed password database. Slow, salted algorithms (bcrypt, scrypt, Argon2) reduce attack throughput by a factor of thousands to millions, so real-world resistance for properly protected accounts is far higher.
| Entropy (bits) | Example | Combinations | Time to Crack | Rating |
|---|---|---|---|---|
| 28 | password1 | 268 million | Less than 1 second | Terrible |
| 40 | Tr0ub4d0r | 1 trillion | ~2 minutes | Weak |
| 60 | kX9#mPw2vL | 1.15 × 10¹⁸ | ~3.6 years | Fair |
| 80 | correct-horse-battery | 1.21 × 10²⁴ | ~3.8 million years | Strong |
| 100 | dR4$kLm9!pQw2xZn | 1.27 × 10³⁰ | ~4 trillion years | Excellent |
| 128+ | plumb-tiger-canyon-frost-oak-breeze | 3.4 × 10³⁸+ | Heat death of universe | Maximum |
Understanding the Three Generation Modes
Random Passwords
Random passwords draw from a pool of characters (uppercase, lowercase, digits, symbols) with equal probability. A 16-character password using all four character types (95 possible characters) provides about 105 bits of entropy, well beyond what's needed for any online service.
Best for: accounts protected by a password manager, API keys, database credentials, and any situation where you don't need to type the password manually.
Passphrases (Diceware)
Passphrases use randomly selected words from the EFF Long Wordlist (7,776 words). Each word adds approximately 12.9 bits of entropy. A 6-word passphrase provides ~77 bits of entropy, comparable to a 12-character random password but far easier to memorise.
Best for: master passwords for password managers, full-disk encryption keys, WiFi passwords, and any password you need to remember and type regularly.
Pronounceable Passwords
Pronounceable passwords use alternating consonant-vowel patterns (e.g., "KobuTaFe") to create words that feel natural but don't exist in any dictionary. They're easier to type than random strings but have lower entropy per character than fully random passwords.
Best for: temporary passwords, shared WiFi codes, situations where you need to read a password aloud or type it on a mobile device.
Common Password Mistakes
Using personal information
Names, birthdays, pet names, and postcodes are easily discovered through social media. Attackers build targeted wordlists from public profiles.
Simple substitutions (P@ssw0rd)
Replacing 'a' with '@' or 'o' with '0' is well-known. Cracking tools include these substitution rules by default and test them in milliseconds.
Reusing passwords across sites
When one site is breached, attackers try those credentials everywhere else. Credential stuffing attacks are automated and affect millions of accounts.
Adding a number at the end
Appending '1' or '123' to a weak password adds negligible entropy. Cracking dictionaries include these common suffixes.
Keyboard patterns (qwerty, 123456)
Keyboard walks and sequential patterns are among the first combinations tested. They provide virtually zero security despite appearing random.
Using the same password with slight variations
Changing 'Password2023' to 'Password2024' is trivially guessable. If one version is compromised, all variations are at risk.
How the Breach Check Works
Our breach check uses the Have I Been Pwned (HIBP) Pwned Passwords API with a privacy technique called k-Anonymity. Here's how it protects your password:
- Your password is hashed locally using SHA-1 (this never leaves your browser)
- Only the first 5 characters of the hash are sent to the HIBP API
- The API returns all known breached hashes starting with those 5 characters (~500 results)
- Your browser checks whether the full hash appears in the returned list
The HIBP server never sees your full password or its complete hash. Even if the connection were intercepted, an attacker would only see a hash prefix shared by hundreds of different passwords.
Password Length Recommendations by Use Case
| Use Case | Minimum Length | Recommended | Type |
|---|---|---|---|
| Social media accounts | 12 characters | 16 characters | Random |
| Email accounts | 14 characters | 20+ characters | Random or passphrase |
| Password manager master | 5 words | 6-7 words | Passphrase |
| Banking & finance | 16 characters | 20+ characters | Random |
| WiFi password | 4 words | 5-6 words | Passphrase |
| Disk encryption | 6 words | 7-8 words | Passphrase |
| API keys & secrets | 32 characters | 64 characters | Random |
Why You Need a Password Manager
The average person has over 100 online accounts. Remembering a unique, strong password for each is impossible without help. A password manager solves this by storing all your credentials in an encrypted vault, protected by a single master password.
The ideal workflow: use our passphrase generator to create a strong, memorable master password (6+ words). Then use our random password generator for every individual account, storing them in your password manager. This gives you maximum security with minimum effort.
Popular password managers include Bitwarden (open source), 1Password, and KeePass (offline). All of these support auto-fill, cross-device sync, and breach monitoring. The important thing is to use one, any reputable password manager is vastly better than reusing passwords.
Beyond Passwords: Two-Factor Authentication
Even the strongest password can be compromised through phishing, keyloggers, or server breaches. Two-factor authentication (2FA) adds a second layer of verification, typically a time-based code from an authenticator app, a hardware security key, or a biometric check.
Recommended 2FA methods (strongest to weakest): hardware security keys (YubiKey, Titan), authenticator apps (Authy, Google Authenticator), push notifications, and SMS codes. Avoid SMS-based 2FA when possible, as it's vulnerable to SIM-swapping attacks.
Related Security Tools
Hash Generator
Generate SHA-256, MD5, and other cryptographic hashes
Base64 Encoder
Encode and decode Base64 strings
JWT Decoder
Decode and inspect JSON Web Tokens
UUID Generator
Generate unique identifiers for databases and APIs
QR Code Generator
Create QR codes for sharing passwords securely
ROT13 Encoder
Simple letter substitution cipher for text
Passphrase wordlist: EFF Long Wordlist (CC BY 3.0)
Methodology and sources
Formula or method
Random mode draws bytes from the Web Crypto API (crypto.getRandomValues), a cryptographically secure generator, and maps them onto your chosen character set; strength is reported as entropy in bits = length × log2(character-set size). Passphrase mode selects words at random from the EFF Long Wordlist; pronounceable mode alternates consonants and vowels (lower entropy by design, in exchange for being easy to type).
Basis and assumptions
- Everything is generated in your browser with the Web Crypto API; passwords are not transmitted or stored on a server.
- The optional breach check uses the Have I Been Pwned range API with k-anonymity: only the first 5 characters of the password's SHA-1 hash are sent, and matches are resolved locally, so the full password and full hash never leave your device.
- Entropy is a theoretical measure of randomness in bits; the strength labels map to 40, 60, 80, and 128-bit thresholds.
What this tool does not decide
- Whether an account is actually secure. That also depends on the site's own protections, two-factor authentication, and avoiding reuse and phishing.
- Long-term storage. This is a generator, not a password manager; keep passwords in a reputable manager rather than reusing them.
- Whether a password is truly safe. The breach check only covers passwords already seen in known, published breaches.
Sources
- Web Crypto API: crypto.getRandomValues (cryptographically secure RNG) (MDN) last accessed 2026-06-06
- EFF Long Wordlist for passphrases (CC BY 3.0) (Electronic Frontier Foundation) last accessed 2026-06-06
- Have I Been Pwned: Pwned Passwords range API (k-anonymity) (Have I Been Pwned) last accessed 2026-06-06
- NIST SP 800-63B Digital Identity Guidelines (NIST) last accessed 2026-06-06
Last checked: 2026-06-06
How to use this tool
Choose a mode: random, passphrase, or pronounceable
Set the length and character or word options for that mode
Generate, then copy a result or run an optional breach check
Common uses
- Creating a strong, unique password for a new account
- Generating a memorable passphrase for a master password
- Producing long random secrets or API keys for development
- Checking whether a password appears in known data breaches
- Making pronounceable passwords that are easy to type and dictate
Share this tool
Frequently Asked Questions
How secure are these passwords?
What is password entropy?
What's the difference between password types?
What does the breach check do?
Are these passwords stored anywhere?
How long should my password be?
Is a passphrase more secure than a random password?
Why shouldn't I create my own 'random' password?
Can quantum computers crack my password?
Should I change my passwords regularly?
Results are for general informational purposes only and should be checked before use. They are not professional advice. See our Disclaimer and Terms of Service.