Generate strong, random passwords, memorable passphrases, or PINs — with a live entropy meter and crack-time estimate. Plus a built-in password strength checker.
🔒 The strength checker's input field never submits anywhere: the check happens entirely in your browser as you type.
Every password, passphrase, and PIN on this page is generated using window.crypto.getRandomValues() — the same cryptographically secure random number source browsers use for encryption. This is fundamentally different from Math.random(), which is not secure enough for passwords because its output can be predicted.
Nothing you generate or type here — including in the strength checker above — is sent to any server, logged, stored, or transmitted anywhere. The entire page runs as static JavaScript in your browser. You can verify this yourself by opening your browser's developer tools (Network tab) while using this page — you'll see zero requests related to password generation or checking.
💡 Best practice: Generate your password here, then immediately save it in a password manager (Bitwarden, 1Password, or your browser's built-in manager). You shouldn't need to remember most of your passwords — only your password manager's master password (use a passphrase for that one).
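Entropy measures how unpredictable a password is, expressed in bits. It's calculated as: length × log₂(character pool size). A longer password, or one drawn from a larger set of possible characters, has more entropy, and each additional bit of entropy doubles the number of guesses an attacker needs to try. The formula assumes every character is picked independently and uniformly at random, as a generator does; a human-chosen password built from words or patterns is far more predictable than its length and character set suggest.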
| Entropy | Strength | Crack time @ 10 billion guesses/sec | Example |
|---|---|---|---|
| < 28 bits | Very Weak | Instant | password123 |
| 28-35 bits | Weak | Seconds to minutes | Sunshine22 |
| 36-59 bits | Fair | Hours to months | Tr0ub4dor&3 |
| 60-79 bits | Good | Decades to centuries | 12-character random |
| 80-99 bits | Strong | Millions of years | 16-character random |
| 100+ bits | Very Strong | Effectively uncrackable | 20+ character random, 6-word passphrase |
The crack-time estimate above assumes 10 billion guesses per second, a realistic worst case for an attacker running modern GPUs against a database of weakly hashed (fast-hash) passwords. Well-implemented sites use slow hashing algorithms like bcrypt or Argon2, which can reduce guess rates to a few thousand per second, making even "Good" passwords effectively secure in practice. But since you can't control how a site stores your password, aim for "Strong" or "Very Strong" for anything important.
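The generation and entropy arithmetic described above, as an added example (not this page's actual source code): it draws characters with crypto.getRandomValues() using rejection sampling so every character is equally likely, then applies length × log₂(pool size) and the 10 billion guesses/sec rate. The 94-character pool, the function names, and the word-list sizes of 1024 and 7776 are assumptions chosen for illustration; the same functions cover PINs and passphrases as well as passwords.

```javascript
// Added example, not the page's own source. Browser: uses window.crypto.
// Node: falls back to the built-in webcrypto object.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Assumed pool: 26 lower + 26 upper + 10 digits + 32 symbols = 94 characters.
const POOL = "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
  "0123456789" + "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";

// Uniform integer in [0, n) by rejection sampling. A plain `value % n` would
// favour low indices whenever 2^32 is not a multiple of n (modulo bias).
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError("bad n");
  const limit = Math.floor(2 ** 32 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit); // discard the biased tail and draw again
  return buf[0] % n;
}

// Pick `count` items independently and uniformly from a string or an array.
function pick(pool, count) {
  const out = [];
  for (let i = 0; i < count; i++) out.push(pool[randomIndex(pool.length)]);
  return out;
}

// The page's formula: length x log2(pool size). Holds only for uniform picks.
function entropyBits(count, poolSize) {
  return count * Math.log2(poolSize);
}

// Seconds to try every candidate at the page's rate of 10 billion guesses/sec.
function secondsToExhaust(bits, guessesPerSecond = 1e10) {
  return 2 ** bits / guessesPerSecond;
}

const bits16 = entropyBits(16, POOL.length);
console.log(pick(POOL, 16).join(""), bits16.toFixed(1), "bits");
console.log("years to exhaust:", (secondsToExhaust(bits16) / 31557600).toExponential(1));
console.log("6-digit PIN:", pick("0123456789", 6).join(""), entropyBits(6, 10).toFixed(1), "bits");
// Word-list sizes are assumptions: 1024 and 7776 words give 60.0 and 77.5 bits.
console.log("6 words:", entropyBits(6, 1024).toFixed(1), entropyBits(6, 7776).toFixed(1));
```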
Random passwords: maximum entropy per character. A 16-character password using all four character types (upper, lower, numbers, symbols) has about 105 bits of entropy. Best for accounts where you'll copy-paste from a password manager rather than type manually. This is the right default for the vast majority of your accounts.
Passphrases: multiple random words strung together, easier to type and remember than random characters, while still reaching strong entropy levels with enough words. A 6-word passphrase from a reasonably sized word list provides roughly 60-77 bits of entropy depending on the word list size. Best for passwords you need to type from memory, like your password manager's master password or your device's login password.
PINs: short numeric codes with inherently lower entropy (a 6-digit PIN has about 20 bits, or roughly 1 million combinations). PINs are appropriate only where the system limits guess attempts, such as phone lock screens, bank cards, or door codes with lockout policies. Never use a PIN as a website password.
Use a unique password for every account. If one service is breached and your password is exposed, attackers immediately try that same password on other sites — a technique called "credential stuffing." A password manager makes unique passwords for every account practical.
Prioritize length over complexity. A 20-character password using only lowercase letters has more entropy than an 8-character password with every character type. Modern password requirements that mandate "at least one symbol" but cap length at 12 are actually weaker than longer, simpler passwords.
Enable two-factor authentication (2FA) wherever available. Even a strong password can be phished. 2FA — especially an authenticator app or hardware key rather than SMS — adds a critical second layer that protects you even if your password is compromised.
Don't reuse your email password anywhere else. Your email account is often the recovery method for every other account — if it's compromised, an attacker can reset passwords on all your other services.
⚠️ Avoid these common patterns: appending numbers to a word (password1, password2), simple letter-to-symbol substitutions (p@ssw0rd), keyboard patterns (qwerty, asdf1234), and personal information (names, birthdates, pet names). These patterns are the first things password-cracking dictionaries check, regardless of how "clever" they feel.