Password & Passphrase Generator
Last reviewed on April 27, 2026.
Two modes. Password draws random characters from your chosen classes. Passphrase picks random words from a built-in word list and joins them with a separator. Both use the browser's crypto.getRandomValues; nothing about your output is sent anywhere.
How "strong" is measured
The number that matters is entropy, measured in bits. Each bit doubles the size of the search space. A guesser who can try a billion candidates per second still needs centuries to run through a 90-bit search space. Practical thresholds:
| Entropy | What it protects against |
|---|---|
| 40–60 bits | Casual online attempts (rate-limited login forms). |
| 60–80 bits | Offline cracking of a leaked hash with consumer GPUs. |
| 80–100 bits | Well-funded offline cracking (specialized hardware). |
| 100+ bits | Long-horizon protection against any plausible attacker. |
This page reports the entropy of each result so you can size it for the threat you actually face. For a personal master password, aim for 90 bits or higher. For a one-time API key that is rotated weekly, 60 bits is fine. For account passwords stored in a manager, 80–100 bits is the sweet spot — enough margin without making the field unreasonable.
Random characters vs. random words
The two modes target the same goal — high entropy — by different routes.
- Random characters pack the most entropy per character. A 16-character password drawn from 94 printable symbols has about 105 bits of entropy. The downside: humans cannot remember them. They live in a password manager.
- Random words trade density for memorability. Picking five words from a 7,776-word list gives about 64 bits of entropy. Bumping to seven words puts you just over 90. The result is longer to type, but if you must memorize it (a master password, a vault key, a recovery phrase), this is the format that humans actually retain.
The "passphrase" approach was popularized by the Diceware project and codified by NIST in its current digital identity guidelines: long, simple, and machine-random beats short, complex, and user-invented every time. The dictionary used here is a curated list of common, easily-typed English words.
Worked example: comparing options
- 20-char password, all classes — about 131 bits. Overkill for almost anything; still trivial to store in a manager.
- 16-char password, lowercase + digits only — about 82 bits. Easier to type on mobile, still plenty for any password-manager-protected account.
- 5-word passphrase, hyphen-separated — about 64 bits. Memorable, typeable, fine for non-master use.
- 7-word passphrase — about 90 bits. The recommended floor for a master password you have to remember.
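The figures above all come from bits = number of picks × log2(pool size), provided every pick is uniform and independent. The sketch below is an added example, not this site's own generator code: it pairs that calculation with an unbiased draw from crypto.getRandomValues. The function names and the eight-word WORDS list are constructed for illustration; a real passphrase needs a full-size list such as a 7,776-word one.

```javascript
// Added example. WORDS is a constructed 8-word stand-in for a real word list.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = LOWER.toUpperCase();
const DIGITS = "0123456789";
const SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"; // 32 printable ASCII symbols
const WORDS = ["amber", "cobalt", "fennel", "harbor", "lantern", "meadow", "quartz", "willow"];

// Uniform integer in [0, n) by rejection sampling. A plain `value % n` would
// favour small results whenever n does not divide 2^32 (modulo bias).
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError("bad pool size");
  const limit = 2 ** 32 - (2 ** 32 % n); // largest multiple of n that fits in 32 bits
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit); // discard the biased tail and redraw
  return buf[0] % n;
}

// Entropy of `count` independent uniform picks from a pool of `poolSize` items.
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}

// Password mode: `length` characters drawn from the string `pool`.
function generatePassword(length, pool) {
  let out = "";
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return { value: out, bits: entropyBits(pool.length, length) };
}

// Passphrase mode: `count` words joined by `separator`.
function generatePassphrase(count, words = WORDS, separator = "-") {
  const picked = [];
  for (let i = 0; i < count; i++) picked.push(words[randomIndex(words.length)]);
  return { value: picked.join(separator), bits: entropyBits(words.length, count) };
}

console.log(generatePassword(16, LOWER + UPPER + DIGITS + SYMBOLS));
console.log(generatePassphrase(7)); // low entropy here: the demo list has only 8 words
console.log(Math.round(entropyBits(94, 16)), Math.floor(entropyBits(7776, 5)));
```

The reported entropy depends on the actual pool size passed in, so a short or duplicated word list shows up immediately as a low bit count.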
Common mistakes
- Mixing mandatory complexity rules into a real password. Forcing one digit and one symbol into a memorable phrase ("Password123!") shrinks entropy without improving strength. If you must comply with such a rule, append the requirement to a long passphrase: correct-horse-battery-staple-7! still has the original entropy plus four trivial bits.
- Reusing a password across sites. The strongest password becomes worthless the first time the site that stored it leaks. Use a manager, generate a new one per site.
- Treating leetspeak as security. See the leet text translator for what the substitutions actually look like — they are predictable, and crackers run them as a dictionary transform. Length and randomness add entropy; substitutions almost never do.
- Generating in an untrusted environment. If a coworker can see your screen or a screen-recording is running, the password leaks at generation time. Generate in private; copy directly into the field.
- Conflating UUIDs with passwords. A v4 UUID has 122 bits of entropy and can serve as a password, but UUIDs are not styled for human typing and have a recognizable shape. For passwords, this generator is the right tool. For identifiers, the UUID generator is.
Where this fits with the other tools on the site
For one-off identifiers that need cryptographic randomness without the password-friendly character set, see the UUID generator. For props in a screen recording (where the value should look real but never be), use the fake prop-data generator instead — never use real generated passwords as on-screen props. After generating a password, you may want to wrap it in a framed callout for documentation.