Why Password Strength Matters
Most people reuse the same handful of passwords everywhere. That means a breach at one service—some forum you signed up for in 2014—gives attackers the keys to your email, your bank, your cloud storage. Credential stuffing attacks test stolen username/password pairs across thousands of services automatically. It takes seconds.
Brute-force attacks have gotten fast. A modern GPU can test billions of password combinations per second. An 8-character password using only lowercase letters has about 209 billion possibilities—that sounds like a lot until a single RTX 4090 cracks it in under a minute. Add uppercase, numbers, and symbols, and you buy more time. But the real multiplier is length. Every additional character multiplies the search space by the size of the character set, so the space grows exponentially with length.
A 20-character random password with mixed character types has roughly 130 bits of entropy. At a trillion guesses per second, cracking it would take longer than the age of the universe. That's the difference between a password that falls in seconds and one that holds up against nation-state attackers.
What Makes a Password Strong
Length beats complexity
Adding one character to a password does more for security than swapping a letter for a symbol. A 16-character lowercase password (75 bits of entropy) is stronger than a 10-character password with uppercase, lowercase, numbers, and symbols (66 bits). Length wins because it increases the exponent in the search space calculation.
Randomness is non-negotiable
Humans are terrible at generating random strings. We gravitate toward dictionary words, names, dates, keyboard patterns. Attackers know this and prioritize those patterns. A "random" password like P@ssw0rd2024! looks complex but falls to a dictionary attack in seconds because it follows a predictable substitution pattern. Real randomness means every character is independent of every other character—no patterns, no meaning, no structure.
Every account needs its own password
The best password in the world is worthless if you reuse it. A single breach exposes it. Attackers don't just try the breached service—they try every major service: Gmail, Amazon, banking portals, social media. Unique passwords per account contain the blast radius. If one gets compromised, the rest stay safe. This is why password managers exist.
Character diversity adds margin
Using uppercase, lowercase, numbers, and symbols increases the pool of possible characters from 26 (lowercase only) to 95 (full printable ASCII). At the same length, that's a meaningful increase in entropy. It's not a substitute for length, but it's a good complement. With a password manager handling the typing, there's no reason not to enable all character types.
Common Password Mistakes
The most common password in every annual breach report is still "123456." The second is "password." These aren't edge cases—they represent millions of real accounts on real services.
Predictable substitutions like @ for a, 0 for o, or 3 for e don't fool anyone. Cracking tools include these substitution rules by default. "P@55w0rd" is barely more secure than "password."
Personal information—pet names, birthdays, street addresses, phone numbers—is the first thing a targeted attacker tries. Social media makes it trivially easy to find this information. If your password contains your dog's name followed by a year, it's already in the attacker's wordlist.
Incremental changes between passwords (Password1, Password2, Password3) are another common pattern. When attackers find one version in a breach, they automatically generate and try variations with incremented numbers, appended years, and swapped punctuation. The only safe approach is fully random, fully independent passwords for each account.
How This Generator Works
This tool runs entirely in your browser. When you generate a password, your browser calls crypto.getRandomValues()—a Web Crypto API that pulls randomness from your operating system's cryptographically secure random number generator. On Windows, that's BCryptGenRandom. On Linux and macOS, it's /dev/urandom backed by the kernel entropy pool. The output is indistinguishable from true randomness for all practical purposes.
No password is ever sent to our servers. There's no API call, no analytics event, no telemetry. You can verify this by opening your browser's network inspector—the page loads once, and after that, every regeneration happens locally. Disconnect your internet and the tool still works.
The entropy calculation assumes an attacker who knows the character set and length but has to brute-force every combination. Crack time assumes 1 trillion guesses per second, which is realistic for a well-funded attacker with a GPU cluster targeting an unsalted hash.
Password Managers
A strong password generator is only useful if you have a way to store and retrieve the passwords it creates. That's where password managers come in. They store all your credentials in an encrypted vault, protected by a single master password. You remember one password. The manager handles the rest.
Recommended options
Bitwarden is free, open-source, and audited. It syncs across devices, supports autofill on every major platform, and offers a paid tier with TOTP authenticator support. If you're picking one manager and want to pay nothing, Bitwarden is the answer.
1Password has the most polished user experience, especially on Apple platforms. It's not free ($3/month), but the UI is excellent and the team sharing features are well-designed for families and businesses.
KeePass is fully offline. Your vault is a local encrypted file that you control. No cloud sync means no server to breach. The trade-off is convenience—you'll need to handle syncing yourself (Syncthing, Dropbox, USB drive). Best for people who want maximum control.
Whichever you choose, enable two-factor authentication on the manager itself. Your master password should be long, memorable, and unique—a passphrase of 4-5 random words works well. The manager is the single point of failure for your entire digital life. Protect it accordingly.
Frequently Asked Questions
Is this password generator safe to use?
Yes. This generator runs entirely in your browser using the Web Crypto API (crypto.getRandomValues). No passwords are sent to any server, stored in any database, or logged anywhere. You can verify this by disconnecting from the internet — the tool still works.
How long should my password be?
At least 16 characters for important accounts. 20 or more is better. Length matters more than complexity — a 20-character lowercase-only password is stronger than an 8-character password with uppercase, numbers, and symbols. If you use a password manager (and you should), set it to 20+ characters since you won't need to type them.
What makes a password strong?
Three things: length, randomness, and uniqueness. Length increases the number of possible combinations exponentially. Randomness means no patterns, words, or personal info — only a machine should generate it. Uniqueness means every account gets a different password. If one is compromised, the rest stay safe.
Should I use a password manager?
Absolutely. A password manager stores all your passwords in an encrypted vault behind one master password. Good options include Bitwarden (free, open-source), 1Password, and KeePass. Using a password manager means you can use long, random, unique passwords for every account without remembering any of them.
How does crypto.getRandomValues work?
crypto.getRandomValues is a Web Crypto API that generates cryptographically secure random numbers using your operating system's random number generator (like /dev/urandom on Linux or BCryptGenRandom on Windows). Unlike Math.random(), which uses a predictable algorithm, crypto.getRandomValues produces output that cannot be predicted even if an attacker knows the implementation.