NOTACAL logo

Password Generator

Password Generator

Give us your feedback! Was this useful?

Introduction

Passwords remain the most common authentication mechanism protecting online accounts, yet weak and reused credentials are the leading cause of data breaches. A password generator eliminates the human tendency to create predictable, easily guessable passwords by producing cryptographically random strings with high entropy. In the modern security landscape where data breaches expose billions of credentials annually, using strong, unique passwords for every account is no longer optional — it is essential for protecting personal and professional information.

Common attack vectors that exploit weak passwords include:

  • Brute-force attacks: Adversaries systematically try every possible combination within the character space.
  • Dictionary attacks: Attackers test common passwords, leaked credential databases, and variations of dictionary words.
  • Credential stuffing: Reusing the same password across services means one breach compromises all accounts.
  • Rainbow table attacks: Pre-computed hash lookup tables are ineffective against long, random passwords.

This tool generates passwords using a cryptographically secure pseudorandom number generator (CSPRNG), calculates the theoretical entropy of each generated password, and allows complete control over length and character composition. Understanding entropy helps you make informed decisions about password length and complexity for different security contexts.

Password entropy is expressed in bits and represents the number of attempts an attacker would need to guess the password in a brute-force search. Each additional bit of entropy doubles the difficulty of cracking the password. A password with 80 bits of entropy would require up to 2^80 attempts to guarantee discovery — a number so large that even with massive computing resources, the search would take longer than the age of the universe. This makes entropy the single most important metric for evaluating password strength beyond simple length considerations.

The character set you select has a dramatic impact on entropy per character. A password using only lowercase letters has an entropy of approximately 4.7 bits per character, meaning an 8-character password has only about 38 bits of total entropy — crackable in hours or days by a determined attacker with consumer hardware. Adding uppercase, digits, and symbols increases the entropy per character to approximately 6.55 bits, so the same 8-character password would have 52 bits of entropy — a significant improvement that raises the cracking difficulty to years or decades.

How to Use

  1. Set the password length using the slider or input field. NIST SP 800-63B recommends a minimum of 8 characters.
  2. Select character types to include: Uppercase letters (A-Z), Lowercase letters (a-z), Numbers (0-9), Symbols (!@#$%^&* etc.)
  3. Click Generate to produce a random password. Each generation is independent and produces a new random output.
  4. Review the entropy estimate displayed alongside the result. Higher values (in bits) indicate stronger resistance to brute-force attacks.
  5. Copy the generated password using the copy button. The tool does not store any generated passwords on any server.

Choose Length Based on Sensitivity: For low-risk accounts like forum registrations, 12 characters with mixed case and digits provides adequate protection. For sensitive accounts such as email, banking, and password manager master passwords, use at least 20 characters with all character types enabled. The entropy display helps you make this decision quantitatively rather than guessing what is strong enough.

Regenerate if You Spot a Pattern: Occasionally, a randomly generated password may contain a recognizable word fragment, sequential characters, or repeated patterns. While these occurrences are statistically expected in random generation and do not weaken the password mathematically, you may prefer to regenerate until you get a string that appears completely arbitrary for memorability purposes.

Password Length Guidelines by Context

Security requirements vary significantly depending on the account type and threat model. For a low-risk forum account where compromise has minimal consequences, a 12-character alphanumeric password generated by this tool provides adequate protection. For a primary email account that controls password resets for other services, use at least 16 characters with all character types. For password manager master passwords and encrypted volume passphrases, use the maximum allowed length — often 30 to 64 characters — to maximize protection.

Consider the human factors as well: a password that is too long may discourage its use or lead to users writing it down. Balance security needs with practical usability. A 20-character random password with all character sets enabled offers approximately 131 bits of entropy, placing it in the extreme category of the entropy classification table below.

Formulas and Calculations

Password Entropy

The strength of a randomly generated password is measured by its Shannon entropy:

H=log2(SL)=L×log2(S)H = \log_2(S^L) = L \times \log_2(S)
[nist-password]
[nist-password]

Where: H = entropy in bits, S = size of the character set, L = password length

Character Set Size

S = Su + Sl + Sd + Ss. Typical values: Uppercase = 26, Lowercase = 26, Digits = 10, Symbols = 32

Character SetSize (S)Entropy per character
Digits only10approx. 3.32 bits
Lowercase only26approx. 4.70 bits
Mixed case52approx. 5.70 bits
Alphanumeric62approx. 5.95 bits
All printable94approx. 6.55 bits
Entropy per character (bits) by character set composition

Entropy Classification

Entropy (bits)StrengthCrack Time (at 10^9 guesses/s)
< 28Very weak< 1 second
28-35WeakSeconds to minutes
36-59ModerateHours to years
60-79StrongYears to centuries
80-127Very strongMillennia+
>= 128ExtremeAstronomical timescales

Calculating Entropy in Practice

To calculate the total entropy of a password manually, apply the formula H = L × log2(S). First determine the character set size S based on the selected character types. For example, a password using uppercase letters (26), lowercase letters (26), and digits (10) has S = 62. For an 8-character password with this set, H = 8 × log2(62) = 8 × 5.95 = 47.6 bits. For a 16-character password with the same set, H = 16 × 5.95 = 95.2 bits — more than double the entropy with only twice the length.

The relationship between length and entropy is linear because each additional character independently contributes the same amount of entropy. This means that increasing password length is consistently more effective than adding rare character types. Adding symbols to an alphanumeric 62-character set increases S to 94, raising entropy per character from approximately 5.95 to 6.55 bits. However, adding just two more characters of alphanumeric-only content (increasing L from 8 to 10 with S = 62) adds 11.9 bits of entropy, while adding the full symbol set to an 8-character password adds only 4.8 bits. In practice, a 12-character alphanumeric password (71.4 bits) is stronger than an 8-character password with all 94 printable characters (52.4 bits).

Real-world cracking speed depends on both the attacker's hardware and the hashing algorithm used by the target service. A GPU cluster optimized for NTLM hashes can attempt tens of billions of guesses per second, while bcrypt with a high cost factor reduces the same hardware to a few thousand guesses per second. The entropy classification table above assumes a moderate attacker capability of 10^9 guesses per second, but services using modern key-derivation functions like bcrypt, scrypt, or Argon2id dramatically increase the real-world security of any given entropy level.

Practical Tips

Use a Password Manager: Even the strongest password is useless if you cannot remember it. A password manager stores all your unique passwords securely behind a single master password.

Never Reuse Passwords: A data breach at any service where you reuse a password exposes all your other accounts using that same password. Generate a unique password for every website and application.

Avoid security questions with factual answers. Use the password generator to create random strings as answers and store them in your password manager.

Regularly audit your accounts. Use a service like Have I Been Pwned (HIBP) to check whether your email addresses appear in known data breaches.

Rotate passwords after known compromises. When a service you use suffers a data breach, change that specific password immediately. Services like Have I Been Pwned and Firefox Monitor can alert you when your accounts appear in breach databases. Regular rotation of uncompromised passwords is no longer recommended by NIST as of SP 800-63B unless there is evidence of compromise, as forced rotation often leads to weaker password choices.

Passphrase vs Password

For master passwords that need to be memorable, consider generating passphrases — sequences of random common words separated by spaces or hyphens. A four-word passphrase from a dictionary of 7,776 words has approximately 51 bits of entropy (roughly equivalent to a 9-character random password) but is significantly easier to type and remember. Passphrases also score higher on usability metrics because they are less dependent on visual character memory and can be typed quickly even on mobile keyboards.

The security of a passphrase depends entirely on the randomness of word selection, not on the unusualness of the words themselves. A passphrase composed of four common words selected uniformly at random from a 7,776-word list — such as "correct horse battery staple" — is secure because each word independently contributes log2(7776) = 12.9 bits of entropy. In contrast, a hand-crafted phrase using a favorite quote or personal reference provides far less entropy because the words are not randomly chosen and may be guessable from personal information or common cultural references.

For even stronger security, increase the word count. A five-word passphrase provides approximately 64.5 bits of entropy, and a six-word passphrase reaches 77.4 bits. Most password managers support passphrase generation natively, and many services that accept long passwords will accept passphrases without issue. However, be aware that some legacy systems impose maximum length limits that passphrases may exceed.

Multi-Factor Authentication

Multi-factor authentication (MFA) is the single most effective way to secure accounts beyond password strength alone. Enable MFA on every service that supports it. According to Microsoft, MFA blocks over 99.9% of account compromise attacks. Even if an attacker obtains your password through a data breach or phishing attack, MFA requires a second factor — something you have (a phone, hardware token) or something you are (biometric) — to complete authentication.

Three common MFA methods ranked by security: Time-based one-time passwords (TOTP) generated by authenticator apps like Google Authenticator or Authy provide good security and do not rely on cellular networks. Hardware security keys such as FIDO2 or WebAuthn-compliant USB keys offer phishing-resistant authentication and are considered the gold standard. SMS-based verification codes, while better than no MFA, are vulnerable to SIM-swapping attacks and are no longer recommended by NIST as an out-of-band verification method.

The most secure configuration combines a unique, high-entropy password generated by this tool with a hardware security key for accounts that support it, and TOTP as a fallback. This layered approach ensures that compromise of any single factor does not expose the account.

Reference Tables

Security LevelMinimum LengthCharacter SetExample Use Case
Low8AlphanumericNon-sensitive accounts
Moderate12All printableEmail, social media
High16All printableBanking, work accounts
Very High20+All printablePassword manager master password

Common Password Vulnerabilities

Even a strong randomly generated password exists within a broader security ecosystem where other weaknesses can undermine its protection. Understanding the most common vulnerabilities helps you build a comprehensive security strategy.

Brute-Force and Dictionary Attacks

Brute-force attacks systematically enumerate every possible combination of characters within a defined search space. The time required to exhaust the search space depends on the password's entropy and the attacker's computational resources. A GPU-based cracking rig with multiple RTX 4090 cards can attempt approximately 300 billion NTLM password hashes per second, meaning an 8-character alphanumeric password (47.6 bits, 62^8 = 218 trillion combinations) could be fully enumerated in approximately 12 minutes. Adding a single character to reach 9 characters (55.6 bits, 62^9 = 13.5 quadrillion combinations) increases the search time to over 12 hours, and 10 characters (63.7 bits, 62^10 = 839 quadrillion) requires more than a month of continuous cracking.

Dictionary attacks are more efficient than brute force because they exploit human password selection patterns. Attackers compile lists of common passwords, leaked credentials, and word variations — including common substitutions like "p@ssw0rd" — to dramatically reduce the search space. The most common passwords according to annual surveys by NordPass and SplashData continue to include "123456," "password," and "qwerty," all of which will be cracked in under one second regardless of hashing algorithm. A randomly generated password from this tool is immune to dictionary attacks by construction since it contains no dictionary words or human-selected patterns.

Credential Stuffing and Password Reuse

Credential stuffing attacks exploit the widespread practice of password reuse across multiple services. Attackers obtain username and password pairs from a data breach at one service — for example, a 2023 breach exposing 37 million records — and automatically attempt those same credentials at dozens of other popular services. This attack is highly effective because studies consistently show that over 50% of users reuse passwords across multiple accounts. A credential stuffing attack does not require any cryptographic cracking; it simply uses credentials that the user voluntarily provided to another service.

The only complete defense against credential stuffing is to use a unique password for every account. Each password generated by this tool should be used for exactly one service and stored in a password manager. If one service suffers a data breach, only that single account is compromised, and the attacker gains no leverage against other accounts.

Phishing and Social Engineering

Phishing attacks trick users into voluntarily revealing their credentials by impersonating legitimate services through deceptive emails, websites, or messages. Even the strongest randomly generated password provides no protection if the user types it into a fake login page. Modern phishing kits can create convincing replicas of major service login pages, and spear-phishing campaigns target specific individuals with personalized lures crafted from publicly available information.

Defense against phishing requires behavioral safeguards rather than technical password strength. Always verify the URL of any page where you enter credentials, enable MFA as described above, and use a password manager that supports automatic form filling with domain matching — a password manager will refuse to autofill credentials on a lookalike domain, providing an additional layer of phishing protection that a manually typed password lacks.

Limitations

  • Client-side generation: Passwords are generated in the browser using crypto.getRandomValues() (CSPRNG) when available.
  • No breach database checking: The tool does not check generated passwords against known compromised password databases.
  • No server-side storage: Generated passwords are never transmitted to or stored on any server.
  • Theoretical entropy: The entropy calculation assumes each character is chosen independently with uniform probability.
  • Does not enforce service-specific rules: Some websites impose constraints this tool does not enforce.
  • No protection against phishing: Even the strongest password does not protect against phishing or social engineering attacks.

Understanding Password Strength Limitations

While entropy provides a theoretical measure of password strength against brute-force attacks, real-world security depends on many additional factors. A password with high entropy stored on a compromised device or transmitted over an unsecured network is still vulnerable regardless of its mathematical strength. Password reuse remains one of the most common attack vectors — even a perfectly random password is useless if the service storing it suffers a data breach and stores passwords in plaintext or with weak hashing.

The tool generates passwords based on cryptographic randomness but cannot protect against keyloggers, malware, shoulder surfing, or social engineering. Environmental security — keeping your devices updated, using reputable antivirus software, and maintaining physical security — is equally important as password strength. Additionally, some services impose their own constraints that may limit the effectiveness of generated passwords, such as maximum length limits or restrictions on certain characters.

Frequently Asked Questions

What is the ideal password length?
12-16 characters recommended minimum. Each additional character exponentially increases combinations.
Can I exclude confusing characters?
Yes. Configure character types to include and optionally exclude ambiguous characters like 0/O or 1/l.
Is it safe to use an online generator?
This runs entirely in your browser. No passwords are sent to any server. Ensure the page is served over HTTPS.
Are the passwords truly random?
Uses Crypto.getRandomValues() — cryptographically secure, suitable for security-sensitive applications.
How many passwords can I generate?
No limit. Generate as many as needed, each independently secure.
What character set should I choose?
Enable all available character types for maximum entropy. If a website restricts certain symbol characters, disable only those specific characters rather than all symbols.
What is the difference between a password and a passphrase?
A password is a random string of characters, while a passphrase is a sequence of random words. Passphrases are easier to remember and type but can exceed length limits on some services.
How often should I change my passwords?
NIST SP 800-63B no longer recommends periodic password changes unless there is evidence of compromise. Change immediately after a known data breach affecting that service.
Can I use a password I generated here for my password manager master password?
Yes, but consider using a passphrase instead for the master password since it must be memorized. A six-word random passphrase provides similar entropy to a 12-character random password while being far more memorable.

Last updated: July 10, 2026

UB

UnByte — Independent Software Engineering

Every calculator references authoritative sources — Editorial policy