Password generator options
Choose Strong, Long, PIN, or Custom based on the target system's rules.
Enter 4-128 characters; 16+ is a practical default for account passwords.
On adds 26 uppercase letters before any ambiguous-character filter.
On adds 26 lowercase letters before any ambiguous-character filter.
On adds 0-9; turn off only when the destination forbids numbers.
On adds the built-in symbol set; disable for sites with strict character limits.
Filters 0, O, o, 1, l, and I from enabled pools.
Requires length to be at least the number of enabled character groups.
Use only when the active pool size is at least the requested length.
Type allowed extras without separators, such as @%_*.
List blocked characters directly, for example {}[]<>.

Password strength is a search problem before it is a punctuation problem. A random 16-character password resists guessing because every position is selected from a known set of possible characters with no human pattern behind it. Attackers do not need the password to look simple. They only need the candidate list to be small enough, patterned enough, or reused enough to search successfully.

Length usually expands the search space more than any single symbol. Adding punctuation helps when the destination accepts it and the symbol set genuinely widens the pool, but a short familiar word with a symbol at the end is still a familiar shape. A longer random password that is never reused often beats a shorter password forced through a checklist of uppercase letters, digits, and special characters.

Compatibility still matters. A banking form may reject certain punctuation, an old device may accept only digits, a recovery workflow may require manual typing, and a password manager can store a long mixed string that nobody needs to memorize. The safer usable password is random, unique to one account, accepted without weakening edits, and stored where it will not be copied into notes, tickets, or shared messages.

[Diagram panels: Allowed pool: letters, digits, symbols minus exclusions. Length: each position multiplies choices. Random draw: one character per password position. Pattern check: flags familiar shapes and weak results.]

Entropy estimates the search space; strength checks catch recognizable patterns. Restrictions can make a password easier to type or more likely to be accepted, but they usually reduce the available search space.

Modern password guidance has moved away from arbitrary composition rules as the main measure of strength. For user-chosen passwords, verifiers are encouraged to allow long passwords, avoid silent truncation, check against common or compromised values, support password managers, and use multi-factor authentication for important accounts. Random generated passwords fit that model best when each account receives its own password and the final value is stored in a password manager.

A generated password does not solve every account risk. It can still be phished, copied from clipboard history, captured by malware, exposed in an export, or reused after a breach. Treat the generated string as a live credential from the moment it appears, and use the strength numbers as a guide to guessing resistance rather than as a complete security guarantee.

How to Use This Tool:

Pick the password shape the destination will accept, generate a candidate, then read the security and compatibility cues before copying it.

  1. Choose a Preset. Strong creates a 16-character mixed password, Long creates a 24-character password without symbols, PIN creates six digits, and Custom leaves the current settings editable.
  2. Set Length from 4 to 128 characters. When the destination allows it, increasing length is usually the most direct way to raise entropy.
  3. Turn uppercase, lowercase, numbers, and symbols on or off to match the rules of the account, device, vault, or legacy form that will receive the password.
  4. Open Advanced for transcription and policy constraints: remove ambiguous characters, require each enabled type, prevent repeated characters, add approved extra characters, or block characters the destination refuses.
  5. Press Generate when you want another draw with the same settings. Changing a setting also generates a fresh candidate after the new pool is valid.
  6. If an error appears, the chosen constraints cannot produce a password. Enable at least one character source, increase length for required types, shorten a unique-only request, or relax exclusions.
  7. Use Password Details, Password History, Entropy Trends, and JSON to compare the candidate, copy rows, or export a summary. Remove exported files after use if they contain live credentials.

Interpreting Results:

The summary gives the generated password, a show/hide control, copy action, strength label, entropy estimate, active pool size, length, and a crack-time benchmark. These values answer different questions. Entropy describes the formula-based search space, the crack-time estimate applies one fixed guessing speed, and the zxcvbn label looks for patterns that the formula may miss.

A large entropy number is useful only when the password is random, unique, and accepted without weakening edits. A good zxcvbn label is useful as a pattern check, not as proof that storage, multi-factor protection, or phishing defenses are sound. Read the values together, especially when a password must satisfy a restrictive site policy.

Secure password result cues and interpretation

| Result cue | What it means | What to do next |
| --- | --- | --- |
| Very Weak or Weak | The candidate looks too easy to guess or too pattern-like. | Generate a longer candidate, widen the allowed pool, or reject that password. |
| Active pool size is smaller than expected | Lookalike removal, disabled sets, duplicates, or explicit exclusions removed possible characters. | Add length to recover search space if the destination accepts a longer password. |
| Crack time @10B/s is short | The offline benchmark can search the estimated space quickly at the displayed speed. | Avoid the candidate for important accounts unless rate limits and multi-factor controls are the real defense. |
| Require each type is enabled | At least one character from every active set is forced into the output. | Use it for compatibility with old policies, not as a replacement for length. |
| Unique characters is enabled | No character can repeat, so the active pool must be at least as large as the requested length. | Disable it unless a real policy requires no repeats. |

The history list is for comparison during the current page session. Do not keep several generated passwords around longer than needed, and do not paste exported CSV, DOCX, or JSON summaries into shared tickets or messages when they include the actual password.

Technical Details:

Random password strength starts with the character pool. The pool is built from the enabled uppercase, lowercase, digit, symbol, and extra-character sources, then filtered by the ambiguous-character and excluded-character rules. Duplicate extra characters collapse to one usable character, so repeating the same approved symbol several times does not increase the search space.

Each password position is selected from the active pool. The generator uses the browser's cryptographic random source when available and falls back to weaker pseudo-random selection only when that source is missing. The password is scored after generation, so the displayed strength label reflects the actual candidate rather than only the settings that produced it.
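The per-position draw described above, as an added JavaScript example (not the tool's own code). It assumes the enabled groups arrive as already-filtered strings, uses rejection sampling to avoid modulo bias, and throws instead of falling back to a weaker random source; `secureIndex` and `generate` are hypothetical names.

```javascript
// Added example, not the tool's source. Web Crypto is global in browsers and
// current Node; older Node exposes it through the crypto module.
const webcrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Uniform index in [0, n): discard draws at or above the largest multiple of n
// that fits in 2^32, so the final modulo introduces no bias.
function secureIndex(n) {
  if (!webcrypto || !webcrypto.getRandomValues) {
    throw new Error("no cryptographic random source; refusing weaker fallback");
  }
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webcrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// groups: one string per enabled character group, already filtered
// (hypothetical input shape). Throws on the page's validation bounds.
function generate(groups, length, { requireEach = false, uniqueOnly = false } = {}) {
  const active = groups.filter((g) => g.length > 0);
  const pool = [...new Set(active.join(""))];
  if (pool.length === 0) throw new RangeError("empty character pool");
  if (requireEach && length < active.length) {
    throw new RangeError("length is below the number of required groups");
  }
  if (uniqueOnly && pool.length < length) {
    throw new RangeError("unique-only needs pool size >= length");
  }
  for (let attempt = 0; attempt < 10000; attempt++) {
    const avail = pool.slice();
    const out = [];
    for (let i = 0; i < length; i++) {
      const j = secureIndex(avail.length);
      out.push(avail[j]);
      if (uniqueOnly) avail.splice(j, 1); // draw without replacement
    }
    // Redrawing the whole candidate keeps the output uniform over every
    // password that meets the policy; patching characters in would skew it.
    if (!requireEach || active.every((g) => out.some((c) => g.includes(c)))) {
      return out.join("");
    }
  }
  throw new Error("constraints too tight for rejection sampling");
}
```

Calling `generate(["ABCDEFGH", "abcdefgh", "23456789"], 16, { requireEach: true })` returns a 16-character string with at least one character from each group.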

Formula Core:

If a password has $L$ positions and each position is drawn from $N$ possible characters, the ideal search space is $N^L$. Entropy converts that search space to bits, and the crack-time benchmark divides the same space by 10 billion guesses per second.

$$H = L \log_2(N) \qquad C = N^L \qquad t_{\text{sec}} = \frac{C}{10 \times 10^{9}}$$

Here $H$ is entropy in bits, $C$ is the number of combinations, and $t_{\text{sec}}$ is seconds at the fixed benchmark speed. With lookalikes removed, the Strong preset uses 88 active characters for 16 positions, which is about 103.4 bits. The Long preset uses 56 active characters for 24 positions, which is about 139.4 bits. A six-digit PIN has only 10 active characters for 6 positions, or about 19.9 bits, so it depends heavily on rate limits and device lockout.

Character Pool Rules:

Character pool contributions for generated passwords

| Source | Normal count | After lookalike removal | Notes |
| --- | --- | --- | --- |
| Uppercase letters | 26 | 24 | O and I are removed when ambiguous characters are excluded. |
| Lowercase letters | 26 | 24 | o and l are removed when ambiguous characters are excluded. |
| Digits | 10 | 8 | 0 and 1 are removed when ambiguous characters are excluded. |
| Symbols | 32 | 32 | The built-in punctuation set is unchanged by the lookalike filter. |
| Extra characters | Variable | Variable | Unique extra characters are added, then explicit exclusions remove matches. |
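The formula and pool counts above, worked through in JavaScript as an added example (not the tool's own code). The exact symbol list is an assumption (the 32 ASCII punctuation characters), as are the function names and the choice to apply the lookalike filter to the built-in sets only.

```javascript
// Added example, not the tool's source. The page gives set sizes (26/26/10/32)
// but not the symbol list; the 32 ASCII punctuation characters are assumed.
const SETS = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digit: "0123456789",
  symbol: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
const LOOKALIKES = new Set("0Oo1lI");
const GUESSES_PER_SEC = 10e9; // the page's fixed benchmark: 10 billion per second

// Active pool = enabled sets (optionally minus lookalikes) + extras - exclusions.
// Assumption: the lookalike filter applies to the built-in sets only.
function buildPool({ sets = [], extra = "", exclude = "", noLookalikes = false }) {
  const pool = new Set(extra); // a Set collapses repeated extra characters
  for (const name of sets) {
    for (const ch of SETS[name]) {
      if (!(noLookalikes && LOOKALIKES.has(ch))) pool.add(ch);
    }
  }
  for (const ch of new Set(exclude)) pool.delete(ch);
  return pool;
}

// H = L*log2(N), C = N^L, t = C / 10^10, plus two of the page's validation bounds.
function assess({ length, uniqueOnly = false, ...poolOpts }) {
  const L = Math.min(128, Math.max(4, Math.round(length))); // normalize to 4..128
  const N = buildPool(poolOpts).size;
  const errors = [];
  if (N === 0) errors.push("empty pool");
  if (uniqueOnly && N < L) errors.push("pool smaller than length");
  const combos = Math.pow(N, L); // overflows to Infinity for very large spaces
  return {
    length: L,
    poolSize: N,
    bits: N > 0 ? L * Math.log2(N) : 0,
    crackSeconds: combos / GUESSES_PER_SEC,
    errors,
  };
}
```

The PIN case shows why the page leans on rate limits: `assess({ sets: ["digit"], length: 6 }).crackSeconds` is a ten-thousandth of a second at the benchmark speed.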

Validation Bounds:

Secure password generation validation bounds

| Condition | Rule | Result |
| --- | --- | --- |
| Length | Rounded and limited to 4 through 128 characters. | Out-of-range values are normalized before generation. |
| Empty pool | At least one character must remain after all enabled sets, extras, lookalikes, and exclusions are resolved. | Generation stops until a usable character source is restored. |
| Required types | Length must be at least the number of active character groups. | A four-group policy cannot fit into three characters. |
| Unique-only output | The active pool must be at least as large as the requested length. | A 12-character unique password cannot come from 10 digits. |
| History | Up to 20 generated entries are kept while the page session remains active. | Use the list for comparison, then close or reload the page when finished. |

Privacy and Safety Notes:

Generation, scoring, history, charts, and exports run in the browser after the page has loaded. The generated password does not need a tool-specific server lookup, but the credential can leave your control if you copy it into a shared clipboard, download a report, sync it to an unsafe location, or paste it into the wrong account.

  • Use a different generated password for every account.
  • Store the final password in a password manager, not in screenshots, chat messages, notes, or exported reports.
  • Use multi-factor authentication for important accounts because password strength does not stop phishing or malware.
  • Do not treat the zxcvbn label as a breach check. It estimates guessability patterns; it does not query a live compromised-password database.
  • Delete CSV, DOCX, JSON, and chart files that reveal or describe a live password after they have served their purpose.

Worked Examples:

Password manager account

A password manager can usually store a long mixed string, so Strong or a longer custom password is a good starting point. With the default mixed pool and lookalike removal, 16 characters produce about 103.4 bits before the pattern check. If the destination accepts more length, raising the value to 20 or 24 gives more margin without making the password harder for a manager to store.

Site that refuses symbols

A symbol ban reduces the pool, but extra length can more than compensate. The Long preset uses uppercase letters, lowercase letters, and digits for 24 positions, with lookalikes removed. That gives 56 active characters and about 139.4 bits under the entropy formula.

Digits-only code

The PIN preset creates six digits. That shape may be correct for a local device, keypad, or rate-limited flow, but it is not comparable to a full account password under an offline guessing benchmark. If a service allows more than six digits, increasing the length matters more than trying to decorate a numeric code.

FAQ:

Does the generated password leave the browser?

Generation does not require a tool-specific server lookup. The main exposure points are the clipboard, downloaded reports, browser history or screenshots, synced folders, shared devices, and the account form where you paste the password.

Does it use cryptographic randomness?

It uses the browser's cryptographic random source when available. Very old or restricted environments that lack that source fall back to weaker pseudo-random selection, so generate important passwords in a modern browser.

Why can entropy and zxcvbn strength disagree?

Entropy is calculated from length and active pool size. zxcvbn also looks for familiar shapes, sequences, repeats, dates, and other guessable patterns. When they disagree, treat the lower-confidence signal seriously and generate again.

Should I require every character type?

Use Require each type when the destination system demands category coverage. For actual guessing resistance, longer random passwords and account-specific uniqueness usually matter more than satisfying every composition box.

Why did generation fail?

The usual causes are an empty character pool, too many required character groups for the chosen length, or a unique-only request that needs more distinct characters than the pool contains.

Glossary:

Active pool size
The number of distinct characters available after enabled sets, extra characters, lookalike removal, and exclusions are combined.
Entropy
A bit estimate based on password length and active pool size under an independent random-draw model.
Lookalikes
Characters such as 0, o, O, 1, l, and I that can be removed to reduce reading and typing mistakes.
zxcvbn score
A 0 to 4 pattern-aware strength score shown as Very Weak, Weak, Fair, Good, or Strong.
Crack-time benchmark
The displayed estimate produced by dividing the formula-based combination space by 10 billion guesses per second.