
Free Password Generator

Create strong, secure passwords instantly. Customize length and character types. Your passwords never leave your browser — 100% private and secure.


What Makes a Password Strong?

A password's strength is determined by two independent factors: length and character set size. Together they define the total number of possible combinations an attacker must search through — a concept measured in bits of entropy. Entropy represents the mathematical randomness of a password; each additional bit doubles the number of possible guesses. A password with 40 bits of entropy has roughly one trillion (2^40) possible combinations. A password with 80 bits has over one septillion — completely infeasible to brute-force with current technology.

Length contributes exponentially more to entropy than character variety. Adding one extra character multiplies the search space by the size of the character set. For example, extending a password from 8 to 12 characters using uppercase, lowercase, numbers, and symbols (a 72-character set) increases the possible combinations from 72^8 (≈ 7.2 × 10^14) to 72^12 (≈ 1.9 × 10^22) — roughly a 26-million-fold increase. By contrast, adding symbols to an already-complex 12-character password increases the space by a far smaller factor. The takeaway: a long, memorable passphrase of all-lowercase characters is significantly stronger than a short password packed with special characters.

Estimated Brute-Force Cracking Time by Password Length

The table below assumes a 72-character set (uppercase, lowercase, numbers, and symbols) and a hardware-optimized attacker capable of 100 billion guesses per second — roughly the equivalent of a dedicated GPU cluster. Real-world times may vary, but the exponential pattern is what matters: each additional character makes the task dramatically harder.

| Password length | Possible combinations | Time to crack |
|---|---|---|
| 8 | 7.2 × 10^14 | ~2 hours |
| 10 | 3.7 × 10^18 | ~1.2 years |
| 12 | 1.9 × 10^22 | ~6,100 years |
| 16 | 5.2 × 10^29 | ~165 billion years |
| 20 | 1.4 × 10^37 | ~4.5 × 10^18 years |
| 24 | 3.7 × 10^44 | ~1.2 × 10^26 years |

Important caveat: these times assume truly random passwords generated by a cryptographically secure source. Passwords based on dictionary words, common patterns, or personal information can be cracked orders of magnitude faster using dictionary attacks, rainbow tables, and social engineering. The numbers also assume the attacker must brute-force the full password; in reality, many services store passwords using fast hash functions like SHA-256, which are far cheaper to attack than slow, salted algorithms like bcrypt or Argon2. A 12-character random password may take millennia on a properly hashed database, but identical passwords stored with MD5 (still regrettably common) could fall in hours.

The Most Common Password Mistakes

Using Personal Information

Names, birthdays, pet names, and addresses are trivially discovered through social media, data broker sites, and public records. Attackers programmatically scrape this data and feed it into targeted dictionary attacks. A password derived from personal details offers essentially zero security.

Reusing Passwords

Credential stuffing is the most common attack vector: when a service is breached and its password database leaks, attackers feed those email-password pairs into thousands of other sites. If you use the same password across multiple services, one breach compromises all your accounts.

Using Short Passwords

Any password under 10 characters is within reach of modern GPU cracking rigs regardless of character complexity. The exponential math of password length means that 12 characters is a practical minimum, and 16+ is recommended for any account that matters.

The Passphrase Approach

A passphrase is a sequence of randomly chosen words, often separated by spaces or hyphens, that serves as a password. The concept was popularized by the xkcd webcomic "Password Strength" and is mathematically sound. If you select four words randomly from a list of 7,776 common English words (Diceware wordlist), the resulting passphrase carries roughly 51 bits of entropy — comparable to a 9-character random password — but is far easier to remember. Six randomly chosen words provide approximately 77 bits of entropy, making brute-force attacks infeasible.

The key word is random. A passphrase like ilovecatsanddogs is not a secure passphrase — it follows predictable grammar patterns and can be broken by statistical language models. A truly random passphrase like correct-horse-battery-staple-remark-kite is far stronger because the words are unrelated and unpredictable. For accounts where you must type the password manually (game consoles, smart TVs), a passphrase is significantly more usable than a random character string of equivalent strength.
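The arithmetic behind the entropy section, the cracking-time table and the passphrase figures above, as an added JavaScript example (not code from this page's generator). It assumes a uniformly random password over a pool of `poolSize` symbols, an attacker who tries the whole space (worst case), and the table's rate of 100 billion guesses per second; the 1e5 guesses/s figure for a slow hash is a constructed illustration, not a measured number.

```javascript
// Added example: entropy and brute-force time arithmetic used on this page.
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Bits of entropy: log2(poolSize ^ length) = length * log2(poolSize).
function entropyBits(poolSize, length) {
  return length * Math.log2(poolSize);
}

// Size of the search space, poolSize ^ length (a double holds these comfortably).
function combinations(poolSize, length) {
  return poolSize ** length;
}

// Worst-case brute-force time in seconds at a given guess rate.
function crackTimeSeconds(poolSize, length, guessesPerSecond) {
  return combinations(poolSize, length) / guessesPerSecond;
}

// Length of a random password over `poolSize` symbols needed to reach `bits`.
function equivalentLength(bits, poolSize) {
  return Math.ceil(bits / Math.log2(poolSize));
}

// Reproduce the page's table: 72-symbol set, 1e11 guesses/s, result in years.
function crackTimeTable(lengths, poolSize = 72, rate = 1e11) {
  return lengths.map((n) => ({
    length: n,
    combinations: combinations(poolSize, n),
    years: crackTimeSeconds(poolSize, n, rate) / SECONDS_PER_YEAR,
  }));
}

// The 8 -> 12 character step from the text: the space grows by 72^4.
const growth = combinations(72, 12) / combinations(72, 8); // 26,873,856

// Diceware passphrases: 7,776-word list, 4 and 6 words.
const fourWords = entropyBits(7776, 4); // ~51.7 bits
const sixWords = entropyBits(7776, 6);  // ~77.5 bits

console.log(crackTimeTable([8, 10, 12, 16, 20, 24]));
console.log(`8->12 chars multiplies the space by ${growth.toLocaleString()}`);
console.log(`4 Diceware words: ${fourWords.toFixed(1)} bits, about a ${equivalentLength(fourWords, 72)}-char random password`);
console.log(`6 Diceware words: ${sixWords.toFixed(1)} bits`);
// Same 12-char password, hypothetical slow-hash rate of 1e5 guesses/s (constructed figure):
console.log(`12 chars at 1e5/s: ${(crackTimeSeconds(72, 12, 1e5) / SECONDS_PER_YEAR).toExponential(2)} years`);
```

The last line shows why the hashing caveat matters: dividing the attacker's rate by a million multiplies every row of the table by a million.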

Why You Should Use a Password Manager

The human brain is not designed to memorize dozens of unique, 16-character random passwords. This is not a personal failing; it is a cognitive limitation shared by everyone. A password manager — such as Bitwarden (open-source, free), 1Password, or KeePass — solves this by generating, storing, and auto-filling a unique strong password for every account. You only need to remember a single strong master password or passphrase to unlock the vault.

The security tradeoff is well understood: you concentrate risk into a single, heavily protected vault rather than distributing it across dozens of accounts protected by weak, memorized passwords. Modern password managers use zero-knowledge encryption, meaning the provider never has access to your unencrypted data: the master password never leaves your device, and decryption happens locally. Combined with the strong passwords this tool generates, a password manager forms the foundation of a practical personal security strategy.

Two-Factor Authentication: The Essential Second Layer

Even the strongest password can be compromised: through a data breach at the service, a phishing attack, a keylogger, or shoulder surfing. Two-factor authentication (2FA) adds a second proof of identity — typically a time-based one-time password (TOTP) generated by an app like Google Authenticator or Authy, a hardware security key (FIDO2/U2F), or a push notification — that an attacker cannot produce even with the password. Enabling 2FA on email, banking, social media, and domain registrar accounts is the single highest-impact security action you can take after using unique passwords.

Prefer TOTP app-based or hardware key methods over SMS-based 2FA whenever possible. SMS messages can be intercepted through SIM-swapping attacks, where an attacker socially engineers a mobile carrier into transferring a victim's phone number to their own device. If SMS is the only option offered, it is still better than no 2FA at all — but app-based codes or security keys provide substantially stronger protection.

How Passwords Are Generated on This Page

All password generation happens entirely in your browser using the Web Crypto API's crypto.getRandomValues() method, which is backed by the operating system's cryptographically secure pseudorandom number generator (CSPRNG). The password is constructed character by character using modulo selection from the chosen character pool. At no point is the generated password transmitted to any server, stored in any database, logged to any analytics service, or persisted in browser storage. Once you close the tab or generate a new password, the previous value is unrecoverable. This is fundamentally different from server-side generators that transmit your password over the network and may store or log it.
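The generation step described above, as an added example (not the page's own script): it draws 32-bit values from crypto.getRandomValues(), quantifies why a plain `value % poolSize` reduction is very slightly non-uniform, and uses rejection sampling so every symbol in the pool is exactly equally likely. The 72-symbol pool and the six-word list are constructed here; the tool's actual pool is an assumption, and the random source is injected so the same code runs in a browser or in Node.

```javascript
// Added example: character-by-character generation from a Web Crypto CSPRNG.
function webCryptoUint32() {
  return globalThis.crypto.getRandomValues(new Uint32Array(1))[0];
}

// Number of symbols that get one extra draw when a `bits`-wide random value is
// reduced with `% poolSize`. 2^8 % 72 = 40: with single bytes, 40 symbols would
// be 4/3 as likely as the other 32. With 32-bit draws the excess is 40/2^32,
// negligible in practice, but rejection sampling removes it at almost no cost.
function modBiasedSymbols(poolSize, bits) {
  return (2 ** bits) % poolSize;
}

// Uniform index in [0, poolSize): discard draws in the short tail above the
// largest multiple of poolSize that fits in 32 bits, then reduce.
function unbiasedIndex(poolSize, nextUint32 = webCryptoUint32) {
  const limit = 2 ** 32 - ((2 ** 32) % poolSize);
  let v;
  do {
    v = nextUint32();
  } while (v >= limit);
  return v % poolSize;
}

// Random password over a character pool, one uniform pick per position.
function generatePassword(length, pool, nextUint32 = webCryptoUint32) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += pool[unbiasedIndex(pool.length, nextUint32)];
  }
  return out;
}

// Diceware-style passphrase: the same selection over a word list instead.
function generatePassphrase(wordlist, count, nextUint32 = webCryptoUint32) {
  const words = [];
  for (let i = 0; i < count; i++) {
    words.push(wordlist[unbiasedIndex(wordlist.length, nextUint32)]);
  }
  return words.join('-');
}

// Constructed 72-symbol pool (26 + 26 + 10 digits + 10 symbols) and a stand-in
// for a 7,776-word Diceware list.
const POOL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_';
const SAMPLE_WORDS = ['correct', 'horse', 'battery', 'staple', 'remark', 'kite'];

if (globalThis.crypto) { // Web Crypto present: browsers and recent Node
  console.log(generatePassword(16, POOL));
  console.log(generatePassphrase(SAMPLE_WORDS, 4));
}
```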
