BrowserTools
Advertisement
Home / Generators / Password & Passphrase Generator

Password & Passphrase Generator

Generate strong random passwords and memorable passphrases locally, fully customizable.

Loading Password & Passphrase Generator… If nothing happens, please enable JavaScript.

Frequently asked questions

Are generated passwords ever sent to a server?
No. Every password or passphrase is generated entirely inside your browser using the Web Crypto API. The result never leaves your device, and there is no network request associated with the generation step.
What random number generator is used under the hood?
The tool calls `crypto.getRandomValues`, a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) built into every modern browser. It seeds itself from the operating system's entropy sources, such as hardware interrupts and timing noise, making its output unpredictable and non-reproducible.
How strong is a 16-character random password?
A 16-character password drawn from a 94-character printable ASCII set has approximately 105 bits of entropy. At a trillion guesses per second — far beyond what any current hardware achieves against a properly hashed password — it would take longer than the age of the universe to brute-force.
When should I use a passphrase instead of a password?
Use a passphrase when you need to memorise the secret — for example, your password manager's master password or a device encryption key. A 5-word passphrase from a list of 7,776 words (the Diceware standard) provides about 64 bits of entropy and is far easier to recall than a random character string of equivalent strength.
How does this compare to my browser's built-in password suggestion?
Browser-generated passwords are also cryptographically random and equally strong. The advantage of this tool is customisation: you can control length, character sets, word count, separator characters, and whether to start with the classic pattern. You are also not locked into any particular browser's password manager ecosystem.
What does 'entropy' actually mean for a password?
Entropy measures how many equally likely possibilities an attacker must consider. Each additional bit of entropy doubles the search space. A password with 40 bits of entropy has about one trillion possible values; one with 80 bits has roughly one quintillion. Higher entropy directly translates to longer expected cracking time.
Can I generate passwords for high-security contexts like encryption keys?
For symmetric encryption keys or other cryptographic material, you should use a dedicated key-derivation function such as PBKDF2 or Argon2, not a text password. However, this tool is appropriate for generating strong passphrases that are then fed into a KDF, or for creating random secrets that will be hashed before storage.
What is the most common password-generation mistake?
Choosing a length that feels long but is actually weak — for example, an 8-character password, even with all character classes, has fewer than 53 bits of entropy and can be cracked offline in hours with modern GPU rigs. NIST now recommends a minimum of 15–20 characters for sensitive accounts.
Does the tool support excluding ambiguous characters like O, 0, I, and l?
Yes. The ambiguous-character exclusion option removes characters that are visually similar and cause transcription errors when typing a password from a screen. This option is most useful when you need to read the password aloud or enter it on a device without copy-paste.
What happens if I generate a password and then close the tab?
The password is gone — the tool intentionally stores nothing. This is a feature: it prevents credentials from being recovered from browser storage, local storage, or cookies. Always copy the result immediately into a password manager before navigating away.

About Password & Passphrase Generator

Strong, unique passwords are the single most effective protection against account takeovers and credential-stuffing attacks. A password's strength is measured in entropy — essentially the number of unpredictable bits an attacker must guess. This tool generates cryptographically random passwords and human-friendly passphrases entirely in your browser using the Web Crypto API's `window.crypto.getRandomValues`, which draws from the operating system's entropy pool and is suitable for security-critical applications.

Developers use strong password generators when seeding test environments, creating API keys, or provisioning initial credentials for new accounts. Businesses rely on them during onboarding workflows. Everyday users benefit when setting up new accounts, especially on sites that don't enforce strong password policies. A randomly generated 16-character password is vastly stronger than a memorable but predictable one like "Summer2024!".

This tool operates entirely client-side. The moment you click Generate, the result is computed in your browser tab and is never transmitted anywhere. There are no analytics hooks on the generation event, no logging, and no server involvement of any kind. You choose the character set — uppercase, lowercase, digits, symbols — and the length, and the tool assembles a password using a cryptographically secure random selection from that set.

NIST Special Publication 800-63B recommends prioritising password length over complexity. A 4–6 word passphrase drawn from a large dictionary (the so-called "correct-horse-battery-staple" approach, popularised by the XKCD comic strip) can exceed 60 bits of entropy while remaining memorisable — often stronger than a short password packed with symbols. Use random passwords when storing credentials in a password manager, and consider passphrases only for secrets you must type from memory, such as your master password or device unlock PIN.

From Mechanical Combination Locks to Cryptographic Entropy: A Brief History of Passwords

The word "password" predates computers by millennia — Roman sentries used watchwords to authenticate allies in darkness. Digital passwords emerged in the 1960s with MIT's Compatible Time-Sharing System (CTSS), where Fernando Corbató introduced per-user passwords to keep research files private. In those early days passwords were stored in plaintext, and the first known password breach occurred almost immediately when a colleague printed the entire password file by accident.

The practice of hashing passwords to protect them in storage was formalised in the Unix crypt system in 1976, which used a modified DES algorithm. This laid the groundwork for the modern principle that even system administrators should never see your password. Over the following decades, rising compute power steadily eroded the safety of short passwords, driving the recommendations for minimum length from 6 characters in the 1980s, to 8 in the 2000s, to the 15–20 characters recommended by NIST today.

The "correct-horse-battery-staple" passphrase concept was popularised by Randall Munroe's XKCD comic strip 936 in 2011, which demonstrated visually that four common words chosen at random produce more entropy than a shorter, symbol-laden password that people typically construct. The comic went viral among security professionals and influenced NIST's 2017 revision of SP 800-63B, which explicitly deprioritised mandatory complexity rules in favour of length and advising against frequent forced password rotations — a practice that research showed led users to make predictable, incremental changes rather than genuinely stronger passwords.

Related tools

Hash Generator (SHA-1, SHA-256, SHA-384, SHA-512)

Compute cryptographic hashes of text or files locally, SHA-1, SHA-256, SHA-384 and SHA-512.

QR Code Generator

Generate QR codes for URLs, text, Wi-Fi credentials and contact cards. Download as PNG or SVG.
Advertisement