Security
Email Validator
Instantly check if an email address is valid with normalized output and clear error messages.
Security
Password Generator
Generate strong, cryptographically secure passwords — or memorable passphrases — with a live strength meter, crack-time estimate, and entropy in bits. Everything runs in your browser. Nothing is sent over the network.
Tool Summary Answer Block
This tool accepts structured input and returns deterministic output in the browser with no server upload.
- Tool name
- Password Generator
- Input intent
- Provide source content to transform, validate, or analyze.
- Output intent
- Receive normalized output suitable for copy, reuse, or debugging.
- Example input
- Password · 20 chars · all sets · exclude look-alikes
- Example output
- qH7%vT9#kLp2Bc$eNr4X
Select at least one character set.
Very weak0 bits · crack time ~instantly
Shortcuts: Space regenerate · C copy
Passwords are generated locally using your browser's cryptographic random number generator. They are never transmitted, stored, or logged.
How to create a strong password you'll actually remember
Attackers don't guess your password one character at a time — they run billions of leaked-hash attempts per second against every common pattern humans invent. The only defence that scales is length and unpredictability. Here's the short version.
- 1
Make it long
Aim for 16+ random characters or 5+ random words. Every extra character multiplies the attacker's work.
- 2
Make it random
Let the generator pick. Human-chosen "random" words cluster around pets, dates, bands — all in the attacker's dictionary.
- 3
Never reuse
One password per site. When a site gets breached (they all do), credential-stuffing bots try your password everywhere else first.
The memorable-but-strong formula
Switch to Passphrase mode above, generate 5–6 random words, then add a personal twist only you would apply — a capitalization rule, a separator of your choice, a digit you associate with the account. Example: Cedar.Mango.Orbit.Rustic.Piano7 is ~67 bits (centuries to crack) and takes two minutes to memorize.
Need a deeper dive? Read our full guides on creating a strong password and the difference between good passwords vs bad passwords.
What Google, Apple, Microsoft & friends actually require
These are minimums, not targets. Every one of these services happily accepts a 20-character random password or a 5-word passphrase — exactly what this tool produces.
| Service | Minimum | Notes |
|---|---|---|
| 8 chars | Blocks known-breached passwords via Password Checkup | |
| Apple ID | 8 chars | Requires uppercase + lowercase + digit |
| Microsoft | 8 chars | At least 2 of: upper, lower, digit, symbol |
| Facebook / Meta | 6 chars | Rejects common and breached passwords |
| Amazon | 6 chars | Low floor — use 16+ and a password manager |
| GitHub | 15 chars (or 8 + a digit + lowercase) | Actively blocks breached passwords |
| Banks (typical) | 8–12 chars | Often cap at 20 — use the longest allowed |
Password length cheat sheet: 8, 12, 15, 16, 20 characters
Each extra character multiplies the attacker's work. Entropy below assumes all four character sets (uppercase, lowercase, digits, symbols — pool size 94) and an offline attacker running 100 billion guesses per second.
| Length | Entropy | Crack time | Good for |
|---|---|---|---|
| 8 chars | ~52 bits | days | Legacy systems that cap here. Absolute floor. |
| 12 chars | ~79 bits | centuries | Forums, low-value sites; minimum target today. |
| 15 chars | ~98 bits | millions of years | GitHub default minimum; general-purpose. |
| 16 chars | ~105 bits | billions of years | Recommended default for most accounts. |
| 20 chars | ~131 bits | heat death territory | Email, banking, cloud admin, crypto exchanges. |
| 32 chars | ~210 bits | effectively forever | API keys, encryption keys, service secrets. |
| 64 chars | ~420 bits | effectively forever | Master keys and key-derivation seeds. |
Tip: click the 8 / 12 / 15 / 16 / 20 / 32 / 64 chips under the length slider to jump straight to any of these targets.
Passphrase length: 3, 4, 5, 6, or 7 words?
Each random word from the EFF short wordlist adds ~10.3 bits of entropy. Capitalization and an appended digit add a little more.
| Words | Entropy | Recommended for |
|---|---|---|
| 3 words | ~31 bits | Casual Wi-Fi, throwaway accounts — not for anything important. |
| 4 words | ~41 bits | Low-risk sites. Still below what a determined attacker can crack. |
| 5 words | ~52 bits | Good default for most accounts; the standard EFF diceware recommendation. |
| 6 words | ~62 bits | Email, primary accounts, laptop login, disk encryption. |
| 7 words | ~72 bits | Password-manager master password, SSH key, recovery phrase. |
Which password manager should I use?
Generating a strong password is step one. Storing it where you'll never lose it — and where it autofills across devices — is step two. Any of these is a massive upgrade over reusing passwords.
| Manager | Free tier | Notable for |
|---|---|---|
| Bitwarden | Unlimited | Open source, cross-platform, audited. |
| 1Password | Trial only | Polished UX; Watchtower breach alerts. |
| Apple Passwords | Free (Apple ID) | Built into iOS/macOS with passkey support. |
| Google Password Manager | Free (Google) | Built into Chrome/Android; breach check included. |
| Proton Pass | Generous free | End-to-end encrypted; email aliases built in. |
| LastPass | Free (1 device type) | Widely used; historic breaches warrant caution. |
| Norton Password Manager | Free | Bundled with Norton 360 suites. |
| KeePassXC | Free (local file) | Fully offline; you control the vault file. |
Whichever you pick, protect it with a 6–7 word passphrase generated above, and turn on two-factor authentication.
Related security tools on this site
- Hash generatorMD5, SHA-1, SHA-256, SHA-512 — hash any string in your browser.
- htpasswd generatorApache / Nginx Basic Auth credentials with APR1-MD5 or SHA-1.
- Random string generatorTokens and IDs with prefix/suffix and ambiguous-char exclusion.
- UUID generatorBatch-generate RFC 4122 v4 UUIDs for primary keys and API IDs.
Do
- Use a password manager (Bitwarden, 1Password, Apple Passwords)
- Generate a unique password for every account
- Turn on two-factor — prefer app codes or passkeys over SMS
- Check your emails on Have I Been Pwned and rotate breached ones
Don't
- Use names, birthdays, pets, phone numbers, or dictionary words on their own
- Reuse the same password across sites — one breach unlocks all of them
- Rely on leetspeak tricks like P@ssw0rd! — attackers have those mappings built in
- Rotate on a fixed schedule — rotate when breached, not by calendar
Tool Introduction
Generate strong, cryptographically secure passwords — or memorable passphrases — with a live strength meter, crack-time estimate, and entropy in bits. Everything runs in your browser. Nothing is sent over the network.
Tool Overview
Password strength is measured in bits of entropy: the logarithm (base 2) of the number of possible values. A 16-character password drawn from 94 printable characters has about 105 bits — far beyond what any current or near-future attacker can brute-force. A five-word passphrase from the EFF short wordlist has about 52 bits, which is enough for most accounts and is dramatically easier to remember. This tool generates both, using the browser's crypto.getRandomValues source with rejection sampling to eliminate modulo bias. Use the strength meter to target Strong (90+ bits) for general accounts and Fortress (128+ bits) for email, banking, crypto wallets, and recovery codes.
Use Cases
- Create a master password for Bitwarden, 1Password, LastPass, or Apple Passwords that is strong enough to protect every other account you own
- Generate one-off account passwords for Google, Facebook, Apple ID, Microsoft, Amazon, or any site that accepts a long random string and paste them straight into your password manager
- Produce a memorable passphrase for work laptop login, SSH key passphrase, GPG key, disk encryption (FileVault / BitLocker / LUKS), or a recovery phrase you have to type by hand
- Seed API keys, database admin passwords, app secrets, and service account tokens during deployment — the exclude-look-alikes option keeps them copy-paste safe
- Roll a fresh Wi-Fi password after a guest leaves or a device is lost, long enough that WPA2 brute force is hopeless
- Reset a compromised password reported by Have I Been Pwned or your password manager's breach monitor without reusing old patterns
Input/Output Examples
Input Intent
Password · 20 chars · all sets · exclude look-alikes
Output Intent
qH7%vT9#kLp2Bc$eNr4X
Input Intent
Passphrase · 5 words · hyphen · capitalized · digit
Output Intent
Cedar-Mango-Orbit4-Rustic-Piano
Input Intent
Passphrase · 7 words · dot · no digit
Output Intent
aqua.bison.clever.fable.harbor.melody.quartz
FAQ
What makes a password strong?+
Length and unpredictability. A strong password is long (16+ characters for random, 5+ words for passphrases), drawn from a wide pool of possibilities, and never reused between accounts. Dictionary words, names, birthdays, keyboard patterns (qwerty, 1234), and leetspeak substitutions (p@ssw0rd) all fall instantly to modern attackers running 100 billion guesses per second against leaked hashes. The math that matters is entropy in bits — the higher, the longer it takes to crack. Aim for 90 bits or more for anything you care about.
How do I make a strong password that I can actually remember?+
Switch to Passphrase mode. Five random words from the EFF short wordlist give you roughly 64 bits of entropy and are dramatically easier to memorize than a random character string — your brain stores words far better than symbols. Add a capitalization rule and a digit for extra bits. For anything more sensitive, go to 6 or 7 words. The key word is random: pick the words from the generator, not from your head, because human-chosen "random" words (your pet, your street, your favorite band) cluster around the same few thousand guesses an attacker already has.
What do Google, Apple, Facebook, Microsoft, and Amazon require?+
Google requires at least 8 characters and blocks known-compromised passwords via its Password Checkup service. Apple ID requires 8+ characters with at least one uppercase, one lowercase, and one digit. Microsoft accounts require 8+ characters with at least two of: uppercase, lowercase, digits, symbols. Facebook/Meta requires 6+ characters and actively rejects common and breached passwords. Amazon requires 6+ characters. These are floors, not ceilings — in practice every one of these services accepts and benefits from a 20-character random password or a 5-word passphrase generated here. Store it in a password manager and you never type it again.
Password or passphrase — which should I use?+
Use a random password whenever a password manager is filling it for you (virtually every web account today). Use a passphrase when you have to type it yourself: the master password for your password manager, your OS login, disk encryption, SSH key, or a recovery phrase. Passphrases optimize for memorability and typing speed; random passwords optimize for density (more entropy per character).
Is the generated password safe? Does anything leave my browser?+
Nothing leaves your browser. All random bytes come from crypto.getRandomValues, the Web Crypto API's cryptographically secure source, which browsers implement with OS-level entropy (getrandom on Linux, BCryptGenRandom on Windows, SecRandomCopyBytes on Apple platforms). The generator uses rejection sampling so every character in the allowed set is equally likely — no modulo bias. The page has no analytics on the generated value and no server round-trip.
What are "look-alike" characters and should I exclude them?+
Exclude them if the password will ever be read aloud, printed, written down, or typed manually. The ambiguous set is 0 and O, 1 and l and I, and the vertical bar | which is easily confused with l or 1. Excluding 6 characters from a pool of 94 costs less than 1 bit of entropy at 20 characters — negligible compared to the time saved when someone misreads a zero as an O.
How often should I change my password?+
Only when it has been compromised, when you stop trusting a person who knew it, or when a service you use is breached. NIST dropped forced periodic rotation from its guidelines in 2017 because it drives users to weaker, more predictable passwords (Password1, Password2…). A strong, unique, non-reused password can stay in use indefinitely. What matters is never reusing it across sites and replacing it immediately if it appears in a breach.
Do I still need a password if I have two-factor authentication?+
Yes. 2FA protects you when your password leaks; a strong password protects you when your second factor is unavailable or when the service's 2FA is bypassed (SIM swap, session-token theft, social engineering). Use both, use a password manager, and prefer app-based (TOTP) or hardware-key (FIDO2 / passkey) factors over SMS.
Why 128 bits for "Fortress"?+
At 128 bits, even an attacker with a billion GPUs guessing a trillion times per second would need longer than the age of the universe to exhaust half the keyspace. It is the standard symmetric-key strength used by AES-128 and is overkill for a login password but appropriate for recovery codes, seed phrases, and any secret that protects other secrets (like a password-manager master password).
Is an 8-character password strong enough?+
No — not for anything you care about. A random 8-character password drawn from all 94 printable ASCII characters has about 52 bits of entropy, which falls to a determined offline attacker in days and to a well-resourced one in hours. 8 characters is the absolute floor accepted by Google, Apple, and Microsoft; it is not a recommendation. Use the 8-character preset only when a legacy system refuses anything longer, and turn on two-factor authentication to compensate.
Is a 16-character password strong enough?+
Yes, for virtually every online account. A 16-character random password using upper/lowercase, digits, and symbols has about 105 bits of entropy — beyond what any realistic attacker can brute-force within the lifespan of the universe. 16 characters is this generator's default and a sensible target for everything except password-manager master passwords and encryption keys (where 20+ is better).
How do I generate a 15-character or 20-character password?+
Click the 15 or 20 chip directly below the length slider in Password mode. The chips (8, 12, 15, 16, 20, 32, 64) jump the slider to any common target in one click. The strength meter updates instantly so you can see whether your chosen length clears Strong (90+ bits) or Fortress (128+ bits).
What is a 3-word or 4-word password generator?+
Switch to Passphrase mode and use the 3-words or 4-words preset. A 3-word passphrase from the EFF short wordlist has about 31 bits of entropy — fine for a guest Wi-Fi password but too weak for an account. 4 words (~41 bits) is the minimum for low-risk logins. For anything important, use 5–7 words.
What is the best password manager?+
Bitwarden for open-source transparency and unlimited free cross-device sync, 1Password for polished UX if you are willing to pay, Apple Passwords or Google Password Manager if you stay within one ecosystem, Proton Pass for end-to-end encryption with a generous free tier, and KeePassXC if you want a fully offline vault you control. Any of them is a dramatic improvement over reusing passwords. Pair whichever you pick with a 6–7 word passphrase master password generated here.
Is this a bcrypt or password-hash generator?+
No — this tool generates the passwords themselves. Bcrypt, Argon2, scrypt, and PBKDF2 are hashing functions you apply on the server after a user submits their password, so the stored value is not the password itself. If you need to hash text (MD5, SHA-1, SHA-256, SHA-512) for non-password purposes, use our Hash Generator; if you need Apache or Nginx Basic Auth credentials (APR1-MD5, SHA-1), use our htpasswd Generator.
Can I generate multiple passwords at once?+
Yes — the bulk selector below the main options generates 5, 10, or 25 passwords (or passphrases) at a time using the current settings. Each entry has its own copy button. Useful for seeding service accounts, onboarding a team, or rolling a stack of API keys.
What does "memorable password generator" mean?+
A memorable password is one you can actually remember without writing it down. Pure random strings like qH7%vT9#kLp2Bc$e score high on entropy but are brutal to type or recite. Passphrase mode in this tool solves both problems: 5–6 random dictionary words give you 50+ bits of entropy (Strong) in a form your brain can hold after reading it twice. This is exactly what security professionals now recommend over the old "password with random symbols" school.
Explore More Tools
Discover related utilities in the Security category below.
Related tools
Handpicked utilities you might find useful
Security
Email Extractor
Extract unique email addresses from text, logs, and messy documents in one click.
Security
htpasswd Generator
Generate .htpasswd credentials for Apache and Nginx Basic Auth. Create APR1-MD5 or SHA-1 entries, build multi-user files, and follow practical setup steps to protect folders with .htaccess or server config.