TXT · Text & Data tools

Password & Passphrase Generator

Generated Output
StrengthVery strong
129.2 bitsentropy88 charspoollonger than the age of the universeoffline crack time

Entropy is the only number that matters

Password strength rules (“one uppercase, one symbol”) are proxies. The real measure is entropy: how many equally likely possibilities an attacker must search. This generator computes it exactly from your settings and shows it live. Each character drawn from a 94-character pool adds about 6.6 bits; each word drawn from a 2048-word list adds exactly 11.

Rules of thumb: 40 bits falls to a determined attacker in hours, 60 bits is reasonable for accounts behind rate limiting, 80 bits resists serious offline cracking, and 100+ bits is beyond any realistic attack. The crack-time estimate translates the bits into time at 10 billion guesses per second, an achievable rate against fast hashes like unsalted SHA-256.

Password mode

Random characters from the sets you enable: uppercase, lowercase, digits, and symbols, from 8 to 64 characters. All four sets at length 20 gives about 131 bits.

Exclude ambiguous strips look-alike characters (I, l, 1, O, 0, and similar) for secrets that will be read and retyped, such as a Wi-Fi password on a whiteboard. The entropy display drops slightly to reflect the smaller pool, which is the honest accounting most generators skip.

Passphrase mode

Words drawn from the BIP39 wordlist, the same 2048-word list that secures cryptocurrency wallets. Its words are chosen to be short, common, and distinct in their first four letters, which makes phrases easy to type without error.

Five words (55 bits) suits most account passwords; six or seven (66 to 77 bits) suits a password manager’s master password, which is worth the extra typing since it unlocks everything else. Capitalize words and the separator choice exist to satisfy complexity rules, not to add strength: the security is in the word choice, which is why the bits display does not change when you toggle them. Add a digit appends a random digit to a random word and does add a few bits.

PIN mode

Random digits for device unlock codes and similar low-entropy contexts. A 6-digit PIN carries just under 20 bits, which only works when the verifier enforces lockouts after a few attempts; the crack-time estimate makes clear how fast a PIN falls without that protection.

Randomness details

All selection uses crypto.getRandomValues with rejection sampling. The naive random() % poolSize approach makes earlier pool characters slightly more likely whenever the pool size does not divide the generator’s range evenly; rejection sampling discards the biased region entirely, so every character and word is exactly equally likely.

Frequently Asked Questions

Three kinds of secrets: random character passwords with configurable length and character sets, passphrases built from a 2048-word list with your choice of separator, and numeric PINs. A count setting generates a batch, one per line.

Every random choice uses the Web Crypto API (crypto.getRandomValues), the browser's cryptographically secure generator, with rejection sampling so no character is statistically favored. Math.random is never involved.

Strength is measured in entropy bits, shown live. Each word from the 2048-word list adds 11 bits, so a 5-word passphrase carries 55 bits, comparable to a 9-character random password using all character sets, and far easier to type and remember.

An offline attacker guessing 10 billion passwords per second against a fast hash, finding the password after half the search space on average. Against a properly slow hash like bcrypt or Argon2, real attacks run millions of times slower.

It removes characters that look alike in many fonts, such as I, l, 1, O, and 0. Use it for passwords someone will read from paper or a screen and retype. It slightly reduces entropy per character, and the bits display reflects that.

No. Generated secrets exist only on the page and are never written to the URL; only your settings like length and character sets appear there. Regenerating or closing the tab discards them.

Explore Our Tools

Browse all tools