How long should a password be?

At minimum 12 characters, but 16+ is recommended. Longer passwords are exponentially harder to crack. A 20-character password with mixed characters is essentially unbreakable by brute force.

Is this password generator secure?

Yes, the password is generated entirely in your browser using JavaScript's crypto API. No password is ever sent to a server or stored anywhere.

What makes a strong password?

Length is the most important factor, followed by character variety. Use uppercase, lowercase, numbers, and symbols. Avoid dictionary words, personal information, and common patterns like "123" or "abc".

Should I memorize generated passwords?

No. Use a password manager. The whole point of generating random passwords is that they're too random to memorize, and the manager fills them in automatically.

Password Generator

Create strong, random passwords with your preferred length and character options. The calculator shows password strength, entropy bits, and estimated time to crack. All generation happens in your browser with no data sent to any server.

A strong password is one that can't be guessed, looked up, or brute-forced in any practical amount of time. The single biggest factor in password strength is length, followed by the character set used. A 16-character random password drawn from 95 printable ASCII characters has about 105 bits of entropy — orders of magnitude beyond what current and foreseeable computing can brute-force.

This generator creates passwords using the browser's cryptographic random number generator (window.crypto.getRandomValues), which is the same source security-sensitive code uses. Nothing is sent to any server. You choose the length and character classes (uppercase, lowercase, digits, symbols), and the generator produces a password along with an entropy estimate and time-to-crack figure based on standard offline-hash assumptions.

Combine a strong generated password with a password manager (1Password, Bitwarden, Apple Keychain, etc.) and you've solved most of the practical password-security problem for individual accounts. The remaining risks — phishing, credential stuffing from breaches at sites you don't control — are addressed with two-factor authentication and unique passwords per site.

Inputs

Password Length

Include Uppercase (A-Z)

Include Lowercase (a-z)

Include Numbers (0-9)

Include Symbols (!@#$...)

Results

Generated Password

4!U.{@}86#L&CUxH

Strength

Very Strong

Entropy

103 bits

Crack Time

Billions of years+

Password Details

Detail	Value
Password Length	16 characters
Character Set Size	88 characters
Entropy	103.4 bits
Strength	Very Strong
Crack Time (10B/sec)	Billions of years+

Last updated: April 16, 2026

Formula

Entropy (bits) = log₂(charset_size ^ length) = length × log₂(charset_size) Character set sizes: Lowercase only: 26 Lowercase + uppercase: 52 Letters + digits: 62 Letters + digits + 32 symbols: 94 Time to crack (offline, fast attacker at 100 billion guesses/sec): Time = 2^entropy / 100,000,000,000 / 2 (average half search space) Examples: 8-char lowercase: ~38 bits → seconds 12-char mixed: ~71 bits → ≈ 60 days 16-char mixed: ~105 bits → ≈ 10²¹ years (heat-death-of-universe scale) Entropy doubles for every extra "bit" of character. Going from 8 to 16 characters with the same charset more than doubles the entropy — it squares the search space.

How to use this calculator

Choose a length. 16 characters is a sensible default for accounts you log in to manually; 24+ for high-value accounts (banking, email, password manager itself).
Choose which character classes to include. More classes = larger charset = stronger password for the same length.
Generate. Copy the result and store it in a password manager rather than memorizing it.
Use a unique password for every site. The biggest risk is credential reuse — when site A is breached and you used the same password at site B, attackers will try it at B.
Enable two-factor authentication (2FA) on every account that supports it, especially email and your password manager. 2FA is more impactful than any password choice.

Worked examples

Site password

16 characters, all classes enabled Example output: K9#mp2$xRq7nVw4! Entropy: ≈ 105 bits Brute-force time: practically infinite at current speeds Store this in a password manager; don't try to remember it.

Passphrase alternative

For passwords you need to type frequently (laptop login, password manager master password), a 4–6 word random passphrase is easier to remember than random characters and can be just as strong: correct-horse-battery-staple-bonus ≈ 65 bits entropy if words are truly random from a large list Combine with 2FA for very strong security.

When to use this calculator

Use this any time you create a new account or change a compromised password. Store the result in a password manager rather than a sticky note or text file.

The minimum length to use for different contexts: - Forum or low-stakes site you might never visit again: 12+ chars - Banking, government, healthcare: 16+ chars - Email (because it controls password resets everywhere else): 20+ chars - Password manager master password: 24+ chars OR a long random passphrase

Pair every generated password with 2FA where supported. NIST guidance (SP 800-63B) supports very long passwords without forced-rotation, and discourages mandatory complexity rules — but real-world account security depends more on uniqueness per site and 2FA than on any specific character recipe.

Common mistakes to avoid

Reusing the same password across multiple sites. One breach exposes all of them.
Picking a password that looks random but is a pattern (Qwerty123!, P@ssw0rd!). Attackers run these first.
Storing passwords in a browser without a master password. Browser-stored passwords are accessible to anyone who unlocks the device.
Forgetting that 2FA matters more than complexity. A 25-character master password with no 2FA is weaker than a 12-character password with 2FA + hardware key.
Writing passwords on paper near the computer. Common in offices.
Using "memorable" substitutions (3 for E, 0 for O, $ for S). Attackers know these.

Frequently Asked Questions

Sources & further reading

NIST Digital Identity Guidelines (SP 800-63B) — U.S. National Institute of Standards and Technology
CISA password guidance — U.S. Cybersecurity and Infrastructure Security Agency

SponsoredShop Top Deals on AmazonSupport CalcMountain — browse top-rated products at no extra cost to you.

Related Calculators

IP Subnet Calculator

Calculate subnet mask, network address, broadcast, and usable host range from CIDR.

Color Converter

Convert colors between HEX, RGB, and HSL formats.