Password Generator — Free Strong Passwords
Generate strong, secure random passwords instantly. Customise length, include uppercase, lowercase, numbers and symbols. Strength meter, bulk generate and copy with one click. Free, private, no sign-up.
🔐 Password Generator
Create strong, secure random passwords instantly. Customise length, characters, and strength. Everything runs in your browser — nothing is stored.
Bulk Passwords
What Makes a Password Strong?
Password strength depends primarily on length and randomness. A 16-character password using uppercase, lowercase, numbers, and symbols has approximately 95^16 possible combinations — that is over 4.4 x 10^31 possibilities. At 10 billion guesses per second, it would take trillions of years to brute-force. The most important rule: never reuse passwords across sites, and use a password manager to store them all securely.
How This Password Generator Works
This generator creates passwords using your browser's built-in cryptographic random number generator (crypto.getRandomValues) when available, falling back to Math.random(). Your password is generated entirely on your device — nothing is sent to any server, stored in any database, or logged anywhere. The source code runs in the page and can be inspected.
Password Length and Crack Time
| Length | Character Set | Combinations | Crack Time (10B/sec) |
|---|---|---|---|
| 8 chars | Lowercase only | 209 billion | 21 seconds |
| 8 chars | Mixed + numbers + symbols | 6.6 quadrillion | 7.6 days |
| 12 chars | Mixed + numbers + symbols | 5.4 x 10^23 | 1.7 million years |
| 16 chars | Mixed + numbers + symbols | 4.4 x 10^31 | 140 trillion years |
| 20 chars | Mixed + numbers + symbols | 3.6 x 10^39 | Effectively forever |
Every additional character multiplies the difficulty exponentially. Going from 8 to 16 characters doesn't double security — it increases it by a factor of billions.
Password Security Best Practices
- Use 16+ characters: Length matters more than complexity. A 20-character lowercase password is stronger than an 8-character complex one.
- Never reuse passwords: If one site is breached, attackers try your credentials on every other service (credential stuffing).
- Use a password manager: Bitwarden (free), 1Password, KeePass, or your browser's built-in manager. They generate and store unique passwords for every account.
- Enable two-factor authentication (2FA): Even if your password is stolen, 2FA blocks unauthorised access. Use an authenticator app over SMS.
- Never share passwords: Legitimate services will never ask for your password via email, phone, or message.
- Check for breaches: Use haveibeenpwned.com to check if your email or passwords have appeared in known data breaches.
Common Password Mistakes
- "Password123!" — Adding a number and symbol to a common word doesn't make it secure. Attackers try these patterns first.
- Personal info: Names, birthdays, pet names, and postcodes are easily guessable from social media.
- Dictionary words: Even uncommon words are cracked in seconds. Dictionary attacks test every word in every language.
- Keyboard patterns: "qwerty", "123456", "asdfgh" — these are in every attacker's wordlist.
- Slight variations: "P@ssw0rd" is not clever. Attackers use rules that substitute letters with numbers and symbols.
Passphrase Alternative
A passphrase like "correct-horse-battery-staple" (four random words) is both strong and memorable. With a 7,776-word list (like Diceware), four words give ~10^15 combinations. Passphrases work well for master passwords you need to remember. For everything else, use generated random passwords stored in a manager.
Two-Factor Authentication (2FA)
2FA adds a second layer beyond your password — typically a time-based code from an app like Google Authenticator or Authy. Even if an attacker has your password, they can't access your account without the second factor. Enable 2FA on every account that supports it, especially email, banking, and social media. Authenticator apps are more secure than SMS-based 2FA.
Related Tools
Frequently Asked Questions
At least 12 characters, ideally 16+. Every additional character makes it exponentially harder to crack.
No. Everything runs in your browser. Nothing is sent to any server or logged.
Never. Use a unique password for every account. Store them in a password manager.
Length is most important. A 16-character random password with mixed characters would take trillions of years to crack.
Yes. Bitwarden (free), 1Password, or KeePass are recommended. They generate and store unique passwords for every account.
No. Attackers use substitution rules that test these variations automatically. Use a fully random generated password instead.