WB Password Generator

Generate strong random passwords, passphrases, and PINs with honest time-to-crack estimates. 100% private - nothing leaves your browser.

🔒 100% private - passwords are generated on your device and never sent, logged, or stored

Options

Every selected set is guaranteed to appear at least once. A few sites reject some symbols - if one does, just generate again without them.

Recent (this session only)

    Passwords you generate with the New button or copy appear here, so a click-happy finger never loses one. History lives in memory only - it is never saved, and disappears when you leave this page.

    Truly random

    Powered by your browser's built-in cryptographic random number generator (CSPRNG) with unbiased rejection sampling - not the guessable Math.random() many tools use.

    Private by design

    No network requests, no analytics, no storage. Generated passwords exist only on your screen and in session memory - gone the moment you leave.

    Free, forever

    No sign-up, no limits, no ads chasing you around. It even keeps working offline once the page has loaded.

    How long does it take to crack a password?

    It depends almost entirely on two things: how long the password is, and how many different character sets it draws from. Each extra character multiplies the number of possibilities, which is why a 16-character password is not twice as strong as an 8-character one - it is quadrillions of times stronger. Here is the time needed to try every combination at one trillion guesses per second, the speed of a serious offline attack:

    Time to exhaust all combinations at 10¹² guesses/sec (offline attack on a fast hash). Lowercase = 26 characters; letters + digits = 62; all printable = 94.
    LengthLowercase onlyLetters + digitsLetters, digits + symbols
    8 charactersinstant4 minutes2 hours
    10 characters2 minutes10 days2 years
    12 charactersabout a day100 years15,000 years
    14 characters2 years400,000 years130 million years
    16 characters1,400 years1.5 billion years1 trillion years
    20 characters630 million years22 quadrillion years90 quintillion years

    Real attackers rarely start with brute force: they first try leaked passwords, dictionary words, and predictable patterns like Summer2026!. That is exactly why generated randomness matters - a truly random password appears on no list anywhere, so exhaustive search is the only attack left, and the table above shows how hopeless that is.

    Password vs. passphrase: which should you use?

    A passphrase is a sequence of random words - the famous correct horse battery staple idea from the xkcd comic. Words are dramatically easier for humans to remember and type than symbol soup, and when each word is chosen at random from this tool's 1,024-word list, every word contributes exactly 10 bits of entropy. Six words gives 60 bits - roughly as strong as a fully random 9-character password using all character sets - while being far easier to memorize.

    Passphrases shine brightest against realistic attack speeds. Sites that store passwords properly use deliberately slow hashes such as bcrypt, which cut attackers from a trillion guesses per second to a few hundred thousand:

    Time to exhaust all combinations of words from a 1,024-word list. Fast hash = 10¹² guesses/sec; slow hash (bcrypt) = 200,000 guesses/sec.
    WordsEntropyFast hashSlow hash (bcrypt)
    4 words40 bitsabout a second2 months
    5 words50 bits19 minutes180 years
    6 words60 bits13 days180,000 years
    7 words70 bits37 years190 million years
    8 words80 bits38,000 years190 billion years

    A sensible split: use long random passwords from a password manager for the hundreds of accounts it fills in for you, and a 6–8 word passphrase for the few secrets you must actually type or remember - your manager's master password, your computer login, your disk encryption.

    How to create a strong password (and keep it strong)

    The 10 most common passwords in the world

    Analyses of breached credential lists find the same strings at the top year after year. Every one of them cracks instantly:

    Compiled from public analyses of breached credential lists. If your password is here - or anywhere close - change it today.
    RankPasswordTime to crack
    1123456instant
    2123456789instant
    312345678instant
    4passwordinstant
    5qwerty123instant
    6qwerty1instant
    7111111instant
    812345instant
    9secretinstant
    10123123instant

    Frequently asked questions

    Is it safe to use an online password generator?

    It depends on the generator. This one is safe by design: passwords are created by the cryptographic random number generator built into your own browser, the page makes no network requests, and nothing you generate is ever transmitted, logged, or stored. You can verify this yourself - watch the network tab in your browser's developer tools, or load the page once and use it with Wi-Fi turned off.

    How long should a password be in 2026?

    Use at least 16 random characters for anything important, or a passphrase of six or more words. Current NIST guidance recommends length over complexity rules - a longer simple password beats a short convoluted one. Every character you add multiplies the work an attacker must do, so length is the cheapest security upgrade there is.

    What is the strongest type of password?

    A long, fully random string using all four character sets is strongest per character - a random 20-character password has about 131 bits of entropy and is effectively uncrackable with today's hardware. For passwords you must remember or type by hand, a six-to-eight word passphrase is a better balance: slightly fewer bits, far easier to recall, and much faster to type on a phone.

    Are passphrases really as secure as random passwords?

    Yes, when the words are chosen randomly rather than invented. Each word drawn from this tool's 1,024-word list adds exactly 10 bits of entropy, so six words gives 60 bits and eight words gives 80 - comparable to a fully random 12-character password. The security comes from random selection: a lyric, quote, or sentence you thought up yourself is dramatically weaker, because attackers try those first.

    How accurate are the time-to-crack estimates?

    They assume a worst-case offline attack: someone who has stolen your password's hash trying one trillion guesses per second, roughly what a rack of modern GPUs achieves against a fast hash like NTLM or MD5. Real conditions are usually far better for you - websites throttle login attempts to a handful per minute, and slow hashes like bcrypt cut attack speed by a factor of millions. Treat the estimate as a conservative floor, not a guarantee.

    Do you store or ever see the passwords I generate?

    No. Generation happens entirely on your device, the page makes no network requests, and there are no analytics or trackers. Nothing is written to disk either - this tool deliberately has no autosave, and the recent-passwords panel lives only in memory and vanishes the moment you close or reload the tab.

    Why is reusing a password so dangerous?

    Because breaches are routine. When any site you use is hacked, criminals take the leaked email and password pairs and automatically try them on banks, email providers, and shops - an attack called credential stuffing that succeeds against a meaningful share of accounts. A unique random password for every site means one breach compromises one account instead of your whole digital life. This is the problem password managers solve.

    Does this password generator work offline?

    Yes. The entire tool is one self-contained page with no server calls, and the random number generator is part of your browser itself - so once the page has loaded, it keeps working without a connection. You can save it to your device and generate passwords anywhere.