Options
Every selected set is guaranteed to appear at least once. A few sites reject some symbols - if one does, just generate again without them.
Words are drawn from a curated 1,024-word list, so each word adds exactly 10 bits of entropy. Capitalization is predictable and adds none - it is there for sites that demand an uppercase letter.
PINs are only safe where guesses are limited - like a phone lock screen or bank card that locks after a few attempts. Never use a PIN as a website password.
Recent (this session only)
Passwords you generate with the New button or copy appear here, so a click-happy finger never loses one. History lives in memory only - it is never saved, and disappears when you leave this page.
Powered by your browser's built-in cryptographic random number generator (CSPRNG) with unbiased rejection sampling - not the guessable Math.random() many tools use.
No network requests, no analytics, no storage. Generated passwords exist only on your screen and in session memory - gone the moment you leave.
No sign-up, no limits, no ads chasing you around. It even keeps working offline once the page has loaded.
How long does it take to crack a password?
It depends almost entirely on two things: how long the password is, and how many different character sets it draws from. Each extra character multiplies the number of possibilities, which is why a 16-character password is not twice as strong as an 8-character one - it is quadrillions of times stronger. Here is the time needed to try every combination at one trillion guesses per second, the speed of a serious offline attack:
| Length | Lowercase only | Letters + digits | Letters, digits + symbols |
|---|---|---|---|
| 8 characters | instant | 4 minutes | 2 hours |
| 10 characters | 2 minutes | 10 days | 2 years |
| 12 characters | about a day | 100 years | 15,000 years |
| 14 characters | 2 years | 400,000 years | 130 million years |
| 16 characters | 1,400 years | 1.5 billion years | 1 trillion years |
| 20 characters | 630 million years | 22 quadrillion years | 90 quintillion years |
Real attackers rarely start with brute force: they first try leaked passwords, dictionary words, and predictable patterns like Summer2026!. That is exactly why generated randomness matters - a truly random password appears on no list anywhere, so exhaustive search is the only attack left, and the table above shows how hopeless that is.
Password vs. passphrase: which should you use?
A passphrase is a sequence of random words - the famous correct horse battery staple idea from the xkcd comic. Words are dramatically easier for humans to remember and type than symbol soup, and when each word is chosen at random from this tool's 1,024-word list, every word contributes exactly 10 bits of entropy. Six words gives 60 bits - roughly as strong as a fully random 9-character password using all character sets - while being far easier to memorize.
Passphrases shine brightest against realistic attack speeds. Sites that store passwords properly use deliberately slow hashes such as bcrypt, which cut attackers from a trillion guesses per second to a few hundred thousand:
| Words | Entropy | Fast hash | Slow hash (bcrypt) |
|---|---|---|---|
| 4 words | 40 bits | about a second | 2 months |
| 5 words | 50 bits | 19 minutes | 180 years |
| 6 words | 60 bits | 13 days | 180,000 years |
| 7 words | 70 bits | 37 years | 190 million years |
| 8 words | 80 bits | 38,000 years | 190 billion years |
A sensible split: use long random passwords from a password manager for the hundreds of accounts it fills in for you, and a 6–8 word passphrase for the few secrets you must actually type or remember - your manager's master password, your computer login, your disk encryption.
How to create a strong password (and keep it strong)
- One account, one password. Reuse is how a forum breach becomes a bank breach: attackers replay leaked credentials everywhere, an attack called credential stuffing.
- Length beats cleverness. Current NIST guidance (SP 800-63B) favors long passwords over composition rules and drops forced periodic resets - change a password when there is evidence of compromise, not on a calendar.
- Use a password manager. It remembers hundreds of unique random passwords so you only ever memorize one great passphrase.
- Turn on two-factor authentication - or better, passkeys - so a stolen password alone is not enough to get in.
- Check your exposure. See whether your email appears in known breaches at Have I Been Pwned, and change any password involved.
- Keep secrets out of plain text. Never store passwords in notes files, email drafts, or chat messages.
The 10 most common passwords in the world
Analyses of breached credential lists find the same strings at the top year after year. Every one of them cracks instantly:
| Rank | Password | Time to crack |
|---|---|---|
| 1 | 123456 | instant |
| 2 | 123456789 | instant |
| 3 | 12345678 | instant |
| 4 | password | instant |
| 5 | qwerty123 | instant |
| 6 | qwerty1 | instant |
| 7 | 111111 | instant |
| 8 | 12345 | instant |
| 9 | secret | instant |
| 10 | 123123 | instant |
Frequently asked questions
Is it safe to use an online password generator?
It depends on the generator. This one is safe by design: passwords are created by the cryptographic random number generator built into your own browser, the page makes no network requests, and nothing you generate is ever transmitted, logged, or stored. You can verify this yourself - watch the network tab in your browser's developer tools, or load the page once and use it with Wi-Fi turned off.
How long should a password be in 2026?
Use at least 16 random characters for anything important, or a passphrase of six or more words. Current NIST guidance recommends length over complexity rules - a longer simple password beats a short convoluted one. Every character you add multiplies the work an attacker must do, so length is the cheapest security upgrade there is.
What is the strongest type of password?
A long, fully random string using all four character sets is strongest per character - a random 20-character password has about 131 bits of entropy and is effectively uncrackable with today's hardware. For passwords you must remember or type by hand, a six-to-eight word passphrase is a better balance: slightly fewer bits, far easier to recall, and much faster to type on a phone.
Are passphrases really as secure as random passwords?
Yes, when the words are chosen randomly rather than invented. Each word drawn from this tool's 1,024-word list adds exactly 10 bits of entropy, so six words gives 60 bits and eight words gives 80 - comparable to a fully random 12-character password. The security comes from random selection: a lyric, quote, or sentence you thought up yourself is dramatically weaker, because attackers try those first.
How accurate are the time-to-crack estimates?
They assume a worst-case offline attack: someone who has stolen your password's hash trying one trillion guesses per second, roughly what a rack of modern GPUs achieves against a fast hash like NTLM or MD5. Real conditions are usually far better for you - websites throttle login attempts to a handful per minute, and slow hashes like bcrypt cut attack speed by a factor of millions. Treat the estimate as a conservative floor, not a guarantee.
Do you store or ever see the passwords I generate?
No. Generation happens entirely on your device, the page makes no network requests, and there are no analytics or trackers. Nothing is written to disk either - this tool deliberately has no autosave, and the recent-passwords panel lives only in memory and vanishes the moment you close or reload the tab.
Why is reusing a password so dangerous?
Because breaches are routine. When any site you use is hacked, criminals take the leaked email and password pairs and automatically try them on banks, email providers, and shops - an attack called credential stuffing that succeeds against a meaningful share of accounts. A unique random password for every site means one breach compromises one account instead of your whole digital life. This is the problem password managers solve.
Does this password generator work offline?
Yes. The entire tool is one self-contained page with no server calls, and the random number generator is part of your browser itself - so once the page has loaded, it keeps working without a connection. You can save it to your device and generate passwords anywhere.