Password Generator
Generate secure, random passwords with customizable length and character types.
Recent Passwords
Password Tips
- ✓Use at least 12 characters for better security
- ✓Include a mix of letters, numbers, and symbols
- ✓Use a unique password for each account
- ✓Consider using a password manager
Understanding Password Entropy & Strength
Password entropy measures the unpredictability and strength of a password in bits. Higher entropy means more possible combinations, making passwords exponentially harder to crack through brute force attacks.
| Entropy (bits) | Strength Level | Crack Time (10B guesses/sec) | Use Case |
|---|---|---|---|
| <28 | Very Weak | Instant | Never use |
| 28-35 | Weak | Minutes | Temporary/throwaway |
| 36-59 | Moderate | Hours to days | Low-security accounts |
| 60-79 | Strong | Years to decades | Standard accounts |
| 80-99 | Very Strong | Centuries | Important accounts |
| 100+ | Excellent | Beyond human timeframe | Critical security |
Character Set Sizes & Their Impact
The character pool size (R) dramatically affects password strength. Each additional character type increases the search space exponentially, making brute force attacks significantly more difficult.
| Character Set | Pool Size (R) | Bits per Character | 12-Char Entropy |
|---|---|---|---|
| Numbers only (0-9) | 10 | 3.32 | 39.9 bits |
| Lowercase (a-z) | 26 | 4.70 | 56.4 bits |
| Lower + Upper | 52 | 5.70 | 68.4 bits |
| Alphanumeric | 62 | 5.95 | 71.4 bits |
| + Common Symbols | 75 | 6.23 | 74.8 bits |
| All Printable ASCII | 95 | 6.57 | 78.8 bits |
| Extended ASCII | 191 | 7.58 | 90.9 bits |
Password Length Recommendations by Use Case
Password length is the single most important factor in password strength. Each additional character multiplies the search space by the character pool size, providing exponential security improvement.
| Use Case | Minimum Length | Recommended | Character Types |
|---|---|---|---|
| Forum/blog account | 10 | 12 | Mixed case + numbers |
| Email account | 12 | 16 | Full character set |
| Financial accounts | 14 | 20 | Full character set |
| Password manager master | 16 | 20+ | Full + memorable |
| Encryption keys | 20 | 24+ | Full character set |
| High-security systems | 24 | 32+ | Full character set |
Common Password Attack Methods & Defense
Understanding attack methods helps create passwords that resist real-world cracking attempts. Modern attackers use sophisticated techniques beyond simple brute force.
| Attack Type | Method | Speed | Defense |
|---|---|---|---|
| Brute Force | Try every combination | 10B-1T/sec (GPU) | Length + complexity |
| Dictionary Attack | Common words/passwords | Millions/sec | Avoid dictionary words |
| Rule-based | Common substitutions | Fast | Avoid predictable patterns |
| Rainbow Tables | Pre-computed hashes | Lookup speed | Salted hashes (server-side) |
| Credential Stuffing | Reused passwords | Rate-limited | Unique passwords |
| Phishing | User deception | Social engineering | 2FA + vigilance |
Weak Patterns to Avoid
Attackers know common password patterns and prioritize them in cracking attempts. These patterns reduce effective entropy far below theoretical calculations.
| Weak Pattern | Example | Problem | Better Alternative |
|---|---|---|---|
| Common substitutions | P@ssw0rd | In every cracking dictionary | Random generation |
| Keyboard patterns | qwerty123 | Easily enumerated | No sequential keys |
| Personal info | John1985! | Socially engineerable | No personal data |
| Dates | password2024 | Limited date range | Random numbers |
| Single case + number | password1 | Minimal entropy gain | Mixed throughout |
| Repeated characters | aaaa1111 | Reduces search space | Full randomization |
Passphrase vs Random Password Comparison
Passphrases use random words instead of characters, offering high entropy while remaining memorable. The Diceware method uses dice to select words from a standardized list.
| Method | Example | Entropy | Memorability |
|---|---|---|---|
| 4-word passphrase | correct horse battery staple | ~51 bits | Excellent |
| 5-word passphrase | piano giraffe meadow clock sunset | ~64 bits | Good |
| 6-word passphrase | oak lunch river phone sand dream | ~77 bits | Moderate |
| 12-char random | Xk9$mP2&nQ7! | ~78 bits | Poor |
| 16-char random | aB3$kM9&pQ2!xN7@ | ~105 bits | Very Poor |
| 20-char random | Hk2$bN9&mP4!qR7@xL5% | ~131 bits | Use manager |
Worked Examples
Calculating Password Entropy
Problem:
A user generates a 16-character password using all printable ASCII characters (95 total). Calculate the entropy.
Solution Steps:
- 1Identify the formula: Entropy = L × log₂(R)
- 2L = 16 characters, R = 95 printable ASCII characters
- 3Calculate log₂(95) = 6.57 bits per character
- 4Entropy = 16 × 6.57 = 105.12 bits
- 5Compare to table: 100+ bits is 'Excellent' strength
Result:
The 16-character password has 105.12 bits of entropy, rated 'Excellent'. At 10 billion guesses per second, brute force would take longer than the age of the universe.
Comparing Password Options
Problem:
Compare these passwords: (A) 'Summer2024!' (11 chars, predictable), (B) 'xK9m$P2q' (8 chars, random), (C) 'piano river clock sunset' (passphrase)
Solution Steps:
- 1Password A: Uses pattern (word+year+symbol), effective entropy ~20 bits (pattern-based attacks)
- 2Password B: 8 chars × 6.57 bits = 52.6 bits theoretical entropy
- 3Password C: 4 Diceware words × 12.9 bits = 51.6 bits entropy
- 4Password B and C have similar entropy, but C is more memorable
- 5Password A is weakest despite being longest (predictable pattern)
Result:
Password C (passphrase) offers the best balance: 51.6 bits entropy with excellent memorability. Password A should never be used despite its length.
Time to Crack Estimation
Problem:
Estimate crack time for a 14-character alphanumeric password (62 character set) against a high-end GPU cluster doing 100 billion guesses/second.
Solution Steps:
- 1Calculate entropy: 14 × log₂(62) = 14 × 5.95 = 83.3 bits
- 2Total combinations: 2^83.3 = 1.28 × 10²⁵
- 3Time at 100B guesses/sec: (1.28 × 10²⁵) / (10¹¹) seconds
- 4= 1.28 × 10¹⁴ seconds = 4.06 million years (average)
- 550% chance of cracking = 2.03 million years
Result:
Even with 100 billion guesses per second, the 14-character alphanumeric password would take over 2 million years on average to crack through brute force.
Tips & Best Practices
- ✓Use a password manager to generate and store unique passwords for every account—this eliminates password reuse, the biggest real-world vulnerability
- ✓Enable two-factor authentication (2FA) wherever available—even a compromised password won't give attackers access with 2FA enabled
- ✓For master passwords you must memorize, use a 5-6 word Diceware passphrase—it provides high entropy while remaining memorable
- ✓Never use personal information (birthdays, names, addresses) in passwords—this data is often publicly available or easily discovered
- ✓Check if your passwords have been exposed in data breaches at haveibeenpwned.com and change any compromised passwords immediately
- ✓When generating random passwords, use cryptographically secure random number generators—browser Math.random() is not cryptographically secure
- ✓Store recovery codes and backup keys securely offline (printed or encrypted USB)—losing access to 2FA can permanently lock you out of accounts
Frequently Asked Questions
Sources & References
Last updated: 2026-01-22