Password Generator
Create strong, random passwords in one click — customize length, symbols, and character types. No sign-up, no data sent to servers. 100% browser-based.
Reference
What makes a strong password?
A strong password combines length, character variety, and randomness. Length is the single most important factor — NIST SP 800-63B recommends at least 16 characters for sensitive accounts. Mixing character types (uppercase, lowercase, numbers, symbols) multiplies the number of possible combinations exponentially.
Password entropy
Entropy E = log₂(R^L) = L × log₂(R), where R is the character set size and L is the length. A 20-character password using all character types (~94 chars) gives roughly 131 bits of entropy — considered unbreakable with current and near-future technology. The OWASP Authentication Cheat Sheet recommends entropy proportional to your threat model; 128+ bits is the practical gold standard.
Best practices
- Use at least 16 characters for sensitive accounts (email, banking, work). Longer passwords exponentially raise the cost of cracking.
- Never reuse passwords across sites. If one service is breached, attackers will test your credentials everywhere else.
- Store passwords in a password manager (Bitwarden, 1Password, KeePass). You only need to remember one master password.
- Enable two-factor authentication (2FA) wherever possible — even a leaked password cannot unlock an account protected by a second factor.
NIST password guidelines
NIST SP 800-63B (2017, updated 2024) recommends a minimum of 8 characters for user-chosen passwords and no arbitrary complexity rules (e.g., requiring a symbol and a number). Instead, NIST advises checking passwords against breached password lists (like Have I Been Pwned) and encouraging longer passphrases. The single most effective defense is length — a 20+ character random password generated by this tool far exceeds any compliance requirement.
Privacy
Passwords are generated 100% in your browser using crypto.getRandomValues() from the Web Crypto API. Nothing is ever sent to a server.
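As an added example (not this tool's own source code), here is one way to draw characters from crypto.getRandomValues() without modulo bias, together with the entropy formula from the section above. The names SETS, naiveCounts, randomIndex, generatePassword and entropyBits, and the exact 94-character alphabet, are assumptions made for the illustration.

```javascript
// Added example (not this tool's source). Runs in browsers and Node.js.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Assumed character sets: 26 + 26 + 10 + 32 = 94 printable ASCII characters.
const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};

// How often each index appears if one random byte is reduced with `% n`.
// For n = 94, indices 0..67 appear 3 times and 68..93 only twice: modulo bias.
function naiveCounts(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}

// Uniform index in [0, n): discard bytes at or above the largest multiple of n
// that fits in a byte, so every index is equally likely.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('n must be 1..256');
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, kinds = Object.keys(SETS)) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError('bad length');
  if (kinds.length === 0 || kinds.some((k) => !Object.hasOwn(SETS, k))) {
    throw new RangeError('unknown character set');
  }
  const alphabet = kinds.map((k) => SETS[k]).join('');
  let out = '';
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// E = log2(R^L) = L * log2(R), in bits, for a uniformly random password.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

The entropy figure only holds when every character is chosen uniformly, which is why randomIndex rejects the 68 byte values (188 to 255) that would otherwise favour the first 68 characters of a 94-character alphabet.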