What is a passphrase and is it more secure than a password?

A passphrase is a sequence of random words (e.g. correct-horse-battery-staple). Despite being more memorable, a 4-word passphrase from a 7,776-word wordlist has about 51 bits of entropy - comparable to a fully random 10-character password. With 5-6 words it becomes stronger than most passwords while remaining easy to remember.

What does entropy mean for passwords?

Entropy measures how unpredictable a password is, in bits. Each bit doubles the number of possible combinations an attacker must try. A password with 60 bits of entropy has 2^60 possible combinations. Above 80 bits is considered very strong; 128 bits is effectively unbreakable with current technology.

What is the difference between a random password and a pronounceable password?

A random password (e.g. xK9#mQp2) is maximally unpredictable but hard to remember. A pronounceable password (e.g. Baletimof42!) is built from consonant-vowel syllable patterns, making it sayable and more memorable while still being random and strong. Use random passwords when stored in a manager, pronounceable when you must memorise the password.

Password Generator - 6 Modes, Strength Meter & Crack Time Estimate

Q: How long should a password be?

Security experts recommend a minimum of 14-16 characters for important accounts. Length is the single most powerful factor - each additional character multiplies the possible combinations exponentially. A 20-character password is vastly more secure than a 12-character one, even without special characters.

Q: Is this password generator safe to use?

Yes. All password generation happens entirely in your browser using the cryptographically secure crypto.getRandomValues() API. No passwords are sent to our servers, logged, or stored anywhere. You can disconnect from the internet and the tool still works.

Q: Should I use a password manager?

Yes. A password manager is the only practical way to use a unique, strong password for every account. Without one, people inevitably reuse passwords - which is the number one cause of account takeovers. Use this generator to create strong passwords and store them in a manager like Bitwarden (free), 1Password, or NordPass.

Generate cryptographically strong passwords in 6 modes - random, passphrase, pronounceable, PIN, pattern, and API secret keys. Instant strength score with real entropy bits, crack-time against brute-force and GPU attacks, bulk export, site-specific presets. Everything runs in your browser. Nothing is ever sent to our servers.

Always Free crypto.getRandomValues() 6 generation modes Works offline

Random · Passphrase · Pronounceable · PIN · Pattern · API Key

Cryptographically secure - uses browser's crypto.getRandomValues(), not Math.random()

Zero server contact - passwords are never transmitted, logged, or stored anywhere

Crack time estimate against offline brute-force, dictionary, and GPU attacks

Use a different password for every account. If one site is breached, attackers try the same password on banking, email, and social sites - this is called credential stuffing.

Generation mode

Site presets — auto-configures requirements

Press Space to regenerate

Click generate to create your password

— 0 bits

💻

Online attack

—

1K guesses/sec

🖥️

Offline brute-force

—

1B guesses/sec

⚡

GPU cluster

—

100B guesses/sec

Bulk generator — same settings, multiple passwords

Count:

Click "Generate all" to create multiple passwords at once

Session history — last 20 passwords generated

No passwords generated yet this session

History is stored only in this browser tab and is erased when you close it. Nothing is sent to our servers.

What's different

Most generators give you a random string.
This one explains why it's strong or weak.

Real entropy bits, crack-time against actual attack models, 6 generation modes, bulk export, site presets - not just a character checkbox and a copy button.

Real entropy calculation

See the actual information-theoretic entropy of your password in bits, not just a vague "weak/strong" label. Understand exactly what makes your password more or less guessable.

understand your security

3-scenario crack time

Crack time is shown against three real attack scenarios: online throttled attacks (1K/s), offline brute-force (1B/s), and GPU cluster attacks (100B/s). Actual numbers, not guesses.

three attack models

6 generation modes

Random for maximum entropy, Passphrase for memorability, Pronounceable for accounts without a manager, PIN for devices, Pattern for company format requirements, and API keys for developers.

right type for the use case

Site-specific presets

Banking, email, social, gaming, Wi-Fi, enterprise, master password, and crypto presets auto-configure the generator to meet the actual requirements and best practices for each context.

no manual settings needed

Bulk generator

Generate up to 50 passwords at once using your current settings. Copy all to clipboard or download as a .txt file. Perfect for seeding user accounts, testing, or handing out temporary credentials.

50 passwords in one click

crypto.getRandomValues()

We use the browser's cryptographic random number generator - the same one used by password managers and security software - never the predictable Math.random(). Nothing is sent to our servers.

actually cryptographically secure

Quick guide

Create a strong password in 3 steps

Choose a mode and preset

Select a generation mode (Random for stored passwords, Passphrase if you need to memorise it), then optionally click a site preset to auto-configure length and character requirements.

Check the strength score

Look at the entropy bits and crack-time cards. Aim for at least 60 bits of entropy. If the GPU crack time is under 1 million years, increase the length or add more character types.

Copy and save in a manager

Copy the password, then immediately save it in a password manager (Bitwarden is free). Never store passwords in notes, spreadsheets, or browser autofill on shared devices.

Why password length matters more than complexity

The conventional wisdom that special characters make passwords secure is partially true - but length is the dominant factor. A 20-character password using only lowercase letters has more possible combinations than a 12-character password using every character type. Each additional character multiplies the keyspace exponentially.

0-28 bits
Trivial

29-35
Weak

36-59
Moderate

60-79
Strong

80-99
Very strong

100+
Extreme

When to use each generation mode

Mode	Best for	Typical entropy	Memorable?
Random	Any stored password in a manager	80-130 bits	No - store it
Passphrase	Master passwords, accounts you must type	51-90 bits	Yes - 4+ words
Pronounceable	Accounts without a manager, shared verbally	40-70 bits	Yes - sayable
PIN	Device unlock codes, ATM PINs, numeric-only fields	13-20 bits	Yes - short
Pattern	Company IT policies with specific format rules	Varies	Depends
API / Secret	Developer tokens, webhook secrets, JWT signing keys	128-256 bits	No - paste it

The passphrase debate. NIST's 2024 password guidelines (SP 800-63B) no longer recommend mandatory special character requirements. Instead, they recommend length and checking against known-breached password lists. A 5-word diceware passphrase now meets NIST guidance for most high-assurance accounts - and is far easier to remember than P@ssw0rd123!.

What attackers actually do

Real password attacks don't try every combination starting with "aaaa". Attackers use credential stuffing (reusing leaked passwords), dictionary attacks (known words and common substitutions), and rule-based attacks (systematic mutations like adding numbers at the end). The patterns people think make passwords clever - like replacing E with 3, or adding 123 - are the first things attackers try.

The three crack-time estimates in this tool model three different attack scenarios: throttled online attacks (where a login form blocks after 10 tries), offline attacks where the hash has been leaked and an attacker can try billions per second on a single machine, and GPU cluster attacks representing nation-state or well-resourced criminal capabilities at 100 billion guesses per second.

Should I use a password manager?

Yes, without qualification. Bitwarden is free and open-source. 1Password and NordPass are premium options. The practical security benefit of using unique passwords everywhere, enabled only by a manager, far outweighs any theoretical risk of keeping passwords in a vault. 81% of data breaches involve reused or weak passwords - using a manager addresses that directly.

FAQ

Password questions,
answered honestly.

Ask a question

How long should a password be?

Security experts recommend at least 14-16 characters for important accounts. Length is the single most powerful factor - each extra character multiplies the possible combinations exponentially. A 20-character password is vastly harder to crack than a 12-character one, even without special characters.

Is this password generator safe to use?

Yes. All generation happens in your browser using crypto.getRandomValues() - the same cryptographic API used by password managers and security software. No passwords are sent to our servers, logged, or stored. You can disconnect from the internet and the tool still works.

What is a passphrase and is it as secure as a random password?

A passphrase is a sequence of random words (e.g. correct-horse-battery-staple). A 4-word passphrase from a large wordlist gives about 51 bits of entropy - roughly equivalent to a 10-character random password. With 5-6 words it becomes very strong while remaining memorable. NIST recommends passphrases for accounts you must memorise.

What does entropy mean in the strength meter?

Entropy measures unpredictability in bits. Each bit doubles the possible combinations. 60 bits = 2^60 combinations. Above 80 bits is considered very strong; 128+ bits is effectively unbreakable with any realistic technology today. The meter shows raw entropy based on character set size and length.

Should I use a password manager?

Absolutely yes. A password manager is the only practical way to use a unique, strong password for every account. Without one, people inevitably reuse passwords. Reuse is the single biggest cause of account takeovers. Bitwarden is free and open-source. 1Password and NordPass are excellent paid options.

What is the pronounceable mode and when should I use it?

Pronounceable mode builds passwords from consonant-vowel syllable patterns, making them sayable aloud (e.g. Baletimof42!). Use it when you need to memorise a password without a manager, or when you need to share a password verbally with someone. It is less secure than a fully random password of the same length, so compensate with extra length.

Password Generator - 6 Modes, Strength Meter & Crack Time Estimate

Most generators give you a random string.This one explains why it's strong or weak.

Real entropy calculation

3-scenario crack time

6 generation modes

Site-specific presets

Bulk generator

crypto.getRandomValues()

Create a strong password in 3 steps

Choose a mode and preset

Check the strength score

Copy and save in a manager

Why password length matters more than complexity

When to use each generation mode

What attackers actually do

Should I use a password manager?

Related free tools

Password Strength Checker

Hash Generator

UUID Generator

Base64 Encoder

Password questions,answered honestly.

Most generators give you a random string.
This one explains why it's strong or weak.

Password questions,
answered honestly.