Strong Random Password Generator
The tool below creates a strong random password instantly, using your browser's cryptographic random number generator — the password is generated on your device and never sent to any server, including ours. Set the length, choose the character types, copy the result, and store it in a password manager.
~128 bits of entropy · offline crack time: over 10^18 years
Every password includes at least one character from each enabled type and is drawn from a pool of 85 characters using your browser's cryptographic random number generator.
What Makes a Password Strong: Entropy, Explained Simply
Password strength comes down to one number: how many guesses an attacker would need, on average, to stumble onto it. Security people measure that in bits of entropy, and the math behind it is friendlier than it sounds. If a password is built from a pool of possible characters, the number of possible passwords is pool size × pool size × pool size… — once per character. A 12-character password drawn from an 85-character pool has 8512 possibilities. Take the base-2 logarithm of that number and you get the entropy in bits; each extra bit doubles the number of guesses required.
That's the formula the strength meter above uses: entropy = length × log₂(pool size). It also explains the single most useful rule of password design: length beats complexity. Adding one character to your password multiplies the search space by the full pool size (85× with all character types enabled); swapping an "a" for an "@" in an existing password barely moves the needle, because cracking tools try those substitutions automatically.
Here is what those bits mean in practice, assuming a serious offline attacker guessing one trillion passwords per second against a stolen password database (the average crack time is half the total search space):
| Password recipe | Pool size | Entropy | Avg. time to crack |
|---|---|---|---|
| 8 chars, lowercase only | 26 | ~38 bits | Under a second |
| 10 chars, lowercase + digits | 36 | ~52 bits | About half an hour |
| 12 chars, all four types | 85 | ~77 bits | ~2,000 years |
| 16 chars, all four types | 85 | ~103 bits | ~100 billion years |
| 20 chars, all four types (default) | 85 | ~128 bits | Billions of times the age of the universe |
Two things jump out. First, the cliff between 8 and 12 characters is enormous — the difference between "cracked before you finish reading this sentence" and "outlives every civilization". Second, past roughly 100 bits the numbers stop mattering: nobody brute-forces a 20-character random password, ever. That's why this generator defaults to 20 — comfortably beyond the practical cracking horizon while still fitting almost every site's length limit.
One crucial caveat: this math only holds for random passwords. A 20-character password like MyDogRexLovesTennis1! has far less real entropy than its length suggests, because cracking tools work through dictionaries, names, dates, and common patterns before they ever try random combinations. Human brains are pattern machines; patterns are exactly what attackers enumerate first. To see how an existing password holds up, run it through our password strength checker.
Random Strings vs Passphrases: Which Should You Use?
Random character strings aren't the only way to get high entropy. A passphrase — several words picked at random from a large word list, like crater-velvet-mango-drizzle-plank — gets its strength from the same math. The classic Diceware method uses a 7,776-word list, so every word you add contributes about 12.9 bits:
| Passphrase length | Entropy | Roughly equivalent to |
|---|---|---|
| 4 random words | ~52 bits | 8 random mixed characters |
| 5 random words | ~65 bits | 10 random mixed characters |
| 6 random words | ~78 bits | 12 random mixed characters |
So which should you use? The honest answer: both, for different jobs. A random 20-character string is stronger per character and perfect for the hundreds of passwords you never type — the ones your password manager fills for you. A 5–6 word passphrase is far easier to memorize and type accurately, which makes it the right choice for the handful of secrets that must live in your head: your password manager's master password, your computer login, and your phone's backup passcode. The one rule both share: the words or characters must be chosen randomly. A lyric, a quote, or a sentence you thought up is a pattern, and patterns get cracked.
Why Password Reuse Is the Real Killer
Here is the uncomfortable truth the strength meter can't show: most accounts don't get broken into because the password was weak. They get broken into because the password was reused. When any site you've ever registered on gets breached — and thousands do every year — your email and password combination ends up in criminal databases. Attackers then run credential stuffing: automated tools that replay those leaked combinations against banks, email providers, streaming services, and shops, at millions of attempts per hour. If you reused the password, the strength of it is irrelevant — the attacker isn't guessing, they're logging in.
This is why "one strong password I use everywhere" is the single most dangerous password strategy. A 128-bit masterpiece reused on fifty sites is exactly as secure as the sloppiest of those fifty sites. The moment one of them leaks, all fifty fall together — and breach data circulates for years, so the account you created in 2019 and forgot about is still a live key to everything else.
The defense is mechanical, not clever: a unique random password for every account, so a breach at one site is contained to that site. That's the real purpose of this generator — not to create one heroic password, but to make it effortless to create a different one every single time. To find out whether a password you currently use has already appeared in a known breach, check it with our password leak checker — it uses k-anonymity, so the full password never leaves your browser there either. Some of the VPN suites in our best VPN rankings now bundle ongoing breach monitoring too — see our NordVPN review and Surfshark review for how their alert features work.
Use a Password Manager — Any Reputable One
Unique 20-character passwords for every account only work if you never have to remember them, and that's what a password manager is for. It stores every credential in an encrypted vault, fills logins automatically, and — critically — generates a fresh random password each time you sign up somewhere, so reuse never happens in the first place. We deliberately don't recommend a specific product here: the category is mature, and any established, audited manager will serve you far better than the alternative (your memory, a notes app, or a browser profile synced with a weak account password).
What actually matters when you pick one:
- Zero-knowledge encryption — the vault is encrypted on your device (typically with AES-256 or a comparable cipher) before it syncs anywhere, so even the vendor can't read your passwords.
- Independent security audits — published, recent, and by named firms, not just a "bank-grade security" badge.
- Cross-device autofill — if filling a login on your phone is annoying, you'll fall back to reused passwords within a week.
- Breach alerts — the manager warns you when a stored credential shows up in a known leak, turning a months-late discovery into a same-day password rotation.
- An export path — you should be able to leave with your data at any time.
Then protect the vault itself with a long random passphrase (see above) and two-factor authentication. That single memorized secret plus this generator covers every other password you'll ever need.
How This Generator Works — and Why Nothing Leaves Your Browser
A password generator is only trustworthy if you can reason about where the randomness comes from and where the password goes. Here is exactly what happens when you click Generate:
Cryptographic randomness. The characters are drawn using crypto.getRandomValues(), the browser's built-in cryptographically secure random number generator — the same source browsers use for TLS session keys. This matters because ordinary Math.random() is designed for animations and games, not secrets: its output is predictable enough that an attacker who sees part of a sequence can reconstruct the rest.
No modulo bias. A common flaw in homemade generators is mapping a random 32-bit number onto a character pool with the remainder operator (value % 85). Because 2³² isn't a multiple of 85, that shortcut makes some characters slightly more likely than others — a small, silent skew that reduces real entropy. This tool uses rejection sampling instead: random values that would fall into the biased remainder range are thrown away and redrawn, so every character in the pool is exactly equally likely.
Guaranteed coverage, then a shuffle. Many sites require at least one uppercase letter, digit, or symbol, so the generator first draws one character from each enabled type, fills the rest of the length from the combined pool, and then shuffles the whole password with a Fisher–Yates pass driven by the same CSPRNG — so the guaranteed characters don't sit in predictable positions.
Local-only, verifiably. All of this runs as JavaScript on your device. The password is never transmitted, logged, or stored — there is no server call to send it to. You don't have to take our word for it: open your browser's developer tools, watch the network tab, and click Generate as many times as you like. No request fires. (The same design philosophy is behind our privacy-first approach across the site — see our guide to VPNs and privacy for the bigger picture.)
How to Read the Strength Meter
The meter above rates the settings, not the specific password: entropy depends only on the length and the size of the character pool, so every password generated with the same options is equally strong. The tiers map to realistic attacker capabilities:
| Rating | Entropy | What it means |
|---|---|---|
| Weak | Under 45 bits | Crackable offline in hours or less — don't use it |
| Fair | 45–64 bits | Fine against online guessing; risky against offline attacks |
| Strong | 65–99 bits | Beyond realistic cracking for years, even offline |
| Excellent | 100+ bits | Effectively uncrackable by brute force |
The crack-time estimate assumes an offline attacker with stolen password hashes guessing a trillion times per second — a deliberately pessimistic scenario. Against a live login form, where sites throttle attempts and lock accounts, even a Fair password survives; we rate against the worst case because you never know how a site stores its passwords until it's breached.
Password Generator Questions, Answered
Is it safe to generate a password in a browser?
Yes, when the generator runs locally — as this one does. The password is created on your device with the browser's cryptographic random number generator and never transmitted anywhere. The thing to avoid is any generator that creates passwords on a server and sends them to you: you have no way to know whether they were logged in transit.
What length should I actually pick?
For anything stored in a password manager, 20 characters (the default) is a set-and-forget choice at well over 100 bits. If a site enforces a shorter maximum, go as long as it allows — even 16 random characters is far beyond practical cracking. Going past 20 adds mathematical margin you'll never need, but it costs nothing if the site accepts it.
Do I really need symbols?
Not if the password is long enough. Symbols grow the pool from 62 to 85 characters, which adds about half a bit per character — nice, but two extra characters of length add more. Symbols matter most when a site caps length at something short, or when its policy simply requires one. If a site rejects certain symbols, disable that type and add a couple of characters of length instead; you lose nothing.
When should I turn on "avoid ambiguous characters"?
Whenever a human — you or someone you're helping — will read the password off a screen or paper and retype it: Wi-Fi keys for guests, a streaming login typed with a TV remote, a password dictated over the phone. Dropping lookalikes such as I l 1 O 0 shrinks the pool slightly (the meter reflects this), so leave it off for passwords your manager autofills.
Doesn't guaranteeing one character of each type make passwords weaker?
Technically yes, by a sliver: ruling out the few passwords that happen to miss a whole character class removes a tiny fraction of the search space — well under one bit at typical lengths. In exchange, the password passes every site's "must contain a number and a symbol" rule on the first try. At 20 random characters the trade-off is invisible in practice.
How often should I change my passwords?
Modern guidance (including NIST's) says: don't rotate on a schedule — forced changes push people toward weak, incremented patterns. Change a password when there's a reason: the site was breached, the password appears in our leak checker, you shared it with someone, or it's old enough to predate your unique-password habit.
Does a VPN protect my passwords?
A VPN protects passwords in transit: it wraps your connection in an encrypted tunnel, so nobody on the same network — a hotel, café, or airport Wi-Fi operator — can snoop on your traffic or run a man-in-the-middle attack while you log in. It does nothing about weak or reused passwords themselves. The two solve different problems, which is why we treat unique passwords and a tested VPN from our best VPN rankings as the baseline pair for online privacy.
A Strong Password Is Only Half the Job
Unique passwords protect your accounts; a VPN protects the connection you type them over — on hotel Wi-Fi, airports, and every untrusted network. See the VPNs we actually tested and ranked.
See Our Top-Rated VPNs8 VPNs benchmarked on real hardware — see how we test.
More Free Tools
Every tool on vpnrank.io is free, runs instantly, and never requires an account.
What Is My IP
See the IP address websites see
WebRTC Leak Test
Check if your browser leaks your real IP
Is My VPN Working?
One-click check that your VPN actually protects you
VPN Kill Switch Test
Verify your kill switch blocks traffic on drop
IP Address Lookup
Look up any IP's location, ISP, and hostname
Password Strength Checker
Test how fast a password would crack
Password Leak Checker
Check if a password appears in known breaches