How Long Should a Password Be?
The research-backed answer, and why password length matters more than complexity.
Read article →Password Generator
Create strong, random passwords in seconds. Fully client-side.
Strong
16
664
Character types
What is a secure password generator?
A secure password generator creates random, unpredictable passwords by combining characters from a pool you define. Unlike passwords you invent yourself — which tend to follow recognisable patterns — a randomly generated password has no structure for an attacker to exploit.
This generator uses the browser's built-in crypto.getRandomValues() API, which is
cryptographically secure. That means the output is truly random, not pseudorandom. It never sends
data to a server.
How to use this tool
Choose your desired password length using the slider — 16 characters is a good default for most accounts, and 20+ is better for high-value accounts like email or banking. Then toggle the character types you want to include. Hit Generate new to get a fresh password at any time.
The strength indicator uses a combination of length and character variety to give you a quick signal. A "Very strong" rating means the password would take an attacker an astronomically long time to crack by brute force.
What to do with your password
A strong password only protects you if it is stored safely. The best practice is to copy it directly into a password manager — tools like 1Password, Bitwarden, or Dashlane will store it securely and autofill it for you. Never store passwords in plain text files, emails, or notes apps.
For extra security on important accounts, pair a strong password with two-factor authentication (2FA). Even if your password were compromised, 2FA prevents an attacker from logging in without your second factor.
Frequently asked questions
- How long should a secure password be?
- Most security experts recommend a minimum of 12–16 characters. Longer is better — a 20-character password is exponentially harder to crack than a 12-character one. If remembering it matters, consider a passphrase (4–5 random words) instead.
- Is my password sent to your server?
- No. The password generator runs entirely in your browser using the Web Crypto API. Nothing you generate here is ever transmitted or stored anywhere.
- Should I use symbols in my password?
- Symbols increase entropy significantly, which makes brute-force attacks harder. However, some services restrict certain symbols. If a site rejects your password, try regenerating without symbols.
- What makes a password "strong"?
- Strength depends on length and character variety. A password is considered strong when it is at least 16 characters and uses a mix of uppercase, lowercase, numbers, and symbols — making it statistically infeasible to crack by guessing.
- Why use a password manager?
- Password managers let you use a unique, complex password for every account without memorising any of them. They also alert you to reused or breached passwords. If you generate a strong password here, a password manager is the safest place to store it.