ByteCompress

Password Generator

Create cryptographically random, strong passwords of any length using the Web Crypto API. Customize character sets and length, view entropy score, and copy with one click.

66
FreeClient-sideNo signup

Weak or reused passwords are responsible for 80% of data breaches involving hacking, according to the Verizon 2023 Data Breach Investigations Report. A 16-character password combining uppercase, lowercase, numbers, and symbols has over 1028 possible combinations β€” requiring billions of years to brute-force with current hardware. This generator uses the browser's crypto.getRandomValues() API, the same CSPRNG used by operating systems and security libraries. NIST Special Publication 800-63B recommends a minimum of 8 characters; security professionals widely recommend 16 or more. Generated passwords are never transmitted to any server.

How to Generate Passwords

  1. Set the desired password length using the slider or input field (8-128 characters).
  2. Select character types to include: uppercase, lowercase, digits, and/or symbols.
  3. Click Generate to create a new password.
  4. Review the entropy score and strength indicator.
  5. Click Copy to copy the password to your clipboard.
  6. Store the generated password in a password manager immediately.

Password Strength Explained

Entropy and Character Set Size

Password strength is measured in bits of entropy β€” the logarithm (base 2) of total possible combinations. A password of length L using a character set of size N has entropy of L Γ— logβ‚‚(N) bits. Character set sizes: lowercase only = 26; + uppercase = 52; + digits = 62; + 32 common symbols = 94. A 16-character password from the full 94-character set has ~104.7 bits of entropy. NIST considers 112-bit entropy sufficient for most security applications through 2030.

Why Length Matters More Than Complexity

Adding one character multiplies the search space by the character set size. A 20-character lowercase-only password (~94 bits entropy) is stronger against brute-force than a 10-character password with all character types (~65 bits). Both NIST SP 800-63B and security researchers recommend prioritizing length over mandatory complexity rules, which often produce predictable patterns β€” capital first, number last, ! at the end.

Example

Generated Password (16 chars, all character types)

kR9#mXv2@TqL5!nW
Length:      16 characters
Entropy:     ~104.7 bits
Charset:     94 (a-z, A-Z, 0-9, symbols)
Crack time:  billions of years on current hardware

NIST SP 800-63B Guidelines

  • Minimum length: 8 characters for user-chosen passwords; allow up to 64 characters
  • No mandatory complexity rules: NIST's 2017 revision removed requirements for uppercase, numbers, and symbols β€” these rules produce weak, predictable patterns
  • No periodic forced changes: Forced rotation is no longer recommended unless there is evidence of compromise
  • Check against breached passwords: Passwords should be verified against databases like HaveIBeenPwned's Pwned Passwords list
  • Passphrases are valid: Long passphrases of random words are explicitly encouraged as an alternative

Best Practices

  • Use a password manager (1Password, Bitwarden, KeePass) β€” do not memorize random passwords
  • Generate a unique password for every account β€” reuse means one breach exposes all accounts
  • For a password manager's master password, use a 5+ word passphrase instead of a random character string
  • Enable two-factor authentication on all critical accounts alongside a strong password

For generating cryptographically random identifiers (not passwords), use the UUID Generator. For encoding passwords in configuration files or HTTP headers, the Base64 Encoder handles binary-safe transport.

Frequently Asked Questions

Are generated passwords stored or logged anywhere?

No. Passwords are generated using crypto.getRandomValues() entirely in your browser. They are never sent to any server, never logged, and disappear when you close or refresh the page. Open the browser's Network tab while generating and you will see zero outbound requests.

How long should my password be?

NIST SP 800-63B sets a minimum of 8 characters. Security professionals recommend at least 16 characters for most accounts, and 20 or more for high-value accounts (email, banking, password manager master). With a 94-character set, a 16-character password has ~105 bits of entropy β€” infeasible to brute-force with current or near-future hardware.

Should I include symbols in my password?

Yes, when the service allows it. Including symbols increases the character set from 62 to 94 characters, adding approximately 0.66 bits of entropy per character. Over 16 characters, that is about 10.5 extra bits. The bigger benefit still comes from length: a 20-character letters-and-digits password is stronger than a 12-character password with all symbols.

What is the difference between a random password and a passphrase?

A random password is a string of random characters optimized for maximum entropy in minimum length. A passphrase is a sequence of random words (e.g., correct-horse-battery-staple) that trades length for memorability. A 5-word diceware passphrase (7,776-word wordlist) has ~65 bits of entropy. For password manager entries, use random character passwords. For the master password, use a passphrase you can memorize.

Can I use this generator for Wi-Fi passwords or API tokens?

For Wi-Fi (WPA2/WPA3), a random 20-character password with all character types is excellent β€” just save it before you need to enter it on devices. For SSH keys and API tokens, use dedicated generation commands (ssh-keygen, your API provider's token creation flow) rather than manual password generation.