
πŸ” Password Generator

Create strong, secure passwords & passphrases. Customizable, private, and instant. Nothing leaves your browser.

Keyboard Shortcuts
Alt+G Generate new password
Alt+C Copy password
Alt+H Toggle show/hide
Alt+1 Password mode
Alt+2 Passphrase mode
Alt+3 PIN mode
Alt+4 Bulk mode
Password Tips
✅ Use 16+ Characters
Longer passwords are exponentially harder to crack.
🔀 Mix Character Types
Use uppercase, lowercase, digits & symbols together.
πŸ“ Try Passphrases
Random word combos are long, strong & easy to remember.
🚫 Never Reuse
Use a unique password for every account. Use a password manager.
Security
🎲 Crypto-Secure RNG
crypto.getRandomValues()
Uses the Web Crypto API for truly random generation. No data is sent to any server; everything runs 100% locally in your browser.

About Password Security

Entropy & Strength

Password entropy measures randomness in bits. A 20-character password with mixed characters has ~130 bits, which is practically uncrackable. Each bit doubles the number of guesses needed.

Passphrases

Passphrases use random dictionary words (e.g., "correct-horse-battery-staple"). They're longer, easier to remember, and very secure. A 5-word passphrase has ~65 bits of entropy.

Brute Force

Modern GPUs can test billions of password hashes per second. A short, simple password can be cracked in minutes. Length and complexity make brute force attacks infeasible.

Best Practices

Use a unique password for every account. Enable two-factor authentication. Use a password manager. Never share passwords. Change them if a breach occurs.

Password Entropy: The Only Number That Actually Matters

Rules like "must contain an uppercase, a number, and a symbol" are theatre. Entropy, measured in bits, is what determines how long a brute-force attack takes.

| Character set | Characters available | Bits per character | 20-char password entropy | Crack time (1 trillion guesses/sec) |
|---|---|---|---|---|
| Lowercase only (a–z) | 26 | 4.7 bits | 94 bits | Millions of years |
| Mixed case (a–z, A–Z) | 52 | 5.7 bits | 114 bits | Beyond practical limits |
| Alphanumeric (a–z, A–Z, 0–9) | 62 | 5.95 bits | 119 bits | Beyond practical limits |
| Full printable ASCII | 95 | 6.57 bits | 131 bits | Beyond practical limits |
| 4-word passphrase (from 7776-word list) | 7776 words | 12.9 bits/word | 51.6 bits (4 words) | ~36 years at this rate |
| 6-word passphrase | 7776 words | 12.9 bits/word | 77.4 bits | Beyond practical limits |

A "trillion guesses/second" benchmark reflects dedicated offline cracking hardware (multiple GPUs). Online attacks against rate-limited login forms are vastly slower. The numbers above assume the attacker knows your exact password character set and length.
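The bit counts in the table follow from one formula: a uniformly random string of `length` symbols drawn from an alphabet of `n` symbols has `length * log2(n)` bits of entropy, and an attacker guessing at `r` guesses per second needs at most `2^bits / r` seconds to exhaust the keyspace (half that on average). The following is an added example, not code from the IndexCraft tool, that computes the table's rows from those formulas and also answers the related question from the NIST section below: how many lowercase characters match the entropy of an 8-character full-ASCII password. The row labels and the 1 trillion guesses/second rate are taken from the table; everything else is the arithmetic.

```javascript
// Added example (not IndexCraft's code): entropy and brute-force time estimates
// for uniformly random passwords, computed from the table's parameters.

// Entropy in bits of a uniformly random string: each symbol drawn from an
// alphabet of `alphabetSize` contributes log2(alphabetSize) bits.
function entropyBits(alphabetSize, length) {
  if (!Number.isInteger(alphabetSize) || alphabetSize < 2) throw new RangeError("alphabet needs >= 2 symbols");
  if (!Number.isInteger(length) || length < 1) throw new RangeError("length must be >= 1");
  return length * Math.log2(alphabetSize);
}

// Smallest number of symbols from an alphabet of `alphabetSize` that reaches `targetBits`.
function lengthForBits(targetBits, alphabetSize) {
  return Math.ceil(targetBits / Math.log2(alphabetSize));
}

// Seconds to exhaust the whole keyspace at `guessesPerSecond` (worst case for the
// attacker). The expected time to hit a uniformly random password is half of this.
function crackSeconds(bits, guessesPerSecond = 1e12) {
  return Math.pow(2, bits) / guessesPerSecond;
}

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Human-readable duration; large values are given in years with a short exponent.
function describeDuration(seconds) {
  if (seconds < 60) return `${seconds.toFixed(0)} seconds`;
  if (seconds < 3600) return `${(seconds / 60).toFixed(0)} minutes`;
  if (seconds < 86400) return `${(seconds / 3600).toFixed(1)} hours`;
  const years = seconds / SECONDS_PER_YEAR;
  if (years < 1) return `${(seconds / 86400).toFixed(0)} days`;
  if (years < 1e6) return `${years.toFixed(0)} years`;
  return `${years.toExponential(1)} years`;
}

// The rows of the table above as (label, alphabet size, number of symbols).
// A passphrase is the same calculation with words as the symbols.
const TABLE_ROWS = [
  ["Lowercase only (a-z)", 26, 20],
  ["Mixed case (a-z, A-Z)", 52, 20],
  ["Alphanumeric (a-z, A-Z, 0-9)", 62, 20],
  ["Full printable ASCII", 95, 20],
  ["4-word passphrase (7776-word list)", 7776, 4],
  ["6-word passphrase (7776-word list)", 7776, 6],
];

// Recompute the table at a given guess rate (default: 1 trillion guesses/second).
function tableReport(guessesPerSecond = 1e12) {
  return TABLE_ROWS.map(([label, alphabetSize, length]) => {
    const bits = entropyBits(alphabetSize, length);
    return {
      label,
      bitsPerSymbol: Math.log2(alphabetSize),
      bits,
      worstCase: describeDuration(crackSeconds(bits, guessesPerSecond)),
    };
  });
}

// Stand-alone run: print the recomputed table.
for (const row of tableReport()) {
  console.log(`${row.label}: ${row.bits.toFixed(1)} bits, full search ${row.worstCase}`);
}
```

Run it with a different rate (for example `tableReport(1e9)` for a single mid-range GPU against a slow hash, or `tableReport(10)` for a rate-limited login form) to see how much the "crack time" column depends on the threat model, which is exactly the caveat the paragraph above makes.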

What Password Advice Was Wrong, and What Replaced It
NIST revised its password guidance in SP 800-63B (2017) and again in 2024. Most "best practices" from corporate IT training are now officially outdated.
Mandatory complexity rules don't help much

Requiring uppercase + number + symbol produces passwords like P@ssw0rd1!, which cracks instantly because attackers know the pattern. NIST 800-63B (2017) explicitly recommends against mandatory complexity rules. Length matters more. A 16-character lowercase random string has more entropy than an 8-character "complex" one.

Mandatory rotation creates weaker passwords

Forced 90-day rotation leads to predictable patterns: Summer2024! becomes Fall2024!. Users who have to change passwords frequently choose passwords that are easy to increment. NIST now recommends against periodic rotation unless there's evidence of compromise.

Length is the strongest single factor

Going from 12 to 20 characters adds more security than adding symbols to a short password. A 20-character random lowercase string has ~94 bits of entropy. An 8-character password with every character class has about 52 bits. Use a password manager; let it generate 20+ character passwords for everything.

Passphrases are genuinely strong and memorable

Four random words from the EFF word list give you 51 bits of entropy and a string you can actually type. Six words give 77 bits, stronger than most corporate password policies require, and writable on a sticky note if needed (which NIST no longer prohibits either).

Check passwords against breach databases

The HaveIBeenPwned API (and the k-anonymity model it uses) lets you check whether a password has appeared in known data breaches without sending the full password to a third party. NIST explicitly recommends checking new passwords against breach corpora. Don't accept a known-breached password even if it meets complexity rules.
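The k-anonymity model is simple enough to show end to end. The client hashes the password with SHA-1, sends only the first five hex digits of the hash to the range endpoint, receives every suffix in that range with its breach count, and does the final comparison locally. The following is an added example, not the IndexCraft tool's code; the Pwned Passwords range URL and the `Add-Padding` request header are the service's documented interface, the SHA-1 of the string "password" is the well-known value, and the response body and the breach counts in it are constructed for the example so that it runs offline.

```javascript
// Added example (not IndexCraft's code): breach check with the Pwned Passwords
// k-anonymity range API. Only the 5-character hash prefix ever leaves the client.

// SHA-1 of the password as upper-case hex (the form the API uses). Web Crypto
// digests are async; this works in browsers and in Node.js 19+.
async function sha1Hex(password) {
  const data = new TextEncoder().encode(password);
  const digest = await globalThis.crypto.subtle.digest("SHA-1", data);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("")
    .toUpperCase();
}

// Split the 40-char hash into the 5-char prefix that is sent and the 35-char
// suffix that stays local.
function splitHash(hashHex) {
  if (!/^[0-9A-F]{40}$/.test(hashHex)) throw new Error("expected a 40-char upper-case hex SHA-1");
  return { prefix: hashHex.slice(0, 5), suffix: hashHex.slice(5) };
}

// Range endpoint for a prefix (documented HIBP interface).
function rangeUrl(prefix) {
  return `https://api.pwnedpasswords.com/range/${prefix}`;
}

// Parse a range response ("SUFFIX:COUNT" per line) and return the breach count
// for our suffix, or 0 if it is absent. With Add-Padding the service mixes in
// fake suffixes with count 0, so a count of 0 means "not breached" either way.
function breachCount(suffix, rangeBody) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [s, count] = line.trim().split(":");
    if (s === suffix) return Number.parseInt(count, 10) || 0;
  }
  return 0;
}

// Live fetcher for the real service (not used by the offline demo below).
async function fetchRangeLive(prefix) {
  const res = await fetch(rangeUrl(prefix), { headers: { "Add-Padding": "true" } });
  if (!res.ok) throw new Error(`range lookup failed: HTTP ${res.status}`);
  return res.text();
}

// Full check. `fetchRange` is injected so the logic can be exercised offline.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  const body = await fetchRange(prefix); // only `prefix` goes over the wire
  const count = breachCount(suffix, body);
  return { prefix, count, breached: count > 0 };
}

// Constructed sample response for prefix 5BAA6. The first suffix is the real
// remainder of SHA-1("password"); the counts and the other suffixes are made up
// for this example, and the last line imitates a zero-count padding entry.
const SAMPLE_RANGE_5BAA6 = [
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
  "003D68EB55068C33ACE09247EE4C639306B:3",
  "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
  "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
].join("\r\n");

// Offline fetcher: returns the constructed body for the one prefix it knows.
async function fetchRangeOffline(prefix) {
  return prefix === "5BAA6" ? SAMPLE_RANGE_5BAA6 : "";
}

// Stand-alone run (skipped where Web Crypto is unavailable).
if (globalThis.crypto && globalThis.crypto.subtle) {
  checkPassword("password", fetchRangeOffline).then((r) =>
    console.log(`prefix sent: ${r.prefix}, breached: ${r.breached}, count: ${r.count}`)
  );
}
```

Two points worth noting in the design: the suffix comparison is done on the client against the whole returned range, so the service never learns which of the hundreds of suffixes you were interested in; and requesting padded responses stops a network observer from inferring the prefix from the response size.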

Different sites need different passwords

Password reuse is the leading cause of account takeovers. Credential stuffing attacks automate trying breached username/password pairs across hundreds of sites. A password manager generating unique passwords per site eliminates this attack entirely. Even a weak unique password is better than a strong reused one.

Common Questions
For machine-stored passwords (in a password manager), random character strings are marginally stronger per character. For passwords you need to actually type or remember, passphrases win because their greater memorability means you don't write them on a sticky note or reuse them. A 6-word passphrase from the EFF list (77 bits) is more secure than most people's manually-chosen "complex" passwords, and practical for master password use. For everything else, use a password manager and generate random 20+ character strings.
This tool uses window.crypto.getRandomValues(), the browser's cryptographically secure pseudorandom number generator (CSPRNG). It draws from the operating system's entropy pool (hardware noise, interrupt timing, etc.) rather than a deterministic algorithm seeded from the clock. This makes the output unpredictable even if an attacker knows the exact time you generated the password. Do not use Math.random() for security-sensitive generation; it is a plain PRNG, not a CSPRNG.
If your password manager is generating the password and you never type it manually, yes: more character classes mean more bits per character. However, some sites have infuriating restrictions on which symbols are allowed, and typing symbols on a phone keyboard is miserable. The practical compromise: add symbols when the generator lets you define the set, and omit ambiguous characters (O/0, l/1/I) if you'll ever need to read it aloud or type it manually. For master passwords or anything you type regularly, a long passphrase beats a short symbol-heavy string every time.
Yes, provided the tool uses crypto.getRandomValues() (which this one does) and you're visiting over HTTPS. The generation happens locally; no passwords are sent to any server. The risks are the same as with any local tool: make sure you're on the correct site (not a phishing clone), and don't generate passwords on shared or compromised computers. Browser extensions or a local password manager application are marginally more secure for high-value credentials.