Strong password generator
Pick a length, hit Generate. Strength score, crack-time and breach check, all in your browser.
Strength: —
Estimated crack time: —
Breach check: —
Recent passwords (last 5, this device only)
localStorage, never synced.What this password generator does
This tool builds passwords that are genuinely hard to guess — long, random, and free of the patterns people fall back on when they make passwords up by hand. It can produce three things: a fully random string (the strongest option, ideal for storing in a password manager), a memorable passphrase made of several random words (easier to read off a screen when you actually have to type it), or a numeric PIN. Every character comes from your browser's cryptographic random number generator (crypto.getRandomValues), not the predictable Math.random() that weaker generators still rely on.
How to use it
- Choose a mode — Random for maximum strength, Memorable for something you may need to type, or PIN for numeric codes.
- Set the length. For a random password, 16 characters is a sensible floor and 20+ is better; for a passphrase, four words or more.
- Press Generate, then Copy. The strength bar shows the estimated entropy in bits and a rough offline crack-time.
- Read the breach result. If a password has ever appeared in a known data breach, it will say so — generate another instead.
Why randomness matters more than complexity
The problem with human-chosen passwords isn't that they're short — it's that they're predictable. We put a capital letter at the front, a number and a symbol at the end, and a word that means something to us in the middle. Cracking tools try exactly those patterns first, so "complex-looking" passwords often fall fast. A truly random 16-character password has no pattern to exploit; the only way through is to try an impractical number of combinations. That's what the strength estimate on this page measures: how much guessing your password would actually force an attacker to do.
Use random passwords for anything that matters — email, banking, your password manager's master entry — and let the manager remember them for you. Save memorable passphrases for the few you have to type from memory or read aloud.
I've spent about 20 years in IT support, and at the busiest sites I was helping 400+ users a day from all over the world. If you want to know what weak passwords look like in real life: I've reset thousands of them, and they rhyme. It's the company name plus 123!, the season plus the year, a kid's name plus a birthday. The damage almost never comes from someone cracking one strong password — it comes from reuse. One website gets breached, the email-and-password pair leaks, and attackers quietly try that same pair on dozens of other services. That's why the breach check here matters more than people expect, and why "just make it longer" misses the point. The fix that actually held up across every team I supported was boring: a long random password, a different one everywhere, stored in a manager. This tool is the first half of that habit.
Is this private?
Yes. Passwords are generated entirely in your browser and are never sent anywhere. The only network request this page can make is the optional breach check, and it's built so your password never leaves your device: the password is hashed locally with SHA-1 and only the first five characters of that hash are sent to the Have I Been Pwned range API — a technique called k-anonymity. The service returns a list of matching hash suffixes and the final comparison happens here, in your tab. Your recent passwords, if you keep history on, stay in this browser's localStorage and are never synced.
Frequently asked questions
How long should my password be?
For a random password, aim for at least 16 characters; 20 or more for important accounts. Length adds far more real strength than swapping an "o" for a "0". For a word-based passphrase, use four words or more.
Are these passwords really random?
They're generated with the browser's cryptographic random source (crypto.getRandomValues), which is designed to be unpredictable. The tool also guarantees at least one character from each set you enable, so a generated password always matches the rules you picked.
Is it safe to check my password against a breach database?
Yes. Your password is hashed in your browser and only the first five characters of the hash are sent — never the password, and never the full hash. This k-anonymity model means the breach service can't reconstruct what you checked.
Should I use a random password or a passphrase?
Use a random password for anything stored in a password manager — it's the strongest and you don't have to type it. Use a memorable passphrase for the handful of passwords you must type by hand, like your device login or the manager's master password.