What makes a password strong?

A strong password is long (12+ characters), random (not based on personal info), and unique (never reused). It should combine uppercase, lowercase, digits, and symbols. According to NIST SP 800-63B, length is the most important security factor.

What password length is recommended?

At least 12 characters for online accounts, 16+ for sensitive accounts (email, banking). For passphrases, 4+ words provide excellent security. NIST recommends a minimum of 8 characters, but 12+ is the practical standard in 2025.

What is the difference between a random password and a passphrase?

A random password uses individual characters (e.g., k7#Qm9!xR2pL). A passphrase combines random words (e.g., Correct-Horse-Battery). Passphrases are easier to remember while maintaining high entropy.

Is my password stored on your servers?

No. The password is generated server-side using a CSPRNG (Go's crypto/rand) and returned over HTTPS. It is never stored, logged, or kept in memory after the response is sent.

What is password entropy?

Entropy measures the unpredictability of a password in bits. Each bit doubles the number of possible combinations. A 60-bit password has over one quintillion combinations. The higher the entropy, the more resistant the password is to brute-force attacks.

How often should I change my passwords?

NIST SP 800-63B (2024) recommendations advise against periodic changes. Only change a password if it has been compromised or the service reports a breach. Use unique passwords per service and enable 2FA.

Are the generated passwords truly random?

Yes. We use Go's crypto/rand package, a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) fed by operating system entropy sources (urandom on Linux, CryptGenRandom on Windows).

Are passphrases as secure as random passwords?

Yes, with enough words. A 4-word passphrase from a 7,776-word list (Diceware-type) has about 52 bits of entropy. With added digits, it rises to about 69 bits. Both approaches are robust for most use cases.

A CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) is a random number generator whose output is unpredictable, even for an attacker who knows the previous values. It is the standard for generating passwords, cryptographic keys, and session tokens.

How should I store my passwords securely?

Use a password manager (1Password, Bitwarden, KeePass). It encrypts your passwords with a master password that only you know. Never store your passwords in a text file, an email, or on a sticky note.

Password generator: strong random passwords free online

Why use a password generator?

Weak or reused passwords remain the leading cause of online account compromises. According to the 2024 Verizon DBIR report, 80% of breaches involve stolen or guessed credentials. A password generator eliminates human bias and creates truly random credentials.

The problem with manually created passwords:

Humans are bad at generating randomness. We reuse the same patterns: first name + birth year, pet's name + "123", a dictionary word with a "!" at the end. These passwords fall in seconds to a dictionary attack.

What a generator solves:

True randomness: no patterns, dictionary words, or personal information
Calibrated strength: adjust length, character types, and entropy to your needs
Instant generation: create a new password in milliseconds
Consistency: same level of security for every password generated

How to use the generator in 3 steps

Step 1: choose the generation mode

Two modes are available:

Random: mixed individual characters (e.g., k7#Qm9!xR2pL$wN4). Maximum entropy per character. Ideal when a password manager stores the password for you.
Memorable: passphrases made of random words (e.g., Sloppily8-Rosy3-Unlocking8-Angelic4). Easier to remember and type, with high entropy thanks to the number of words.

Step 2: adjust parameters

In Random mode:

Length: 4 to 128 characters (recommended: 16+ for sensitive accounts)
Character types: uppercase, lowercase, digits, symbols
Exclusions: similar characters (0/O, 1/l/I), custom characters

In Memorable mode:

Word count: 3 to 10 (recommended: 4+ words)
Separator: hyphen, space, period, custom
Options: capitalization, adding digits between words

Step 3: copy and use

Click the copy button. The password is copied to your clipboard. Use it immediately in your password manager or in the service's sign-up form.

The strength indicator displays the entropy (in bits), security score, and estimated brute-force crack time in real time.

Random vs. Memorable: when to use each mode

Criterion	Random mode	Memorable mode
Entropy per character	~6.5 bits (95 ASCII chars)	~12.9 bits per word (7,776 Diceware words)
Example	`k7#Qm9!xR2pL$wN4`	`Sloppily8-Rosy3-Unlocking8`
Ease of memorization	Impossible without a manager	Possible with effort
Ease of typing	Difficult (symbols, mixed case)	Easy (common words)
Ideal use case	Accounts stored in a manager	Master password, PIN, shared access

When to choose Random:

Web accounts stored in 1Password, Bitwarden, or KeePass
API keys and service credentials
Any password you will never need to type manually

When to choose Memorable:

Your password manager's master password (the only one you memorize)
Unlock codes you type frequently (lock screen)
Shared passwords you need to communicate verbally

Understanding password entropy

Entropy measures unpredictability in bits. Each bit doubles the number of possible combinations. The formula is: entropy = log2(number_of_combinations).

Practical example:

An 8-character password from 26 lowercase letters: log2(26^8) = 37.6 bits
The same with uppercase + lowercase + digits (62 chars): log2(62^8) = 47.6 bits
With symbols added (95 chars): log2(95^8) = 52.6 bits
16 characters from 95 chars: log2(95^16) = 105.2 bits

Entropy	Strength	Time to crack (10^12 guesses/sec)
<28 bits	Very weak	Seconds
28-35 bits	Weak	Minutes to hours
36-59 bits	Fair	Days to years
60-127 bits	Strong	Thousands to billions of years
≥ 128 bits	Very strong	Beyond any foreseeable technology

The 10^12 guesses/second threshold corresponds to a brute-force attack using modern GPU hardware (graphics card cluster). For an online service with rate limiting, actual time would be considerably longer.

Password security best practices

NIST SP 800-63B recommendations (2024)

The National Institute of Standards and Technology (NIST) has updated its password recommendations. Major changes from older practices:

Old practice	Current NIST recommendation
Change passwords every 90 days	Only change if compromised
Require special characters	Prioritize length over complexity
Minimum 8 characters	Minimum 8, recommended 15+
Security questions	Prohibited (too predictable)
Password hints	Prohibited

The 5 essential rules

One unique password per service: if one service is compromised, the others remain protected
Length > complexity: correcthorsebatterystaple (25 chars, ~58 bits) is more secure and more memorable than P@$$w0rd (8 chars, ~30 bits)
Use a password manager: 1Password, Bitwarden, or KeePass to store hundreds of unique passwords
Enable 2FA everywhere: TOTP (Google Authenticator, Authy) or FIDO2 security key on all critical accounts
Check for breaches: visit Have I Been Pwned to find out if your credentials have been exposed in a data breach

Password examples and their strength

Type	Example	Entropy	Time to crack	Verdict
Common word	`password`	~0 bits	Instant (dictionary)	Catastrophic
First name + year	`Marie1990`	~20 bits	Seconds	Very weak
Random 8 chars	`k7#Qm9!x`	~52 bits	Days	Fair
Random 12 chars	`k7#Qm9!xR2pL`	~79 bits	Thousands of years	Strong
Random 16 chars	`k7#Qm9!xR2pL$wN4`	~105 bits	Billions of years	Very strong
4-word passphrase	`Correct-Horse-Battery-Staple`	~52 bits	Days to months	Fair
5-word passphrase + digits	`Sloppily8-Rosy3-Unlocking8-Angelic4-Brisk7`	~85 bits	Millions of years	Strong

The ideal compromise for most users: a 16+ character random password stored in a manager, with a 5+ word passphrase as the master password.

How does the generation work?

Cryptographic generation (CSPRNG)

Our generator uses Go's crypto/rand, a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) that relies on operating system entropy sources:

/dev/urandom on Linux
CryptGenRandom on Windows
SecRandomCopyBytes on macOS

Unlike standard pseudo-random generators (Math.random() in JavaScript, random in Python), a CSPRNG produces unpredictable output even for an attacker who knows the previous values.

Generation process

Character pool calculation: depending on the enabled options (uppercase, lowercase, digits, symbols), the pool contains between 10 and 95 characters
Random draw: for each position in the password, a random byte is drawn via the CSPRNG and converted to an index in the pool
Entropy calculation: log2(pool_size^length) gives the entropy in bits
Crack time estimation: based on 10^12 guesses/second (offline GPU attack)
Secure transmission: the password is returned over HTTPS and is never stored, logged, or cached

Complementary tools

Tool	Purpose
Case converter	Transform text case (UPPER, lower, Title, camelCase)
Base64 encoder/decoder	Encode sensitive data for transport
Text statistics	Analyze the length and composition of a text
Slug generator	Transform text into a URL-safe identifier

Useful resources

NIST SP 800-63B: Digital Identity Guidelines: official password recommendations
OWASP Password Storage Cheat Sheet: server-side storage best practices
Have I Been Pwned: check if your credentials are in a data breach
Diceware Passphrase: original passphrase generation method
Passkeys vs passwords: passkeys vs traditional passwords comparison

Password generator

Random passwords and passphrases, free and unlimited

Random passwords

Memorable passphrases

Real-time strength indicator

Secure cryptographic generation

Advanced customization