
Password Generator

Create strong passwords instantly — 100% client-side, never sent anywhere


Why Your Passwords Probably Are Not Strong Enough

Most people underestimate how fast modern computers can guess passwords. A GPU cluster can attempt 10 billion guesses per second against a plaintext or weakly-hashed password database. An 8-character password using only letters and numbers offers about 41 bits of entropy — crackable in under two hours. Adding symbols and increasing length to 12 characters jumps to 79 bits — hundreds of years of cracking time. The difference between weak and strong is just a few more characters.

This password generator uses the browser's built-in cryptographic random number generator (crypto.getRandomValues) to produce passwords with genuine randomness — not the weaker Math.random() function used by many sites. A rejection-sampling algorithm eliminates modulo bias, so every character in the pool is equally likely to appear.
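The rejection-sampling step described above, as an added example (not the site's own code; the function names and the injectable `fill` byte source are assumptions made here so the logic can be exercised deterministically):

```javascript
// Added example: unbiased character selection by rejection sampling.
// `fill` is an injectable byte source (an assumption made for testing);
// the default is the browser/Node Web Crypto CSPRNG.
const cryptoFill = (buf) => globalThis.crypto.getRandomValues(buf);

// Return an integer in [0, n), every value equally likely (1 <= n <= 256).
function unbiasedIndex(n, fill = cryptoFill) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("pool size must be an integer from 1 to 256");
  }
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  for (;;) {
    fill(buf);
    // Accept only bytes below the limit; the leftover tail [limit, 256)
    // would give the first (256 % n) indexes one extra chance each.
    if (buf[0] < limit) return buf[0] % n;
  }
}

function generatePassword(length, pool, fill = cryptoFill) {
  const chars = [...new Set(pool)]; // a repeated character would be favoured
  let out = "";
  for (let i = 0; i < length; i++) {
    out += chars[unbiasedIndex(chars.length, fill)];
  }
  return out;
}

// For comparison: how many of the 256 byte values land on each index
// when a generator takes `byte % n` without rejecting anything.
function naiveModuloCounts(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}
```

With a 94-character pool, `naiveModuloCounts(94)` shows indexes 0 to 67 reachable from three byte values and indexes 68 to 93 from only two, which is the skew the rejection step removes.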

Passphrases — Strong Passwords You Can Actually Remember

A passphrase is a sequence of random words: "Coral-Tribe-Wafer-Snack-Pilot." It is longer than a typical password, making it very hard to crack, yet memorable because words are meaningful to humans. The passphrase generator uses the EFF Short Wordlist, a curated set of 1,296 common English words chosen for memorability and clarity.

Five words from this list yield 51.7 bits of entropy. Six words reach 62 bits — stronger than most 10-character random passwords. Add a number suffix and you exceed 68 bits. Eight words give 82.7 bits, putting your passphrase in the Very Strong tier with billions of years of estimated crack time even for well-funded attackers.

Understanding the Strength Meter

The strength meter shows entropy in bits — a direct mathematical measure of randomness. More bits means exponentially more guesses required. The formula is simple: H = L × log₂(R), where L is the password length and R is the size of the character pool. A 16-character password using all four character classes has a pool of 94 characters: 16 × log₂(94) = 16 × 6.555 = 104.9 bits of entropy. That requires roughly 10²¹ guesses — billions of years at 10 billion guesses per second.

The meter assumes a brute-force attack. Real-world security also depends on your service's hashing algorithm: bcrypt and Argon2 slow attackers dramatically; MD5 does not. Always prefer services that store passwords with modern, slow hashing functions.

Character Classes and Pool Sizes Explained

Lowercase letters alone give a pool of 26. Add uppercase and you reach 52. Add digits for 62. Include symbols and the pool grows to 94 printable ASCII characters. Each additional character class significantly increases the entropy per character. The "exclude ambiguous" option removes O, 0, l, 1, and I — reducing the pool slightly but preventing transcription errors when you must type a password by hand.

The symbol set defaults to 22 common keyboard symbols safe for most password fields: ! @ # $ % ^ & * ( ) - _ = + [ ] { } ; : ? /. These are broadly accepted across websites and apps without causing parsing or escaping issues.
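The meter's arithmetic from the two sections above, as an added example (not the site's own code; all function and constant names are assumptions). It builds the pool from the 22 default symbols listed above, which gives 84 characters with all four classes enabled rather than the 94 of the full printable ASCII set.

```javascript
// Added example: H = L × log2(R) computed from the option set described above.
const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = LOWER.toUpperCase();
const DIGITS = "0123456789";
const SYMBOLS = "!@#$%^&*()-_=+[]{};:?/"; // the 22 default symbols
const AMBIGUOUS = "O0l1I";                // removed by "exclude ambiguous"
const GUESSES_PER_SECOND = 1e10;          // the page's assumed attacker speed

function buildPool({ lower = true, upper = true, digits = true,
                     symbols = true, excludeAmbiguous = false } = {}) {
  let pool = (lower ? LOWER : "") + (upper ? UPPER : "") +
             (digits ? DIGITS : "") + (symbols ? SYMBOLS : "");
  if (excludeAmbiguous) {
    pool = [...pool].filter((c) => !AMBIGUOUS.includes(c)).join("");
  }
  return pool;
}

// Works for passwords (pool of characters) and passphrases (pool of words).
function entropyBits(length, poolSize) {
  if (length < 1 || poolSize < 2) return 0;
  return length * Math.log2(poolSize);
}

// Brute force finds the secret after half the keyspace on average.
function averageCrackYears(bits, rate = GUESSES_PER_SECOND) {
  const seconds = 2 ** (bits - 1) / rate;
  return seconds / (365.25 * 24 * 3600);
}

function meter(length, options) {
  const poolSize = buildPool(options).length;
  const bits = entropyBits(length, poolSize);
  return {
    poolSize,
    bits: Math.round(bits * 10) / 10,
    years: averageCrackYears(bits),
  };
}
```

`meter(16)` reports a pool of 84 and 102.3 bits, and `meter(16, { excludeAmbiguous: true })` a pool of 79 and 100.9 bits, so the cost of dropping the five look-alike characters is about 1.4 bits at this length.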

Frequently Asked Questions

Is this password generator safe to use?

Yes. Passwords are generated entirely within your browser using crypto.getRandomValues(), which is the same cryptographic API used by security software. Nothing is transmitted to any server. You can disconnect from the internet and the tool still works. The source code is readable directly in your browser's developer tools.

What is entropy in bits?

Entropy measures unpredictability. Each bit of entropy doubles the number of possible passwords an attacker must try. A password with 60 bits of entropy requires roughly 2⁵⁹ ≈ 576 quadrillion guesses on average. The formula is: entropy = password length × log₂(pool size). Higher is always better — aim for 60+ bits for general use, 80+ for high-value accounts.

Why should I use a passphrase instead of a random password?

Passphrases are easier to remember while remaining mathematically strong. A 6-word passphrase from a 1,296-word list has 62 bits of entropy — comparable to a 10-character random password with all character types — but is far more memorable because it forms a mental image you can visualize. They are ideal for master passwords that you must type without a password manager.

What does "exclude ambiguous characters" mean?

Some characters look similar in certain fonts: the letter O and the number 0, the letter l and the number 1, and the capital letter I. Excluding them prevents transcription errors when you need to type a generated password by hand — for example, into a device that has no clipboard access. The option removes 5 characters from the pool, reducing entropy by a small but calculable amount.