Password Generator

Generate one or many strong, random passwords entirely in your browser. Choose the length and character types, then see the entropy in bits and how long each password would take to crack at several realistic attack speeds. Nothing is sent anywhere or stored.

What makes a password hard to guess

A password’s resistance to brute-force guessing comes down to two things: how many characters are possible at each position (the pool size) and how many positions there are (the length). Every extra character type you allow, and every extra character you add, multiplies the number of possible passwords — which is why length and variety matter far more than clever substitutions like “p@ssw0rd,” a pattern attackers already check first.

How it’s calculated

Entropy (bits) = length × log₂(pool size), where pool size is the sum of the checked character sets (26 lowercase + 26 uppercase + 10 digits + 32 symbols, minus any excluded ambiguous characters). Total possibilities = 2^entropy. Average crack time assumes an attacker must search half the space on average: (2^entropy ÷ 2) ÷ guesses-per-second, shown at several realistic attack speeds from a throttled login form to offline GPU hardware. Characters are drawn with crypto.getRandomValues, rejecting values that would bias the selection (rejection sampling) so every allowed character has an exactly equal chance.

Crack-time figures are theoretical averages assuming a pure brute-force attack with no known pattern; a leaked password reused elsewhere, or one derived from personal information, can be found far faster regardless of its entropy.

Worked example

A 16-character password using all four character types draws from an 89-character pool (26 lowercase + 26 uppercase + 10 digits + 27 symbols), giving 2^103.6 possibilities — about 104 bits of entropy. At an offline attack speed of 10 billion guesses per second, the average time to find it is roughly 25 trillion years. Shrinking to 8 characters with the same pool drops entropy to about 52 bits, crackable offline in an average of roughly 2.3 days at that same speed — a dramatic difference from just 8 fewer characters.
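The selection method and formulas from "How it's calculated", applied to the pool size in the worked example above, as an added example (not this site's own code). The symbol set, the names buildPool, generatePassword, entropyBits and avgCrackSeconds, and the Node fallback are assumptions; the 94-character ASCII set assumed here, less the five ambiguous characters named in the FAQ, gives an 89-character pool.

```javascript
// Added example: uniform character selection by rejection sampling, plus the
// entropy and average crack-time formulas described on this page.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

// Assumed character sets: the page does not list its symbols, so the 32 ASCII
// punctuation characters are used here.
const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
const AMBIGUOUS = "Il1O0"; // characters the FAQ names as ambiguous

function buildPool(types, excludeAmbiguous = false) {
  const pool = types.map((t) => SETS[t]).join("");
  return excludeAmbiguous
    ? [...pool].filter((c) => !AMBIGUOUS.includes(c)).join("")
    : pool;
}

function generatePassword(length, pool) {
  if (pool.length < 2 || pool.length > 256) throw new RangeError("pool size must be 2..256");
  // Largest multiple of pool.length that fits in one byte. Bytes at or above it
  // would make the low indices more likely under `% pool.length`, so drop them.
  const limit = 256 - (256 % pool.length);
  const out = [];
  const buf = new Uint8Array(64);
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(pool[b % pool.length]);
    }
  }
  return out.join("");
}

const entropyBits = (length, poolSize) => length * Math.log2(poolSize);

// Average brute-force time in seconds: half the search space at the given rate.
const avgCrackSeconds = (bits, guessesPerSecond) => 2 ** (bits - 1) / guessesPerSecond;

const pool = buildPool(["lower", "upper", "digits", "symbols"], true);
const pw = generatePassword(16, pool);
console.log(pw, pool.length, entropyBits(16, pool.length).toFixed(1));
```

With an 89-character pool, 78 of the 256 byte values (178 to 255) are discarded, so roughly 30% of the random bytes are thrown away in exchange for an unbiased draw.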

Common mistakes

  • Reusing the same password across sites — a breach on one site then unlocks every other account using it, regardless of strength.
  • Choosing predictable substitutions (@ for a, 0 for o) — attackers’ dictionaries already include these patterns.
  • Picking a short password with symbols instead of a longer one without — length usually beats complexity for a fixed character count.
  • Assuming high entropy protects against phishing or reused, leaked credentials — entropy only defends against guessing, not disclosure.

Where it is used

  • Creating new account passwords, Wi-Fi keys, or API tokens.
  • Generating a batch of temporary passwords for onboarding or testing.
  • Checking whether a password policy’s minimum length is actually enough entropy.
  • Teaching or demonstrating how brute-force search scales with password length.

Frequently asked questions

Is this generator actually secure?

Yes. It uses your browser’s crypto.getRandomValues, a cryptographically secure random source seeded from operating-system entropy — the same class of generator used for encryption keys. Nothing is sent over the network: the password is built and shown entirely in your browser, and nothing is stored.

What does the entropy number mean?

Entropy in bits measures how many independent guesses it would take, on average, to find your exact password by brute force: 2^bits total possibilities. A 16-character password using all four character types has around 104 bits of entropy — far beyond what any realistic attack can exhaust.

Should I exclude ambiguous characters?

Excluding characters like I, l, 1, O, and 0 makes a password easier to type or read aloud correctly, which helps if you’re transcribing it by hand. It slightly narrows the character pool, so entropy per character drops a little — the entropy figure updates live so you can see the trade-off.

Why does the crack-time estimate vary so much?

Crack time depends entirely on how fast an attacker can test guesses. An online login form throttled to a few attempts per second is a very different threat than an offline attacker with GPU hardware testing billions of hashes per second. The table shows several realistic attacker speeds side by side so you can see the range.

Does the site store or see my generated passwords?

No. Generation happens entirely in your browser’s JavaScript using local randomness — nothing is transmitted, logged, or saved by NumberBench. Closing or refreshing the page discards it completely, so save it in a password manager if you plan to use it.