Password Generator

Generate strong, random passwords instantly. Nothing is sent to any server.


How the Password Generator Works

Passwords are generated entirely in your browser using crypto.getRandomValues() — the same cryptographic random number generator your browser uses for HTTPS. No data is sent to any server. Adjust length and character types in the options panel; the strength bar rates the result by entropy (length × log₂ of the character-set size).

Password Security Best Practices

  • Use at least 16 characters. Length is the single most important factor. A 16-character password takes orders of magnitude longer to brute-force than a 10-character one. Aim for 20+ on anything important.
  • Never reuse passwords across accounts. If one service is breached, attackers will try the same credentials everywhere else. Unique passwords contain the damage.
  • Use a password manager. You can't memorize 50 unique 20-character passwords — nobody can. Tools like Bitwarden (free, open-source), 1Password, and KeePass store and autofill securely.
  • Enable two-factor authentication (2FA) wherever possible. Even if someone gets your password, a second factor blocks access. Start with email, banking, and social accounts.

The Math of Password Entropy

Entropy measures how unpredictable a password is. Formally, it's the base-2 logarithm of the total number of possible passwords of that length and character set. If you draw from an alphabet of N symbols to build a password of length L, entropy is L × log₂(N) bits. More bits = exponentially harder to brute-force.

Concrete alphabet sizes: lowercase letters = 26, lowercase + uppercase = 52, alphanumeric = 62, alphanumeric + common symbols = 94. An 8-character alphanumeric password has about 48 bits of entropy — crackable in hours on a modern GPU cluster. A 16-character password from the full 94-symbol set reaches ~105 bits — computationally infeasible to brute-force in a human lifetime, even with state-level resources.

Rough time-to-crack estimates against an offline attacker with 1 trillion guesses per second (a well-funded adversary, ~2026):

  • 8 chars, alphanumeric (48 bits) → hours
  • 10 chars, full 94-set (65 bits) → ~12 days
  • 12 chars, full 94-set (78 bits) → ~300 years
  • 16 chars, full 94-set (105 bits) → longer than the age of the universe
  • 20 chars, full 94-set (131 bits) → absurdly infeasible

Important caveat: these numbers assume the password is truly random, never reused, and attackers don't have it via breach or phishing. Real-world breaches almost always come from stolen hashes, credential stuffing, or phishing — not from brute force against a well-chosen password.

How Passwords Actually Get Compromised

Brute-forcing a good password is rarely how attackers get in. The actual attack patterns, ranked by prevalence:

  • Credential stuffing. An attacker takes usernames and passwords leaked from one breach and tries them on other services. Works because people reuse passwords. This is why unique passwords per site matter more than length in practical terms.
  • Phishing. You're tricked into typing your password on a fake login page. No password length protects against this — only 2FA, hardware keys, or passkeys do. If an email asks you to log in, always go to the site directly instead of clicking.
  • Dictionary and hybrid attacks. Tries common passwords and variations («Password123», «qwerty!2026», your favorite team + current year). Beats any password that looks «complex» but follows a pattern. Random generators defeat this entirely.
  • Breach and hash cracking. An attacker steals a database of hashed passwords and cracks them offline. Modern GPUs can try billions of hashes per second, especially against outdated hash functions (MD5, SHA-1, unsalted SHA-256). This is why length matters — it's the one thing that scales exponentially against hash cracking.
  • Keyloggers and malware. Malicious software captures keystrokes or clipboard contents. If your device is compromised, no password is safe. Keep OS and browser updated, and avoid sketchy downloads — your password manager won't save you from malware running as you.

Passphrases vs Passwords

A passphrase is several random words strung together — «correct-horse-battery-staple», made famous by xkcd 936. Four random words drawn from a 2,000-word dictionary give ~44 bits of entropy; five words give ~55; six words give ~66. Memorable, but you need more words to match the entropy of a 16-character random password.

Diceware — rolling physical dice to pick words from a 7,776-word list — is the gold standard for generating passphrases you can trust were chosen at random (rather than by a computer you might not fully trust). Six Diceware words give ~77 bits of entropy: strong enough for anything short of state-level threats, and easier to type than a 13-character random string.

Practical rule: use a random 16+ character password stored in a password manager for sites where you don't need to type it often. Use a Diceware passphrase for your master password (the one you unlock the password manager with) and your device login — places where you need to type it daily and can't rely on autofill. Never use a passphrase that's a real sentence, song lyric, or quote — those appear in breach corpora and get tried first.

Beyond Passwords: 2FA, Passkeys, and What's Next

Even a perfect password can be phished or captured. Adding a second authentication factor — something beyond knowing the password — cuts most real attacks dead. The layers, from weakest to strongest:

  • SMS codes (2FA). Better than nothing, but vulnerable to SIM-swap attacks. Still, use it if it's the only option — it stops credential stuffing cold.
  • Authenticator apps (TOTP). Google Authenticator, Authy, 1Password, or the one built into your password manager. Generates a 6-digit code every 30 seconds based on a shared secret. Much harder to intercept than SMS.
  • Hardware security keys (FIDO2/WebAuthn). Physical USB or NFC devices — YubiKey, SoloKey, Titan. Cryptographically bound to the site's origin, so they can't be phished. The gold standard for high-value accounts.
  • Passkeys. A newer standard (Apple, Google, Microsoft all support it as of 2024+) replacing passwords entirely. Your device stores a cryptographic key pair; you authenticate with biometrics or a PIN. Phishing-resistant by design. Where offered, passkeys beat passwords on both security and convenience — expect them to slowly replace passwords over the next decade.

Priority order for real people: enable 2FA on email first (if someone controls your email, they can reset every other account), then banking, then your password manager, then social media. A hardware key or passkey for your email and password manager is the single highest-leverage security upgrade available today.

For the person who looked up 'how long to crack a password' and wanted real answers

The entropy bar shows your password's bit count and a plain-language time-to-crack estimate — not 'strong' or 'weak', but an actual order of magnitude against an offline attacker running a trillion guesses per second. Passphrase mode generates four words from a 200-word list, xkcd-style. Four words is easy to type. It's not the strongest option by bit count, but it's memorable for places where you have to type it daily and can't rely on autofill. You can also generate up to 10 passwords at once if you want to pick the one that feels least awkward to type.

The ambiguous characters toggle removes 0, O, 1, l, and I — the five characters that cause 80% of 'incorrect password' frustration when typing on a phone or copying by hand. It's off by default because removing characters reduces your character set slightly. Turn it on when you know the password will be typed manually, not pasted. No cloud. No account. Nothing leaves your browser.

Frequently Asked Questions

Are the generated passwords truly random?
Yes. The generator uses crypto.getRandomValues() — the same cryptographic random number generator your browser uses for HTTPS. This is fundamentally different from Math.random(), which is not cryptographically secure. The output is indistinguishable from true randomness for practical purposes.

Is it actually safe to generate passwords in a browser?
Yes — everything runs locally on your device. No password is ever sent to a server, logged, or stored anywhere outside your clipboard. You can even load this page, disconnect from the internet, and it'll keep working. The only real risk would be malware already running on your machine.

How long does my password actually need to be?
16 characters is the recommended minimum for most accounts. 12 is the absolute floor for anything that matters. For critical accounts — email, banking, your password manager — aim for 20+. The extra length costs you nothing (your password manager remembers it) and makes brute-force attacks computationally infeasible.

Is a passphrase better than a password?
They solve different problems. A random 16-character password is shorter and stronger per character, but hard to memorize — store it in a password manager. A Diceware passphrase of 5–6 random words is longer but memorable — use it where you have to type it daily (your device login, your password manager's master password). Both defeat brute force; the choice is about where you'll type it.

Do I still need strong passwords if I use 2FA?
Yes. 2FA is a second layer, not a replacement. If your password is weak and reused, attackers who get it via a breach will still trigger the 2FA prompt — which is where phishing and SIM-swap attacks come in. A strong unique password plus 2FA is meaningfully harder to attack than either alone. Hardware security keys and passkeys raise the bar further by being phishing-resistant.

Which password manager should I use?
Bitwarden (free, open-source, hosted or self-hosted) is the default recommendation for most people — solid apps, transparent security model. 1Password (paid) has a more polished experience and better family plans. KeePass (free, offline) is the pick for privacy purists willing to manage sync themselves. Avoid storing passwords in a browser alone — it's convenient but offers weaker multi-device sync, less mature security review, and no cross-browser portability.
