One Password Per Account. No Exceptions.
The 2024 RockYou2024 compilation leaked nearly 10 billion passwords. If you’re reusing MyDog2019! across Gmail, your bank, and three SaaS tools, all it takes is one breach and an attacker has the keys to everything. Credential stuffing attacks automate this — bots try leaked email/password combos across thousands of sites simultaneously.
The fix is boring but effective: a unique random password for every single account, stored in a password manager. Not a password you composed. Not your dog’s name with numbers. A string like j7$kQ2m!vP9xL4@n that no human would ever think of and no dictionary attack would ever find.
This tool generates those passwords using crypto.getRandomValues(), the browser's cryptographically secure random number generator and the same kind of randomness source that TLS relies on to establish secure connections. Everything stays in your browser.
The Entropy Math
A 16-character password using all 95 printable ASCII characters has about 105 bits of entropy. At 10 billion guesses per second (achievable with a GPU cluster against unsalted hashes), cracking it would take roughly 4 x 10^14 years. That’s about 30,000 times the age of the universe.
Cut it to 8 characters? Same character set, but only 52.5 bits of entropy. Cracking time drops to about 33 days. That’s the difference between “literally impossible” and “totally feasible for a motivated attacker.”
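Here’s the formula: entropy = length x log2(character_set_size). It only holds when every character is picked uniformly and independently at random, which is why a generated password beats a composed one. More characters per position and more positions both increase entropy, but length has a bigger impact: the number of possible passwords is character_set_size^length, so length is the exponent in the brute-force equation, and each extra character multiplies the search space by the full character set size.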
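An added example, not this tool's own code: a sketch of how a generator can draw characters from crypto.getRandomValues() without modulo bias, with the entropy formula above applied to the result. The function names (uniformIndex, generatePassword, entropyBits) and the character-set constants are hypothetical.

```javascript
// Added example: unbiased password generation with the Web Crypto CSPRNG.
// Browsers expose globalThis.crypto; the fallback covers older Node.js releases.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Hypothetical character classes; together they are the 95 printable ASCII
// characters (0x20-0x7E, space included).
const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = LOWER.toUpperCase();
const DIGITS = "0123456789";
const SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
const ALL = LOWER + UPPER + DIGITS + SYMBOLS;
const ALNUM = LOWER + UPPER + DIGITS; // for sites that reject symbols

// Uniform index in [0, n) by rejection sampling. A plain `byte % n` would
// favour low indices whenever 256 is not a multiple of n (95 and 62 are not).
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  for (;;) {
    rng.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n; // discard bytes in the biased tail
  }
}

function generatePassword(length, charset) {
  const chars = [...new Set(charset)]; // de-duplicate so the entropy math stays honest
  if (chars.length < 2) throw new RangeError("charset needs at least 2 distinct characters");
  let out = "";
  for (let i = 0; i < length; i++) out += chars[uniformIndex(chars.length)];
  return out;
}

// entropy = length x log2(character_set_size); valid for uniform, independent picks only
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

console.log(generatePassword(16, ALL), entropyBits(16, ALL.length).toFixed(1), "bits");
console.log(generatePassword(16, ALNUM), entropyBits(16, ALNUM.length).toFixed(1), "bits");
```

Math.random() is not a substitute for the rng call: it is not cryptographically secure, and its output can be predicted from earlier values.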
Practical Guidance
For accounts stored in a password manager: Set length to 20+ characters with all character types enabled. There’s no downside — you’re copy-pasting anyway. x$7kQ2m!vP9L4@nWj8#rT5yB3&cF6hZ is no harder to paste than password123.
For your password manager’s master password: Don’t use this tool. Use the Passphrase Generator instead. You need something you can type from memory, and copper-morning-garden-bridge-silent beats x7$kQ2m! in both memorability and entropy.
For sites with bad password policies: Some sites won’t accept certain symbols, or cap the length at 16 or 20 characters. Uncheck the problem character types and work within their limits. Even a 16-character alphanumeric password (62 characters per position) gives you about 95 bits of entropy.
For development and testing: Use bulk generation to create 10 or 20 passwords at once for test accounts, database seeding, or staging environments.
Stop Reusing. Start Generating.
Every time you sign up for a new service, generate a fresh password here, paste it into the signup form, and save it to your password manager. Ten seconds of effort now prevents months of cleanup if that service gets breached.
The Password Strength Meter evaluates any password (generated or existing) against brute-force estimates. The Random Token Generator is better suited for API keys and tokens where you don’t need human-readability. Everything runs in your browser — nothing gets logged, stored, or transmitted.