toolsy.one

Password & passphrase generator

Create strong, random passwords or memorable passphrases — generated entirely in your browser.

Click generate
Estimated strength:

How to create a password attackers can’t crack

The strength of a password has very little to do with whether it looks complicated and almost everything to do with how unpredictable it is. Security researchers measure that unpredictability in bits of entropy. Each additional bit doubles the number of guesses an attacker needs, so the difference between a 40-bit and a 60-bit password isn’t 50% stronger — it’s roughly a million times stronger.

This generator builds every result with crypto.getRandomValues(), the browser’s cryptographically secure random source, and it shows you the entropy in real time so you can see exactly how strong your choice is before you use it.

Random password

Short, dense strings of mixed characters. Perfect for accounts you save in a password manager and never have to type by hand.

Memorable passphrase

Several random words joined together. Inspired by the Diceware method — strong enough for a master password yet easy to type.

100% local

All randomness and assembly happen in your browser. Your generated secret is never transmitted, logged or stored anywhere.

A worked example

Say you pick a 16-character password using all four character sets (about 94 possible characters). That’s roughly 16 × log₂(94) ≈ 105 bits of entropy — far beyond what any current hardware can brute-force. A 5-word passphrase from a large word list lands around 60–65 bits, which is plenty for everyday accounts and much easier to type on a phone. The live meter above updates with your exact settings so you don’t have to do the maths.

Rules worth following

  • Never reuse a password. One breach then unlocks every account that shares it. A manager makes unique passwords effortless.
  • Length beats complexity. A long passphrase is stronger and more usable than a short string of random symbols.
  • Avoid anything personal. Names, birthdays, pet names and keyboard walks like qwerty are the first things cracking tools try.
  • Turn on two-factor authentication. It protects you even if a password is phished or leaked.
Privacy note: this tool runs with no server and no analytics on your input. The password you see was created on your device and exists only in this browser tab until you copy or close it.

Frequently asked questions

Are the passwords generated here safe to use?

Yes. Every password and passphrase is generated locally in your browser using the Web Cryptography API (crypto.getRandomValues), which is a cryptographically secure random number generator. Nothing is sent over the network, logged, or stored — close the tab and the result is gone.

What is the difference between a password and a passphrase?

A random password mixes letters, numbers and symbols into a short, high-density string that is ideal for password managers. A passphrase strings several random words together; it reaches similar strength while being far easier to read and type by hand.

How long should my password be?

For accounts you store in a password manager, 16–24 random characters is a strong, practical choice. For a master password or anything you must type from memory, a 5–6 word passphrase is easier and just as strong.

What does the strength estimate mean?

It shows the entropy in bits — a measure of how many guesses an attacker would need on average. Each extra bit doubles the work. Below ~50 bits is weak, 60–80 bits is good for most accounts, and 100+ bits is excellent for high-value secrets.

Should I still use two-factor authentication?

Always, where it is offered. Even a perfect password can be phished or leaked in a breach. A second factor (an authenticator app or hardware key) means a stolen password alone is not enough to take over your account.

Related tools

JSON formatter

Format, validate and beautify JSON, with error messages.

Base64 encoder

Encode and decode Base64 text and URL-safe variants.

UUID generator

Generate bulk RFC 4122 v4 UUIDs using secure randomness.