Password Generator

What Is a Password Generator and Strength Checker?

A password generator creates random, high-entropy passwords that resist guessing and brute-force attacks, while a strength checker evaluates existing passwords against security criteria. Together, these tools protect your digital accounts from the 81% of data breaches caused by weak or stolen passwords, according to Verizon's 2023 Data Breach Investigations Report.

Modern password security requires more than "Password123!" — attackers use dictionaries containing 500+ million leaked passwords, GPU clusters testing 100+ billion combinations per second, and AI models trained on human password patterns. A strong generated password uses 16+ characters from 95 possible ASCII symbols, creating 95¹⁶ (approximately 4.4 × 10³¹) possible combinations. At 100 billion guesses per second, cracking such a password takes an average of 7 million years.

The generator uses cryptographically secure random number generators (CSPRNG) — not standard random functions — to ensure unpredictability. Standard random functions like JavaScript's Math.random() produce predictable sequences from seed values. CSPRNGs draw entropy from operating system sources (hardware noise, interrupt timing, mouse movements) making each generated password truly random. The strength checker then validates passwords against criteria: minimum length, character variety, absence of common patterns, and non-appearance in breach databases.

Password Generation and Strength Formula Explained

Password Entropy Formula (Shannon Entropy):

Entropy (bits) = log₂(R^L) = L × log₂(R)

Where:

• R = Size of character repertoire (number of possible symbols)
• L = Password length (number of characters)
• Entropy = Measure of unpredictability in bits

Character repertoire sizes:

• Lowercase letters (a-z): R = 26
• Uppercase + lowercase (A-Za-z): R = 52
• Alphanumeric (A-Za-z0-9): R = 62
• Alphanumeric + symbols (95 printable ASCII): R = 95

Entropy thresholds for strength ratings:

• Weak: < 40 bits (crackable in hours)
• Fair: 40-60 bits (crackable in months with GPU clusters)
• Good: 60-80 bits (crackable in years)
• Strong: 80-100 bits (crackable in centuries)
• Very Strong: > 100 bits (computationally infeasible)

Worked Example 1 — 12-character alphanumeric password:

Step 1: Character repertoire = 62 (A-Za-z0-9)

Step 2: Password length = 12 characters

Step 3: Calculate entropy: 12 × log₂(62) = 12 × 5.95 = 71.4 bits

Step 4: Rate strength: 71.4 bits = Good (60-80 bit range)

Strength: Good — suitable for most accounts

Worked Example 2 — 16-character full ASCII password:

Step 1: Character repertoire = 95 (all printable ASCII)

Step 2: Password length = 16 characters

Step 3: Calculate entropy: 16 × log₂(95) = 16 × 6.57 = 105.1 bits

Step 4: Rate strength: 105.1 bits = Very Strong (>100 bits)

Strength: Very Strong — suitable for high-security accounts

Worked Example 3 — 8-character lowercase only (weak):

Step 1: Character repertoire = 26 (a-z only)

Step 2: Password length = 8 characters

Step 3: Calculate entropy: 8 × log₂(26) = 8 × 4.70 = 37.6 bits

Step 4: Rate strength: 37.6 bits = Weak (<40 bits)

Strength: Weak — crackable in hours, never use

Time to crack calculations:

Time = (R^L) / (2 × Guesses per second)

The division by 2 accounts for average case (attacker finds password halfway through searching the keyspace).

For 12-character alphanumeric at 100 billion guesses/second:

Time = 62¹² / (2 × 10¹¹) = 3.2 × 10²¹ / 2 × 10¹¹ = 1.6 × 10¹⁰ seconds = 507 years

6 Steps to Generate and Check Password Strength

1. Determine required password length: Choose minimum 12 characters for standard accounts, 16+ for financial/enterprise systems. NIST Special Publication 800-63B recommends 8 characters minimum but 12+ provides better security margins. Longer passwords exponentially increase cracking time — each additional character multiplies the search space by the repertoire size (62× for alphanumeric).
2. Select character types to include: Enable lowercase (a-z), uppercase (A-Z), numbers (0-9), and symbols (!@#$%^&*). Each category adds to the repertoire: lowercase only = 26 symbols, adding uppercase = 52, adding numbers = 62, adding symbols = 95. Some systems restrict certain symbols — check requirements before generating. Avoid ambiguous characters (l, I, 1, O, 0) if passwords will be manually transcribed.
3. Generate using cryptographically secure random source: The generator must use CSPRNG, not standard random functions. In browsers: window.crypto.getRandomValues(). In Python: secrets module (not random). In Node.js: crypto.randomBytes(). Standard random functions produce predictable sequences — attackers who observe one generated password can potentially predict others from the same seed.
4. Verify character distribution: Ensure the generated password includes at least one character from each selected type. A 16-character password using only lowercase letters wastes potential entropy. Some generators use "guaranteed inclusion" algorithms: first pick one character from each required type, then fill remaining positions randomly. This prevents accidentally weak outputs from purely random generation.
5. Check against common password lists: Compare the generated password against databases of leaked passwords (Have I Been Pwned, RockYou list, etc.). Even random generation can occasionally produce "Password123" or "qwerty" — exclude these. The strength checker should reject any password appearing in the top 100,000 most common passwords, regardless of theoretical entropy.
6. Calculate and display strength metrics: Show entropy in bits, estimated crack time, and a simple rating (Weak/Fair/Good/Strong/Very Strong). Include specific feedback: "Add 4 more characters to reach Strong rating" or "Include symbols to increase entropy by 8 bits." Actionable guidance helps users improve weak passwords rather than accepting generic "password is weak" messages.

5 Practical Password Generation Examples

Example 1 — Email Account (12 characters, alphanumeric + symbols):

• Length: 12 characters
• Character set: 95 (full ASCII)
• Generated: K7#mN2$pL9@x
• Entropy: 12 × log₂(95) = 78.8 bits
• Crack time at 100B guesses/sec: ~40,000 years
• Strength: Strong — suitable for personal email

Example 2 — Banking Account (20 characters, full ASCII):

• Length: 20 characters
• Character set: 95 (full ASCII)
• Generated: vR4&hT8!nM3@kL6#pW2%
• Entropy: 20 × log₂(95) = 131.4 bits
• Crack time: ~10 septillion years (longer than universe age)
• Strength: Very Strong — suitable for financial accounts

Example 3 — WiFi Password (16 characters, alphanumeric):

• Length: 16 characters (WPA2 recommends 16+)
• Character set: 62 (alphanumeric, symbols hard to enter on devices)
• Generated: aB3dE7gH9jK2mN5p
• Entropy: 16 × log₂(62) = 95.2 bits
• Crack time: ~15 million years
• Strength: Strong — suitable for WPA2/WPA3

Example 4 — Temporary Account (8 characters, alphanumeric):

• Length: 8 characters (minimum for low-risk temporary use)
• Character set: 62 (alphanumeric)
• Generated: xT4mK9pL
• Entropy: 8 × log₂(62) = 47.6 bits
• Crack time: ~3 months at 100B guesses/sec
• Strength: Fair — acceptable only for disposable accounts

Example 5 — Master Password for Password Manager (24 characters, full ASCII):

• Length: 24 characters (maximum protection for vault)
• Character set: 95 (full ASCII)
• Generated: Zq8#Lm3$Rt7!Wx2@Hy6&Np4%
• Entropy: 24 × log₂(95) = 157.7 bits
• Crack time: computationally infeasible
• Strength: Very Strong — protects all other passwords

4 Common Password Security Mistakes

• Using predictable substitutions (l33t speak): Replacing E with 3, A with @, or S with $ doesn't meaningfully increase security. Attackers' dictionaries include common leet variations: "P@ssw0rd" appears in breach databases over 2 million times. "Tr0ub4dor&3" (xkcd's famous example) has only 28 bits of entropy despite symbols and numbers. True randomness beats clever substitutions every time.
• Reusing passwords across multiple accounts: Using the same password for email, banking, and shopping means one breached website compromises everything. The average person has 154 passwords but reuses them across 4-5 accounts each. Credential stuffing attacks try leaked credentials on 100+ popular sites automatically. Generate unique passwords for every account — password managers make this practical by storing and autofilling them.
• Creating passwords from personal information: Birthdates, pet names, favorite teams, and anniversaries are easily guessed from social media. "Fluffy2010!" (pet + year) appears in 47,000 breached accounts. Attackers scrape Facebook, Instagram, and LinkedIn to build personalized dictionaries. Even obscure personal facts (mother's maiden name, first car) are common security questions with answers findable online.
• Changing passwords on arbitrary schedules: NIST's current guidelines discourage mandatory 90-day password rotation unless compromise is suspected. Forced rotation causes predictable patterns: "Password1" becomes "Password2" then "Password3". Attackers who obtain one password can guess the next. Better approach: generate one very strong password, use it indefinitely, and monitor breach databases for exposure.

5 Pro Tips for Password Security

• Use a password manager with breach monitoring: Tools like Bitwarden, 1Password, and KeePass generate, store, and auto-fill unique passwords for every account. They alert you when stored credentials appear in new breach databases. Built-in generators create 20+ character passwords with full entropy. You only need to remember one master password — the manager handles the rest. Free options (Bitwarden) offer full functionality for individuals.
• Enable multi-factor authentication (MFA) everywhere available: MFA adds a second verification step beyond passwords — typically a time-based code from an authenticator app or hardware security key. Even if attackers steal your password, they can't access accounts without the second factor. Use authenticator apps (Authy, Google Authenticator) over SMS (vulnerable to SIM swapping). Hardware keys (YubiKey) provide strongest protection against phishing.
• Generate passphrases for memorizable high-security passwords: For passwords you must type manually (master passwords, device unlock), use the Diceware method: roll dice to select 5-7 random words from a 7,776-word list. "correct horse battery staple" (4 words) has 51 bits of entropy. "glimpse fractal meadow turbine sunset" (5 words) has 64 bits. Passphrases are easier to remember and type than random characters while maintaining strong security.
• Check existing passwords against breach databases: Use Have I Been Pwned (haveibeenpwned.com) or Firefox Monitor to check if your email/password combinations appear in known breaches. Over 13 billion accounts have been exposed in public breaches. If your password appears, change it immediately on that service AND any other account using the same password. Many password managers now include automatic breach monitoring.
• Implement rate limiting and account lockout on your own systems: If you build applications, protect user passwords with rate limiting (max 5 attempts per minute per IP) and progressive delays (1 second, then 5 seconds, then 30 seconds). After 10 failed attempts, temporarily lock the account and require email verification. This makes brute-force attacks impractical even against weak passwords. Never store passwords in plain text — use bcrypt, scrypt, or Argon2 with appropriate cost factors.

4 Password Security FAQs

Related Calculators

• Entropy Calculator — Calculates information entropy in bits for passwords and encryption keys
• Bcrypt Hash Generator — Creates secure password hashes for database storage
• Two-Factor Authentication Guide — Setup instructions for MFA across popular services
• Passphrase Generator — Creates memorable multi-word passwords using Diceware method
• Breach Checker — Verifies if your email appears in known data breaches