Password Generator
Generate strong, random passwords with customizable length, uppercase, numbers, and special characters.
About the Password Generator
A strong, unique password for every account is the single most effective personal cybersecurity measure available to ordinary users. Data breaches at large companies expose hundreds of millions of passwords every year - Have I Been Pwned (haveibeenpwned.com) has catalogued over 13 billion compromised accounts. If you reuse the same password across accounts, a breach at one service compromises all of them. The only defence is a unique, strong password for every account.
Password strength is mathematically quantifiable. A 12-character password using uppercase, lowercase, numbers, and symbols has a character space of 95 possible characters - giving 95^12 or roughly 540 quintillion combinations. At 1 trillion guesses per second (the approximate speed of modern GPU cracking rigs), that would take 17,000 years to brute-force. A 16-character password of the same type would take 540 million years. Length is the single most powerful variable in password strength.
This generator uses the Web Crypto API - your browser's built-in cryptographic random number source. Passwords are generated entirely on your device and are never transmitted to any server. The generation happens locally in JavaScript, which you can verify by turning off your internet connection and testing that the generator still works. For critical accounts (banking, email, UPI apps), generate a 20+ character mixed password and store it in a password manager like Bitwarden (free, open-source) or the built-in manager in Chrome or Safari.
Password Strength
Entropy bits = log2(charset_size^length) - 12 char mixed = 2^72 combinations = trillions of years to brute-force
Lowercase only (26 chars): 12 chars = 26^12 approx 95 trillion combinations - Mixed (95 printable ASCII): 12 chars = 95^12 approx 540 quintillion - Each additional character of mixed set multiplies strength by 95x
Worked Example
Password policy requirements: minimum 12 characters, mixed case, numbers, symbols
Entropy: 105 bits - Estimated brute-force time (1 trillion guesses/sec): 1.2 quintillion years - Classification: Extremely strong
Tips & Insights
- 1
Use a password manager to store a unique password for every account. Bitwarden is free, open-source, and cross-platform. You only need to remember one strong master password - the manager handles the rest. This is the single most impactful security step you can take.
- 2
Enable two-factor authentication (2FA) on every account that offers it, especially email, banking, and social media. A compromised password cannot be used without your phone. Use an authenticator app (Google Authenticator, Authy) rather than SMS-based 2FA when possible.
- 3
Never use personal information in passwords - your name, birthday, phone number, or pet name are the first things an attacker tries. These form the core of dictionary attack wordlists that run millions of personalised guesses per second.
- 4
A passphrase of 4-5 random words (for example: correct-horse-battery-staple) is cryptographically as strong as a 12-character mixed password and far easier to remember for the few accounts where you must type the password yourself.
- 5
Check if your email has been in a known breach at haveibeenpwned.com. If it has appeared in any breach, every account where you used that password should be treated as compromised, even if you have not noticed any unauthorised activity.
- 6
Indian banking apps and UPI platforms have strict character limits on PINs and passwords - sometimes only 4-6 digits. For these, enable biometric authentication wherever available, as it adds a strong second factor without relying on the password length.
- 7
Do not save passwords in plain text documents, spreadsheets, or notes apps. If your device is accessed physically or your cloud notes are breached, all your passwords are exposed at once. A password manager encrypts the vault with your master password - even the service provider cannot read your stored passwords.
Why this matters for you
India reported over 13 million cybercrime incidents in 2023, with financial fraud and account takeover accounting for a significant share. UPI transaction fraud, banking credential theft, and social media account hijacking are all primarily enabled by weak or reused passwords. A 16-character randomly generated password that is unique to one account provides protection that no attacker has ever cracked through brute force alone.
Most account breaches do not happen through brute-force cracking - they happen through phishing (tricking you into entering credentials on a fake site) or through the resale of previously breached password databases. A strong password only protects you against one of these vectors. But using a unique password for every account - the second key practice this tool enables - is your protection against database breach reuse. When LinkedIn's password database was breached in 2012, accounts at hundreds of other services were compromised because users had reused the same password.
The inconvenience objection to strong unique passwords - that they are impossible to remember - is real and has historically been a barrier to adoption. Password managers solve this completely: you remember one master password and the manager generates, stores, and auto-fills unique strong passwords for every site. The one-time investment of 30 minutes to set up Bitwarden or 1Password eliminates the password memorisation problem permanently. This generator is the first step: generate a strong password, then let your manager remember it.
Related Calculators
Random Number
Generate random numbers in any range. Single or multiple numbers, integers or decimals.
Unit Price
Compare the price per unit of different product sizes or brands to find the best value for money.
Recipe Scale
Scale any recipe up or down. Enter original servings and target servings to get adjusted ingredient quantities.
Frequently Asked Questions
What makes a strong password?+
A strong password has: 12+ characters, a mix of uppercase and lowercase letters, numbers, and special symbols, no dictionary words or personal information, and is unique for each account.
Is this password generator safe?+
Yes. Passwords are generated entirely in your browser using the Web Crypto API - nothing is sent to any server, stored, or logged. Each refresh produces a completely new password.
How long should my password be?+
Minimum 12 characters for most accounts. For critical accounts (banking, email), use 16–20 characters. A 16-character random password takes trillions of years to brute-force with current technology.
Should I use a password manager?+
Yes. A password manager (Bitwarden, 1Password, Google Password Manager) lets you use a unique, strong password for every site without memorizing them. This is significantly safer than reusing passwords.
How long should a strong password be in 2025?+
Password length is the single most important factor for security. Recommended minimums: Basic accounts like forums and newsletters - 12 characters. Email, banking, social media - 16 characters. High-value accounts like crypto wallets and primary email - 20 or more characters. A 12-character random password takes approximately 34,000 years to brute-force; a 16-character password takes trillions of years with current hardware. Even using only lowercase letters, a 20-character password is more secure than a 10-character one with all character types. Use a password manager to store unique 20-character passwords for every site.
What should I avoid in a password even if it is long?+
Length helps, but certain patterns reduce security even in long passwords. Avoid dictionary words and common substitutions (P@ssw0rd, Tr0uble - attackers use substitution dictionaries). Avoid keyboard walks (qwerty, 1234567, asdfgh). Avoid personal information (birthdate, name, phone number). Avoid repeating patterns (aaaaaa, 123123). Avoid reusing parts of old passwords. A truly random 12-character password like x4!mK9nPqR2e is exponentially stronger than a memorable 20-character phrase because automated cracking tools are specifically trained on human-constructed passwords and common patterns. This generator uses Web Crypto to produce output free of these predictable patterns.
How do I manage many strong passwords without forgetting them?+
The recommended approach is to not memorise them at all - use a password manager. Bitwarden is free and open source; 1Password and Dashlane are paid options. A password manager stores all passwords encrypted with a single master password that only you know. You memorise one strong master password and the manager fills in all others automatically on Android, iOS, and desktop. For the master password, use a passphrase: four or more random unrelated words - 'cloud brick orange violin' is highly memorable and its 28 characters make it extremely hard to brute-force. Major Indian banks (SBI, HDFC, ICICI) support password managers through their standard web and app login flows.