Password Generator
Generate strong, random passwords with customizable length, uppercase, numbers, and special characters.
About the Password Generator
A strong, unique password for every account is the single most effective personal cybersecurity measure available to ordinary users. Data breaches at large companies expose hundreds of millions of passwords every year - Have I Been Pwned (haveibeenpwned.com) has catalogued over 13 billion compromised accounts. If you reuse the same password across accounts, a breach at one service compromises all of them. The only defence is a unique, strong password for every account.
Password strength is mathematically quantifiable. A 12-character password using uppercase, lowercase, numbers, and symbols has a character space of 95 possible characters - giving 95^12 or roughly 540 quintillion combinations. At 1 trillion guesses per second (the approximate speed of modern GPU cracking rigs), that would take 17,000 years to brute-force. A 16-character password of the same type would take 540 million years. Length is the single most powerful variable in password strength.
This generator uses the Web Crypto API - your browser's built-in cryptographic random number source. Passwords are generated entirely on your device and are never transmitted to any server. The generation happens locally in JavaScript, which you can verify by turning off your internet connection and testing that the generator still works. For critical accounts (banking, email, UPI apps), generate a 20+ character mixed password and store it in a password manager like Bitwarden (free, open-source) or the built-in manager in Chrome or Safari.
Password Strength
Entropy bits = log2(charset_size^length) - 12 char mixed = 2^72 combinations = trillions of years to brute-force
Lowercase only (26 chars): 12 chars = 26^12 approx 95 trillion combinations - Mixed (95 printable ASCII): 12 chars = 95^12 approx 540 quintillion - Each additional character of mixed set multiplies strength by 95x
Worked Example
Password policy requirements: minimum 12 characters, mixed case, numbers, symbols
Entropy: 105 bits - Estimated brute-force time (1 trillion guesses/sec): 1.2 quintillion years - Classification: Extremely strong
Tips & Insights
- 1
Use a password manager to store a unique password for every account. Bitwarden is free, open-source, and cross-platform. You only need to remember one strong master password - the manager handles the rest. This is the single most impactful security step you can take.
- 2
Enable two-factor authentication (2FA) on every account that offers it, especially email, banking, and social media. A compromised password cannot be used without your phone. Use an authenticator app (Google Authenticator, Authy) rather than SMS-based 2FA when possible.
- 3
Never use personal information in passwords - your name, birthday, phone number, or pet name are the first things an attacker tries. These form the core of dictionary attack wordlists that run millions of personalised guesses per second.
- 4
A passphrase of 4-5 random words (for example: correct-horse-battery-staple) is cryptographically as strong as a 12-character mixed password and far easier to remember for the few accounts where you must type the password yourself.
- 5
Check if your email has been in a known breach at haveibeenpwned.com. If it has appeared in any breach, every account where you used that password should be treated as compromised, even if you have not noticed any unauthorised activity.
- 6
Indian banking apps and UPI platforms have strict character limits on PINs and passwords - sometimes only 4-6 digits. For these, enable biometric authentication wherever available, as it adds a strong second factor without relying on the password length.
- 7
Do not save passwords in plain text documents, spreadsheets, or notes apps. If your device is accessed physically or your cloud notes are breached, all your passwords are exposed at once. A password manager encrypts the vault with your master password - even the service provider cannot read your stored passwords.
Why this matters for you
India reported over 13 million cybercrime incidents in 2023, with financial fraud and account takeover accounting for a significant share. UPI transaction fraud, banking credential theft, and social media account hijacking are all primarily enabled by weak or reused passwords. A 16-character randomly generated password that is unique to one account provides protection that no attacker has ever cracked through brute force alone.
Most account breaches do not happen through brute-force cracking - they happen through phishing (tricking you into entering credentials on a fake site) or through the resale of previously breached password databases. A strong password only protects you against one of these vectors. But using a unique password for every account - the second key practice this tool enables - is your protection against database breach reuse. When LinkedIn's password database was breached in 2012, accounts at hundreds of other services were compromised because users had reused the same password.
The inconvenience objection to strong unique passwords - that they are impossible to remember - is real and has historically been a barrier to adoption. Password managers solve this completely: you remember one master password and the manager generates, stores, and auto-fills unique strong passwords for every site. The one-time investment of 30 minutes to set up Bitwarden or 1Password eliminates the password memorisation problem permanently. This generator is the first step: generate a strong password, then let your manager remember it.
Related Calculators
Random Number
Generate random numbers in any range. Single or multiple numbers, integers or decimals.
Unit Price
Compare the price per unit of different product sizes or brands to find the best value for money.
Recipe Scale
Scale any recipe up or down. Enter original servings and target servings to get adjusted ingredient quantities.