Password Generator

Strong, unique passwords are your first line of defense against cyber attacks. Our password generator creates cryptographically secure passwords that are virtually impossible to guess or crack.

Based on research by security firms using modern computing power, password complexity dramatically affects cracking time:

Source: Hive Systems Password Table 2025. Times based on brute-force attacks using modern GPU clusters. Quantum computing advances may change these estimates.

Pro Tips for Password Security

• Use this generator to create passwords you'll never remember - that's the point!
• Create a unique, memorable master password for your password manager
• Never save generated passwords to your browser clipboard for extended periods
• Generate new passwords periodically for your most important accounts
• Consider using passphrases for master passwords (4-6 random words)
• Immediately save generated passwords to your password manager

Understanding Password Entropy

Entropy measures password randomness and unpredictability in bits. Higher entropy means exponentially more difficult to crack.

• Formula: Entropy = log₂(possible_characters^length). Example: 10-char all-lowercase = log₂(26^10) ≈ 47 bits.
• Character Sets: Lowercase (26), Uppercase (26), Digits (10), Symbols (~32). Full set: 94 characters.
• Examples: 8-char lowercase = 38 bits, 12-char mixed+symbols = 79 bits, 16-char mixed+symbols = 105 bits.
• Security Threshold: NIST recommends minimum 80 bits entropy for secure systems. Banking/gov often require 128+ bits.
• Diminishing Returns: Adding length increases entropy linearly, but expanding character set has logarithmic impact.

Passphrases vs Random Passwords

Passphrases (multiple random words) offer memorability with high entropy, but mathematical trade-offs exist.

• Diceware Method: Roll dice to select random words from 7,776-word list. 6 words ≈ 77 bits entropy.
• Memorability: "correct horse battery staple" easier to remember than "Xk@9mP#2qL7w" despite similar entropy.
• Dictionary Attack Mitigation: Must use truly random word selection. Human-chosen phrases have predictable patterns.
• Length Trade-off: Passphrase requires ~25 chars for 80-bit entropy vs 12-char random password with symbols.
• Best Use: Master passwords for password managers where memorability critical.

Brute Force Attacks

Systematic trial of all possible password combinations until correct one found.

• Search Space: 8-char all-lowercase = 26^8 = 208 billion combinations. Modern GPU cracks in minutes.
• GPU Acceleration: NVIDIA RTX 4090 can attempt 100+ billion MD5 hashes/second. Slower for bcrypt/Argon2.
• Distributed Attacks: Botnets and cloud compute enable parallel attacks. Hash rate scales linearly with resources.
• Mitigation: Long passwords with large character sets. Each additional char multiplies search space.

Dictionary and Hybrid Attacks

Attackers use word lists, common passwords, and pattern variations before resorting to brute force.

• RockYou Breach (2009): 32 million plaintext passwords revealed common patterns. "password", "123456", "letmein" dominated.
• Rule-Based Attacks: Apply transformations (P@ssw0rd, password123, Password!) to dictionary words. Cracks 60%+ of weak passwords.
• Credential Stuffing: Stolen username/password pairs tried across multiple sites. Exploits password reuse.
• Keyboard Patterns: qwerty, asdf, 1qaz2wsx predictable and easily cracked despite appearing random.
• Defense: Truly random passwords from generators defeat dictionary attacks entirely.

Rainbow Table Attacks

Pre-computed hash tables allow instant password lookup from stolen hashes if no salt used.

• Time-Memory Trade-off: Pre-compute hashes for common passwords. Lookup instant vs hours of brute force.
• Table Size: 8-char lowercase rainbow table ≈ 64GB. Covers 99% of weak passwords.
• Salting Defense: Random per-user salt added to password before hashing. Makes rainbow tables useless.
• Modern Systems: All secure systems use salted hashes. Rainbow tables legacy threat for old/insecure systems.

Modern vs Legacy Hashing

How passwords are stored dramatically affects security. Weak hashing algorithms enable rapid cracking attacks.

• MD5/SHA1 (INSECURE): Designed for speed. GPUs compute billions/second. Never use for passwords.
• bcrypt (GOOD): Configurable work factor slows attackers. Industry standard since 1999. 10-15 rounds recommended.
• Argon2 (BEST): Winner of Password Hashing Competition 2015. Memory-hard, GPU-resistant, highly configurable.
• PBKDF2 (ACCEPTABLE): NIST-approved, widely supported. More vulnerable to GPU attacks than bcrypt/Argon2.
• Work Factor: Tunable parameter increases computation time. Double work factor every ~18 months as hardware improves.

Salting and Peppering

Additional techniques beyond basic hashing protect against pre-computation and mass cracking.

• Salt (Essential): Random string (128+ bits) unique per user added to password before hashing. Prevents rainbow tables.
• Salt Storage: Stored alongside hash in database. Not secret, just prevents pre-computation.
• Pepper (Optional): Secret value (not in database) added to all passwords. Protects if database stolen but server secure.
• Pepper Risk: If pepper changed, all passwords invalid. Must be managed carefully.

Why Randomness Matters

Password generators must use cryptographically secure PRNGs. Weak randomness enables prediction attacks.

• Math.random() (INSECURE): JavaScript's default PRNG predictable. Never use for passwords or security.
• crypto.getRandomValues() (SECURE): Browser Web Crypto API. Uses OS-level CSPRNG with hardware entropy.
• /dev/urandom (SECURE): Unix CSPRNG. Mixes hardware entropy with cryptographic hashing. Industry standard.
• Entropy Sources: CPU timing jitter, hardware RNG (rdrand), user input patterns, network timing.
• This Generator: Uses crypto.getRandomValues() for cryptographic-grade randomness.

Avoiding Bias in Character Selection

Naive random selection can introduce subtle biases reducing effective password entropy.

• Modulo Bias: random_int % charset_size favors lower characters if charset doesn't divide evenly into int range.
• Rejection Sampling: Generate random value, reject if outside valid range, repeat. Eliminates bias entirely.
• Fisher-Yates Shuffle: For password shuffling, ensures all permutations equally likely.
• Character Guarantees: Ensure at least one from each selected type. Naive approach: force insert, then shuffle.

Zero-Knowledge Password Proofs

Modern authentication protocols allow proving password knowledge without transmitting it.

• SRP Protocol: Secure Remote Password proves password knowledge via mathematical challenge without revealing it.
• Benefits: Server never sees plaintext password. Even compromised server can't reveal user passwords.
• Implementation: 1Password, ProtonMail use SRP. More complex than traditional hash storage.
• Trade-offs: Requires cryptographic computation client-side. Incompatible with legacy systems.

Password Strength Meters Accuracy

Strength meters provide feedback but vary widely in accuracy and methodology.

• Naive Meters: Count character types and length. Miss patterns like "Password1!" which meets rules but weak.
• zxcvbn (Dropbox): Sophisticated meter detecting patterns, dictionary words, keyboard patterns, date sequences.
• Crack Time Estimation: Estimates time to crack based on likely attack methods (dictionary → brute force).
• User Psychology: Meters influence user behavior. Aggressive rejection improves security but frustrates users.