Password Generator + Strength Meter — Crypto-Safe + Passphrase Mode
Generate strong random passwords 4-128 chars with crypto.getRandomValues + zxcvbn strength meter estimating crack time. EFF-style passphrase mode: 4-12 random words, easier to remember. 100% client-side, no logging.
Why use this tool
Math.random() is NOT crypto-safe: its output becomes predictable after enough consecutive samples. The tool uses Web Crypto crypto.getRandomValues, which draws on OS-level randomness.
Dropbox's zxcvbn lib scores 0-4 + estimates crack time at 10 guess/sec online. Beyond simplistic 'has a symbol = strong'.
4 random words with separator — entropy equivalent to a 12-char random password but easier to remember + faster to type. Diceware methodology.
How to use
1. Pick Password (random chars) or Passphrase (word chain).
2. Password: length 4-128, toggle lower/upper/digit/symbol, and optionally exclude ambiguous characters (I, l, 1, O, 0).
3. Passphrase: 3-12 words, a separator (- / _ / space), optional capitalization and an added number.
4. Click Generate. The strength meter and crack time estimate update in real time.
How to generate strong passwords
Weak passwords are the root cause of 80%+ of data breaches. Per Verizon DBIR 2024, credential stuffing and password reuse remain the #1 attack vector. This tool applies 2025 best practice: randomness from a crypto-safe source, a default length >= 16, and passphrase support for passwords humans must remember.
Why crypto.getRandomValues matters: JS's Math.random() is implemented via Mersenne Twister or Xorshift — predictable after roughly 624 consecutive samples. Web Crypto crypto.getRandomValues pulls entropy from the OS (hardware noise / TPM / /dev/urandom) — unpredictable.
Passphrase vs password: 4 words drawn from the EFF wordlist (~7,776 words) give ~51 bits of entropy, equivalent to an 8-char random alphanumeric password. 6 words give 77 bits, equivalent to a 13-char random one. Passphrases are ~10x easier to remember. Recommended for master passwords (email, password manager).
Zxcvbn (Dropbox, 2012, still maintained) scores more intelligently than 'has a number + a symbol = strong'. It detects patterns ('password123' = 'pass' + 'word' + '123' → weak), substitutions ('p@ssw0rd' ≈ 'password' → weak), common phrases, l33tspeak, sequences, and repeats. It estimates crack time under 4 scenarios (offline fast/slow hash, online unthrottled/throttled).
- ✓ crypto.getRandomValues (Web Crypto)
- ✓ Length 4-128
- ✓ 4 charset toggles
- ✓ Exclude ambiguous chars
- ✓ Passphrase 3-12 EFF-style words
- ✓ Zxcvbn 0-4 strength meter
- ✓ Crack time estimate
- ✓ 100% client-side, no logging
FAQ
Does the password get sent to a server?
NO. It is generated 100% in your browser via crypto.getRandomValues; the server never sees the password. You can disconnect from the internet after the page loads and the tool still works.
Why is my 8-char password 'Weak'?
The displayed estimate assumes an online attack at 10 guesses/sec, where a random 8-char password takes roughly days. An offline attack with GPUs (10B guesses/sec) cracks it in seconds. Use >= 12-16 chars for production.
Is a 4-word passphrase really strong?
Yes, if the words are truly random picks from a large list. 4 × log2(7776) ≈ 51 bits, enough against online attacks for decades. Use up to 6 words for master passwords.
Are symbols really necessary in a password?
Symbols increase entropy but hurt usability (slow to type on mobile). 2025 best practice: a 20-char alphanumeric password beats a 10-char one with symbols. Length matters more than complexity.