PublicSoftTools
Tools16 min read·PublicSoftTools Team·May 2026

Password Generator Online — Create Strong Random Passwords Free

A password generator creates cryptographically random passwords to a specification you control — length, uppercase, lowercase, numbers, symbols. The result is a password with enough entropy to resist brute-force attacks for years. The free password generator on PublicSoftTools generates passwords locally in your browser using the Web Cryptography API — they are never sent to a server.

Password Strength by Length and Character Set

Length / typeCharacter setEntropy (bits)Estimated crack timeVerdict
8 charactersLowercase only (26)38 bitsSeconds to minutesDangerously weak
8 charactersAlphanumeric (62)48 bitsMinutes to hoursWeak — below minimum
10 charactersFull (95 chars)66 bitsMonths to yearsMarginal — upgrade
12 charactersFull (95 chars)79 bitsThousands of yearsAcceptable minimum
16 charactersFull (95 chars)105 bitsTrillions of yearsStrong — recommended
20 charactersFull (95 chars)131 bitsEffectively impossibleExcellent — for critical accounts
5 random words (passphrase)Diceware (7776 words)~65 bitsBillions of yearsStrong and memorable
7 random words (passphrase)Diceware (7776 words)~90 bitsEffectively impossibleExcellent and memorable

How to Use the Password Generator

  1. Open the password generator.
  2. Set the length. Use the slider to choose password length. 16 characters minimum for most accounts; 20+ for financial, email, and admin accounts.
  3. Choose character sets. Toggle uppercase (A–Z), lowercase (a–z), numbers (0–9), and symbols (!@#$%^&*). Include all four for maximum strength unless the service has restrictions.
  4. Generate. Click Generate to create a new random password. Click again to regenerate.
  5. Copy and save. Copy and immediately paste into your password manager. Do not save in plain text documents or emails.

What Makes a Password Strong

Password strength is measured by entropy — the number of possible combinations an attacker must try to guess the password by brute force. Entropy is calculated as: bits = log₂(character_set_size^length) = length × log₂(character_set_size).

Practical implications:

Common Password Mistakes

MistakeExampleRiskFix
Using personal informationname1990!, dog+birthday, pet+streetTargeted guessing by someone who knows you; OSINT attacks from social mediaUse a generator — random passwords have no personal connection
Password reuseSame password on Gmail, banking, and AmazonSingle breach compromises all accounts (credential stuffing). 65%+ of breaches involve reused credentials.Unique generated password for every account — use a password manager to store them
Predictable patternsPassword1!, Welcome2024, P@ssw0rdThese are in every attacker's dictionary. Complexity requirements met without security benefit.Random characters — no dictionary words, no substitutions like @ for a
Short passwords with symbolsP@ss!9 (6 chars)Short passwords are cracked fast regardless of character set. 6-char all-symbol can still be cracked.Length beats complexity — 16 random lowercase > 8 complex characters
Writing passwords down insecurelySticky note on monitor, .txt file on desktopPhysical or digital access exposes all credentials at onceUse a password manager with strong master passphrase + 2FA
Sharing passwordsEmailing password to colleague, sharing Netflix login via textTransmission interception; credential now outside your controlUse built-in sharing in password manager (Bitwarden, 1Password) — encrypted, permission-controlled

Passphrases vs. Random Character Passwords

A passphrase is a sequence of random words: correct-horse-battery-staple, violet-lamp-seven-ocean-table. Advantages:

The recommendation: use random character passwords (generated here) for regular accounts stored in your password manager; use a passphrase for your password manager master password and any other password you must memorise.

Using a Password Manager

You cannot memorise 50+ unique 20-character passwords. A password manager solves this:

A good password manager:

The password strength checker can help you audit existing passwords to find weak or reused ones before migrating to a manager.

Two-Factor Authentication: The Second Layer

Even the strongest password can be phished or stolen in a data breach. Two-factor authentication (2FA) adds a second verification step that attackers cannot use without your physical device:

Enable 2FA on: email accounts (highest priority — email is the recovery method for everything else), banking and financial accounts, password manager, social media, and any account storing sensitive data.

NIST Password Guidance: What Security Agencies Now Recommend

NIST SP 800-63B (the US standard for digital identity authentication) revised password guidance based on research into actual attacker behaviour:

The practical implication: a long, randomly generated password that never changes is more secure than a moderately complex password changed every 90 days.

Common Questions

Is it safe to generate passwords in a browser?

This generator uses the Web Cryptography API (window.crypto.getRandomValues()) — the browser's built-in cryptographically secure random number generator. The password is generated entirely locally in your browser and is never transmitted to any server. It is safe to use on a trusted device on a trusted network. The generator has no server-side component, no analytics tracking of passwords, and no logging.

Should I avoid certain characters?

Some websites reject certain special characters — particularly quotes (' "), backslashes (\), angle brackets (< >), or non-ASCII characters. If a generated password is rejected at signup, regenerate without symbols or toggle only safe symbols (!@#$%^&*). Most reputable services accept all printable ASCII characters — poor character restrictions are a sign of weak input sanitisation, which is itself a security concern.

How often should I change my password?

Per NIST SP 800-63B: change a password when (1) you know or suspect it has been compromised, (2) the service reports a data breach affecting your account, (3) you have shared it with someone who no longer needs access, or (4) it is weak or reused and you are migrating to a manager. Do not change passwords on a fixed schedule without these triggers — routine rotation without cause produces weaker passwords, not stronger ones.

Generate a Secure Password

Create a cryptographically random password with your choice of length and character set — generated locally in your browser and never sent to a server.

Open Password Generator