Password Generator Online — Create Strong Random Passwords Free
A password generator creates cryptographically random passwords to a specification you control — length, uppercase, lowercase, numbers, symbols. The result is a password with enough entropy to resist brute-force attacks for years. The free password generator on PublicSoftTools generates passwords locally in your browser using the Web Cryptography API — they are never sent to a server.
Password Strength by Length and Character Set
| Length / type | Character set | Entropy (bits) | Estimated crack time | Verdict |
|---|---|---|---|---|
| 8 characters | Lowercase only (26) | 38 bits | Seconds to minutes | Dangerously weak |
| 8 characters | Alphanumeric (62) | 48 bits | Minutes to hours | Weak — below minimum |
| 10 characters | Full (95 chars) | 66 bits | Months to years | Marginal — upgrade |
| 12 characters | Full (95 chars) | 79 bits | Thousands of years | Acceptable minimum |
| 16 characters | Full (95 chars) | 105 bits | Trillions of years | Strong — recommended |
| 20 characters | Full (95 chars) | 131 bits | Effectively impossible | Excellent — for critical accounts |
| 5 random words (passphrase) | Diceware (7776 words) | ~65 bits | Billions of years | Strong and memorable |
| 7 random words (passphrase) | Diceware (7776 words) | ~90 bits | Effectively impossible | Excellent and memorable |
How to Use the Password Generator
- Open the password generator.
- Set the length. Use the slider to choose password length. 16 characters minimum for most accounts; 20+ for financial, email, and admin accounts.
- Choose character sets. Toggle uppercase (A–Z), lowercase (a–z), numbers (0–9), and symbols (!@#$%^&*). Include all four for maximum strength unless the service has restrictions.
- Generate. Click Generate to create a new random password. Click again to regenerate.
- Copy and save. Copy and immediately paste into your password manager. Do not save in plain text documents or emails.
What Makes a Password Strong
Password strength is measured by entropy — the number of possible combinations an attacker must try to guess the password by brute force. Entropy is calculated as: bits = log₂(character_set_size^length) = length × log₂(character_set_size).
Practical implications:
- A 16-character lowercase-only password has 26¹⁶ ≈ 4.4 × 10²² combinations — more than sufficient
- An 8-character full-character-set password has 95⁸ ≈ 6.6 × 10¹⁵ combinations — crackable in hours with modern hardware
- Length multiplies entropy linearly; adding character types multiplies it logarithmically
- The practical lesson: length is more important than complexity — a 20-character lowercase random string beats a 10-character complex password
Common Password Mistakes
| Mistake | Example | Risk | Fix |
|---|---|---|---|
| Using personal information | name1990!, dog+birthday, pet+street | Targeted guessing by someone who knows you; OSINT attacks from social media | Use a generator — random passwords have no personal connection |
| Password reuse | Same password on Gmail, banking, and Amazon | Single breach compromises all accounts (credential stuffing). 65%+ of breaches involve reused credentials. | Unique generated password for every account — use a password manager to store them |
| Predictable patterns | Password1!, Welcome2024, P@ssw0rd | These are in every attacker's dictionary. Complexity requirements met without security benefit. | Random characters — no dictionary words, no substitutions like @ for a |
| Short passwords with symbols | P@ss!9 (6 chars) | Short passwords are cracked fast regardless of character set. 6-char all-symbol can still be cracked. | Length beats complexity — 16 random lowercase > 8 complex characters |
| Writing passwords down insecurely | Sticky note on monitor, .txt file on desktop | Physical or digital access exposes all credentials at once | Use a password manager with strong master passphrase + 2FA |
| Sharing passwords | Emailing password to colleague, sharing Netflix login via text | Transmission interception; credential now outside your control | Use built-in sharing in password manager (Bitwarden, 1Password) — encrypted, permission-controlled |
Passphrases vs. Random Character Passwords
A passphrase is a sequence of random words: correct-horse-battery-staple, violet-lamp-seven-ocean-table. Advantages:
- Memorable without writing down: 4–5 random words are much easier to recall than r8#Kz!mQxL
- High entropy: 5 random words from a 7,776-word diceware list = 7,776⁵ combinations ≈ 2.8 × 10¹⁹ — more secure than most character-based passwords of moderate length
- Resistant to keyboard walk attacks: Patterns like qwerty123, asdfghjk are in every attacker dictionary; random words are not
- Better for master passwords: Your password manager master password should be a passphrase you can type from memory — use 6–7 words for excellent security
The recommendation: use random character passwords (generated here) for regular accounts stored in your password manager; use a passphrase for your password manager master password and any other password you must memorise.
Using a Password Manager
You cannot memorise 50+ unique 20-character passwords. A password manager solves this:
- Bitwarden (free): Open-source, cloud-sync, audited. Free tier covers unlimited passwords across devices. One of the most recommended managers.
- 1Password: Excellent UX; family and team sharing; Travel Mode. Subscription-based.
- KeePass (free): Open-source, local storage only (you control your data). No cloud sync by default.
- Apple Keychain / Google Password Manager: Built into iOS/macOS and Android/Chrome. Good for users within those ecosystems. Less portable.
A good password manager:
- Generates strong passwords for new accounts
- Autofills on login — no typing, resistant to keyloggers
- Flags reused and weak passwords in your vault
- Alerts you when sites you use are breached (Have I Been Pwned integration)
- Works across all your devices
The password strength checker can help you audit existing passwords to find weak or reused ones before migrating to a manager.
Two-Factor Authentication: The Second Layer
Even the strongest password can be phished or stolen in a data breach. Two-factor authentication (2FA) adds a second verification step that attackers cannot use without your physical device:
- TOTP authenticator apps: Google Authenticator, Authy, Microsoft Authenticator. 6-digit codes that change every 30 seconds. Much more secure than SMS codes.
- Hardware security keys (FIDO2/U2F): YubiKey, Google Titan Key. Physical device that must be present. Most secure option — resistant to phishing.
- SMS / email 2FA: Better than nothing but weakest form — SIM swapping attacks can bypass SMS codes.
- Passkeys: The emerging replacement for passwords — cryptographic key pairs stored on device; phishing-proof; supported by Apple, Google, Microsoft, and major sites.
Enable 2FA on: email accounts (highest priority — email is the recovery method for everything else), banking and financial accounts, password manager, social media, and any account storing sensitive data.
NIST Password Guidance: What Security Agencies Now Recommend
NIST SP 800-63B (the US standard for digital identity authentication) revised password guidance based on research into actual attacker behaviour:
- Do not require periodic password changes unless there is evidence of compromise — forced rotation leads to weaker passwords (password1 → password2)
- Do not require complex composition rules (e.g., must contain uppercase, number, symbol) — these produce predictable patterns (Password1!, Welcome2024) rather than genuine randomness
- Do require minimum 8 characters — ideally support longer passwords up to 64+ characters
- Check against known compromised passwords — reject passwords found in breach databases (e.g., "123456", "password")
- Allow all printable characters including spaces (for passphrases) — do not arbitrarily restrict character sets
The practical implication: a long, randomly generated password that never changes is more secure than a moderately complex password changed every 90 days.
Common Questions
Is it safe to generate passwords in a browser?
This generator uses the Web Cryptography API (window.crypto.getRandomValues()) — the browser's built-in cryptographically secure random number generator. The password is generated entirely locally in your browser and is never transmitted to any server. It is safe to use on a trusted device on a trusted network. The generator has no server-side component, no analytics tracking of passwords, and no logging.
Should I avoid certain characters?
Some websites reject certain special characters — particularly quotes (' "), backslashes (\), angle brackets (< >), or non-ASCII characters. If a generated password is rejected at signup, regenerate without symbols or toggle only safe symbols (!@#$%^&*). Most reputable services accept all printable ASCII characters — poor character restrictions are a sign of weak input sanitisation, which is itself a security concern.
How often should I change my password?
Per NIST SP 800-63B: change a password when (1) you know or suspect it has been compromised, (2) the service reports a data breach affecting your account, (3) you have shared it with someone who no longer needs access, or (4) it is weak or reused and you are migrating to a manager. Do not change passwords on a fixed schedule without these triggers — routine rotation without cause produces weaker passwords, not stronger ones.
Generate a Secure Password
Create a cryptographically random password with your choice of length and character set — generated locally in your browser and never sent to a server.
Open Password Generator