Pattern-aware estimate: dictionary words, sequences, repeats, keyboard runs and dates are penalised, so it is more realistic than raw character math. The optional breach check uses Have I Been Pwned via k-anonymity — only the first 5 characters of a hash are sent, never your password.
The generator, strength checker and breach check above are free forever. Pro adds power-user tools for people who make a lot of passwords:
- Policy rules — force a minimum number of digits, symbols and capitals (to satisfy strict sites), and forbid repeats & sequences.
- Labelled batch + export — generate many at once, tag each with a site name, and export to CSV, TXT or JSON.
- Saved list — keep generated passwords on this device, with one-file backup & restore.
Want to try first? Use demo code AV-PASSWORD-GEN-DEMO to preview every Pro feature on this device.
Why Your Passwords Probably Are Not Strong Enough
Most people underestimate how fast modern computers can guess passwords. A GPU cluster can attempt 10 billion guesses per second against a plaintext or weakly-hashed password database. An 8-character password using only letters and numbers offers about 41 bits of entropy — crackable in under two hours. Adding symbols and increasing length to 12 characters jumps to 79 bits — hundreds of years of cracking time. The difference between weak and strong is just a few more characters.
This password generator uses the browser's built-in cryptographic random number generator
(crypto.getRandomValues) to produce passwords with genuine randomness — not the weaker
Math.random() function used by many sites. A rejection-sampling algorithm eliminates
modulo bias, so every character in the pool is equally likely to appear.
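The rejection-sampling step described above, as an added example (not this tool's own source code). The names `rejectionLimit`, `bucketSizes`, `generatePassword` and `POOL` are assumptions made for illustration; `bucketSizes` shows the bias that a plain `byte % 94` would have and that discarding high bytes removes.

```javascript
// WebCrypto is a global in browsers; the fallback lets the example run in older Node.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// 94 printable ASCII characters (codes 33..126): the "all four classes" pool.
const POOL = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i));

// Largest multiple of poolSize that fits in the 256 values of one byte.
// Bytes at or above it are thrown away, so `byte % poolSize` is exactly uniform.
function rejectionLimit(poolSize) {
  if (!Number.isInteger(poolSize) || poolSize < 1 || poolSize > 256) {
    throw new RangeError('poolSize must be an integer in 1..256');
  }
  return 256 - (256 % poolSize);
}

// How many byte values below `limit` map to each pool index.
// limit = 256 models the naive `byte % poolSize` with no rejection.
function bucketSizes(poolSize, limit = 256) {
  const buckets = new Array(poolSize).fill(0);
  for (let b = 0; b < limit; b++) buckets[b % poolSize]++;
  return buckets;
}

function generatePassword(length, pool = POOL) {
  const limit = rejectionLimit(pool.length);
  // Over-allocate a little: some bytes will be rejected.
  const bytes = new Uint8Array(Math.min(65536, Math.max(16, length * 2)));
  const chars = [];
  while (chars.length < length) {
    webCrypto.getRandomValues(bytes);
    for (const b of bytes) {
      if (b < limit && chars.length < length) chars.push(pool[b % pool.length]);
    }
  }
  return chars.join('');
}
```

With a 94-character pool the naive mapping gives the first 68 characters three byte values each and the remaining 26 only two; with the limit applied every character gets exactly two.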
Passphrases — Strong Passwords You Can Actually Remember
A passphrase is a sequence of random words: "Coral-Tribe-Wafer-Snack-Pilot." It is longer than a typical password, making it very hard to crack, yet memorable because words are meaningful to humans. The passphrase generator uses the EFF Short Wordlist, a curated set of 1,296 common English words chosen for memorability and clarity.
Five words from this list yields 51.7 bits of entropy. Six words reach 62 bits — stronger than most 10-character random passwords. Add a number suffix and you exceed 68 bits. Eight words gives 82.7 bits, putting your passphrase in the Very Strong tier with billions of years of estimated crack time even for well-funded attackers.
Understanding the Strength Meter
The strength meter shows entropy in bits — a direct mathematical measure of randomness. More bits means exponentially more guesses required. The formula is simple: H = L × log₂(R), where L is the password length and R is the size of the character pool. A 16-character password using all four character classes has a pool of 94 characters: 16 × log₂(94) = 16 × 6.555 = 104.9 bits of entropy. That requires roughly 10²¹ guesses — billions of years at 10 billion guesses per second.
The meter assumes a brute-force attack. Real-world security also depends on your service's hashing algorithm: bcrypt and Argon2 slow attackers dramatically; MD5 does not. Always prefer services that store passwords with modern, slow hashing functions.
Character Classes and Pool Sizes Explained
Lowercase letters alone give a pool of 26. Add uppercase and you reach 52. Add digits for 62. Include symbols and the pool grows to 94 printable ASCII characters. Each additional character class significantly increases the entropy per character. The "exclude ambiguous" option removes O, 0, l, 1, and I — reducing the pool slightly but preventing transcription errors when you must type a password by hand.
The symbol set defaults to 22 common keyboard symbols safe for most password fields:
! @ # $ % ^ & * ( ) - _ = + [ ] { } ; : ? /. These are broadly accepted across
websites and apps without causing parsing or escaping issues.
Check Your Password Against Real Data Breaches
A password can be long and random and still be unsafe if it has already leaked. Attackers rarely start by guessing — they start with "credential stuffing," replaying billions of username and password pairs collected from past breaches. This tool checks any password against the Have I Been Pwned Pwned Passwords database, which holds more than 600 million real leaked passwords. The check uses k-anonymity: your password is hashed with SHA-1 in your browser, and only the first five characters of that hash are sent to the API. The service returns every leaked hash sharing that prefix, and the final match is completed locally — so your actual password never leaves your device. It is the same privacy-preserving method password managers such as Bitwarden and 1Password use.
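The k-anonymity exchange described above, as an added example (not this tool's own source code). The function names are assumptions, `fetchRange` is a hypothetical callback standing in for the HTTPS request, and `SAMPLE_RANGE_BODY` is a constructed response so the block runs offline.

```javascript
// WebCrypto is a global in browsers; the fallback lets the example run in older Node.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// SHA-1 of the UTF-8 password as 40 uppercase hex characters, computed locally.
async function sha1Hex(password) {
  const digest = await webCrypto.subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Only `prefix` (5 hex characters) ever goes into a request; `suffix` stays local.
function splitHash(hashHex) {
  if (!/^[0-9A-F]{40}$/.test(hashHex)) throw new Error('expected 40 uppercase hex characters');
  return { prefix: hashHex.slice(0, 5), suffix: hashHex.slice(5) };
}

// The range response is one "SUFFIX:COUNT" per line. Padded responses carry
// zero-count filler entries, which correctly come back as "not breached".
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) return parseInt(count, 10) || 0;
  }
  return 0;
}

// CONSTRUCTED sample response for prefix 5BAA6 (counts and filler suffixes are made up).
const SAMPLE_RANGE_BODY = [
  '0'.repeat(34) + 'A:4',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12',
  '0'.repeat(34) + 'B:0',
].join('\r\n');

// fetchRange(prefix) is supplied by the caller; in a browser it would GET
// https://api.pwnedpasswords.com/range/<prefix> and return the response text.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  const body = await fetchRange(prefix);
  return { sentToServer: prefix, breachCount: countInRange(suffix, body) };
}
```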
A Strength Meter That Detects Patterns, Not Just Length
Counting character types is easy to fool: P@ssw0rd1 looks complex but is trivial to crack
because it is a dictionary word with predictable substitutions. The strength checker estimates strength
the way modern tools (and the well-known zxcvbn library) do — it looks for dictionary words, keyboard
walks like "qwerty", number and letter runs like "1234" or "abcd", repeated characters, repeated
patterns, and embedded years, then lowers the score and tells you exactly what to fix. Generated random
passwords keep their full theoretical entropy because there is nothing predictable to find; only
human-chosen passwords get marked down.
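A minimal pattern detector covering the checks listed above, as an added example (not this tool's code and not zxcvbn). The word list, keyboard rows and substitution table are tiny illustrative assumptions; real checkers use much larger data.

```javascript
// Tiny illustrative tables (assumptions); a real checker ships far larger lists.
const WORDS = ['password', 'welcome', 'dragon', 'monkey', 'letmein'];
const KEY_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm'];
const LEET = { '@': 'a', '4': 'a', '0': 'o', '1': 'l', '!': 'i', '3': 'e', '$': 's', '5': 's', '7': 't' };

// True if s contains `len` consecutive characters stepping by +1 or -1 (abcd, 4321).
function hasSequence(s, len = 4) {
  for (let i = 0; i + len <= s.length; i++) {
    const step = s.charCodeAt(i + 1) - s.charCodeAt(i);
    if (Math.abs(step) !== 1 || !/^[a-z0-9]+$/.test(s.slice(i, i + len))) continue;
    let ok = true;
    for (let j = i + 1; j < i + len - 1; j++) {
      if (s.charCodeAt(j + 1) - s.charCodeAt(j) !== step) ok = false;
    }
    if (ok) return true;
  }
  return false;
}

// True if any `len` adjacent characters lie along one keyboard row, in either direction.
function hasKeyboardWalk(s, len = 4) {
  const rows = KEY_ROWS.flatMap(r => [r, [...r].reverse().join('')]);
  for (let i = 0; i + len <= s.length; i++) {
    if (rows.some(r => r.includes(s.slice(i, i + len)))) return true;
  }
  return false;
}

// Returns the list of predictable patterns found; an empty list means none detected.
function findPatterns(password) {
  const lower = password.toLowerCase();
  // Undo common substitutions so "p@ssw0rd" is compared as "password".
  const unleeted = lower.replace(/[@40!13$57]/g, c => LEET[c]);
  const found = [];
  for (const w of WORDS) {
    if (lower.includes(w)) found.push(`dictionary word "${w}"`);
    else if (unleeted.includes(w)) found.push(`dictionary word "${w}" with substitutions`);
  }
  if (hasKeyboardWalk(lower)) found.push('keyboard walk');
  if (hasSequence(lower)) found.push('letter or number run');
  if (/(.)\1{2,}/.test(lower)) found.push('repeated character');
  if (/(.{2,})\1/.test(lower)) found.push('repeated pattern');
  if (/(19|20)\d{2}/.test(lower)) found.push('embedded year');
  return found;
}
```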
One-Tap Presets and a Pro Power Pack
Quick presets configure the generator in a single tap: Max security uses every character class, Easy to read drops ambiguous characters, Easy to type sticks to letters, PIN produces a numeric code, and Memorable switches to passphrase mode. For people who create passwords in volume, the optional Pro Power Pack adds policy-rule generation (guarantee a minimum number of digits, symbols and capitals, and forbid repeats or sequences to satisfy strict corporate password fields), labelled batch generation with CSV, TXT and JSON export, and an on-device saved list with one-file backup and restore. Everything stays in your browser; nothing is uploaded.
More Free Privacy Tools
Like this tool, the rest of the AppVitamins fleet runs in your browser with nothing uploaded. Try the QR Code Generator to share Wi-Fi or links offline, PDF Local Tools to merge and split PDFs privately, or Token Tally to count tokens in AI prompts. You can also browse the AppVitamins store to own the Pro power pack as a one-time purchase or unlock everything with the All-Access pass.
Frequently Asked Questions
Is this password generator safe to use?
crypto.getRandomValues(),
which is the same cryptographic API used by security software. Nothing is transmitted to any server.
You can disconnect from the internet and the tool still works. The source code is readable directly
in your browser's developer tools.
What is entropy in bits?
Why should I use a passphrase instead of a random password?
What does "exclude ambiguous characters" mean?
Can I check if my password has been in a data breach?
How realistic is the strength estimate?