Advertisement
AppVitamins Fleet

Password Generator

Strong passwords, passphrases, a realistic strength checker & a data-breach lookup — generation runs 100% on your device

Password Options
20

Quick presets:
Strength Meter
— bits
Pool size: —  |  Length: —
Estimate at 10 billion guesses/second — actual security depends on hashing algorithm used.
Advertisement
Check an Existing Password
Generate Multiple Passwords
⚡ Pro Power Pack

The generator, strength checker and breach check above are free forever. Pro adds power-user tools for people who make a lot of passwords:

  • Policy rules — force a minimum number of digits, symbols and capitals (to satisfy strict sites), and forbid repeats & sequences.
  • Labelled batch + export — generate many at once, tag each with a site name, and export to CSV, TXT or JSON.
  • Saved list — keep generated passwords on this device, with one-file backup & restore.
Get Pro →

Want to try first? Use demo code AV-PASSWORD-GEN-DEMO to preview every Pro feature on this device.

🔒
Bitwarden

Free, open-source password manager to store all your generated passwords securely.

Try Bitwarden Free
🌐
NordVPN

Protect your accounts with encrypted browsing — essential for public Wi-Fi.

Get NordVPN
🔉
DeleteMe

Remove your personal data from data brokers to reduce targeted attack risk.

Remove My Data

Why Your Passwords Probably Are Not Strong Enough

Most people underestimate how fast modern computers can guess passwords. A GPU cluster can attempt 10 billion guesses per second against a plaintext or weakly-hashed password database. An 8-character password using only letters and numbers offers about 41 bits of entropy — crackable in under two hours. Adding symbols and increasing length to 12 characters jumps to 79 bits — hundreds of years of cracking time. The difference between weak and strong is just a few more characters.

This password generator uses the browser's built-in cryptographic random number generator (crypto.getRandomValues) to produce passwords with genuine randomness — not the weaker Math.random() function used by many sites. A rejection-sampling algorithm eliminates modulo bias, so every character in the pool is equally likely to appear.

Passphrases — Strong Passwords You Can Actually Remember

A passphrase is a sequence of random words: "Coral-Tribe-Wafer-Snack-Pilot." It is longer than a typical password, making it very hard to crack, yet memorable because words are meaningful to humans. The passphrase generator uses the EFF Short Wordlist, a curated set of 1,296 common English words chosen for memorability and clarity.

Five words from this list yields 51.7 bits of entropy. Six words reach 62 bits — stronger than most 10-character random passwords. Add a number suffix and you exceed 68 bits. Eight words gives 82.7 bits, putting your passphrase in the Very Strong tier with billions of years of estimated crack time even for well-funded attackers.

Understanding the Strength Meter

The strength meter shows entropy in bits — a direct mathematical measure of randomness. More bits means exponentially more guesses required. The formula is simple: H = L × log₂(R), where L is the password length and R is the size of the character pool. A 16-character password using all four character classes has a pool of 94 characters: 16 × log₂(94) = 16 × 6.555 = 104.9 bits of entropy. That requires roughly 1021 guesses — billions of years at 10 billion guesses per second.

The meter assumes a brute-force attack. Real-world security also depends on your service's hashing algorithm: bcrypt and Argon2 slow attackers dramatically; MD5 does not. Always prefer services that store passwords with modern, slow hashing functions.

Character Classes and Pool Sizes Explained

Lowercase letters alone give a pool of 26. Add uppercase and you reach 52. Add digits for 62. Include symbols and the pool grows to 94 printable ASCII characters. Each additional character class significantly increases the entropy per character. The "exclude ambiguous" option removes O, 0, l, 1, and I — reducing the pool slightly but preventing transcription errors when you must type a password by hand.

The symbol set defaults to 22 common keyboard symbols safe for most password fields: ! @ # $ % ^ & * ( ) - _ = + [ ] { } ; : ? /. These are broadly accepted across websites and apps without causing parsing or escaping issues.

Check Your Password Against Real Data Breaches

A password can be long and random and still be unsafe if it has already leaked. Attackers rarely start by guessing — they start with "credential stuffing," replaying billions of username and password pairs collected from past breaches. This tool checks any password against the Have I Been Pwned Pwned Passwords database, which holds more than 600 million real leaked passwords. The check uses k-anonymity: your password is hashed with SHA-1 in your browser, and only the first five characters of that hash are sent to the API. The service returns every leaked hash sharing that prefix, and the final match is completed locally — so your actual password never leaves your device. It is the same privacy-preserving method password managers such as Bitwarden and 1Password use.

A Strength Meter That Detects Patterns, Not Just Length

Counting character types is easy to fool: P@ssw0rd1 looks complex but is trivial to crack because it is a dictionary word with predictable substitutions. The strength checker estimates strength the way modern tools (and the well-known zxcvbn library) do — it looks for dictionary words, keyboard walks like "qwerty", number and letter runs like "1234" or "abcd", repeated characters, repeated patterns, and embedded years, then lowers the score and tells you exactly what to fix. Generated random passwords keep their full theoretical entropy because there is nothing predictable to find; only human-chosen passwords get marked down.

One-Tap Presets and a Pro Power Pack

Quick presets configure the generator in a single tap: Max security uses every character class, Easy to read drops ambiguous characters, Easy to type sticks to letters, PIN produces a numeric code, and Memorable switches to passphrase mode. For people who create passwords in volume, the optional Pro Power Pack adds policy-rule generation (guarantee a minimum number of digits, symbols and capitals, and forbid repeats or sequences to satisfy strict corporate password fields), labelled batch generation with CSV, TXT and JSON export, and an on-device saved list with one-file backup and restore. Everything stays in your browser; nothing is uploaded.

More Free Privacy Tools

Like this tool, the rest of the AppVitamins fleet runs in your browser with nothing uploaded. Try the QR Code Generator to share Wi-Fi or links offline, PDF Local Tools to merge and split PDFs privately, or Token Tally to count tokens in AI prompts. You can also browse the AppVitamins store to own the Pro power pack as a one-time purchase or unlock everything with the All-Access pass.

Frequently Asked Questions

Is this password generator safe to use?
Yes. Passwords are generated entirely within your browser using crypto.getRandomValues(), which is the same cryptographic API used by security software. Nothing is transmitted to any server. You can disconnect from the internet and the tool still works. The source code is readable directly in your browser's developer tools.
What is entropy in bits?
Entropy measures unpredictability. Each bit of entropy doubles the number of possible passwords an attacker must try. A password with 60 bits of entropy requires roughly 259 ≈ 576 quadrillion guesses on average. The formula is: entropy = password length × log₂(pool size). Higher is always better — aim for 60+ bits for general use, 80+ for high-value accounts.
Why should I use a passphrase instead of a random password?
Passphrases are easier to remember while remaining mathematically strong. A 6-word passphrase from a 1,296-word list has 62 bits of entropy — comparable to a 10-character random password with all character types — but is far more memorable because it forms a mental image you can visualize. They are ideal for master passwords that you must type without a password manager.
What does "exclude ambiguous characters" mean?
Some characters look similar in certain fonts: the letter O and the number 0, the letter l and the number 1, and the capital letter I. Excluding them prevents transcription errors when you need to type a generated password by hand — for example, into a device that has no clipboard access. The option removes 5 characters from the pool, reducing entropy by a small but calculable amount.
Can I check if my password has been in a data breach?
Yes. Paste a password into the checker (or generate one) and use the breach check. It looks the password up in the Have I Been Pwned database of over 600 million leaked passwords using k-anonymity: your password is hashed locally and only the first five characters of the hash are sent, so the password itself never leaves your browser. If a match is found, choose a different password.
How realistic is the strength estimate?
The checker does more than count character types. It detects dictionary words, keyboard patterns, sequences, repeats and years and reduces the score accordingly, then lists the specific weaknesses it found — similar to the zxcvbn approach used by many password managers. It is an estimate, not a guarantee, so treat it as guidance rather than an exact crack time.
Advertisement