Password Generator — Create Strong Random Passwords
Generate strong, random passwords with uppercase, lowercase, numbers, and symbols.
About Password Generator — Create Strong Random Passwords
Password Generator creates cryptographically secure random passwords using the Web Crypto API. Configure length, character types, and whether to exclude ambiguous characters to generate strong, unique passwords for any purpose.
How to Use
1. Set the password length and toggle character types (uppercase, lowercase, numbers, symbols).
2. Optionally enable "Exclude ambiguous characters" for easier-to-read passwords.
3. Click "Generate" to create a password, then copy it to your password manager.
Features
- Cryptographically secure using window.crypto.getRandomValues()
- Configurable character sets for any password policy requirement
- Generate multiple passwords at once for batch use
- Never sent to any server — complete client-side privacy
Password Entropy and Character Pools
Password strength is a function of unpredictability, which is formally measured as entropy. Understanding how character pools and length contribute to entropy helps you choose appropriate settings for each use case.
How Entropy Is Calculated
Password entropy is calculated as: entropy (bits) = length × log2(character pool size). Each character you add multiplies the total search space by the size of the pool. A 12-character password using only lowercase letters (pool size 26) has approximately 56 bits of entropy — borderline for current attack capabilities. Adding uppercase letters expands the pool to 52, yielding about 68 bits. Including digits (pool 62) gives around 71 bits, and adding symbols (pool ~94) raises this to about 79 bits. Doubling the length from 12 to 24 characters doubles the entropy, reaching 158 bits with a full symbol set — well beyond the reach of any conceivable brute-force attack. The key insight is that length has a larger impact on entropy than character set variety. A 20-character lowercase-only password (94 bits) is harder to crack than a 10-character password with all character types (66 bits).
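As an added example (not this tool's own source code), the following JavaScript shows how a generator built on getRandomValues() can pick characters uniformly from the configured pool, and how the entropy formula above applies to that pool. The function names, option names, the 32-character symbol set and the five-character ambiguous list are assumptions made for the example.

```javascript
// Added example: uniform password generation with the Web Crypto API.
// In a browser this is window.crypto; the fallback lets the same code run in Node.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Assumed character sets; together they form the 94-character pool.
const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", // 32 printable ASCII symbols
};
const AMBIGUOUS = new Set("0O1lI"); // assumed list of look-alike characters

// Build the character pool from the selected options.
function buildPool(opts) {
  let pool = "";
  for (const name of Object.keys(SETS)) if (opts[name]) pool += SETS[name];
  if (opts.excludeAmbiguous) pool = [...pool].filter((c) => !AMBIGUOUS.has(c)).join("");
  if (pool.length === 0) throw new RangeError("select at least one character type");
  return pool;
}

// Rejection sampling: a plain `byte % pool.length` would favour the first
// (256 % pool.length) characters, so bytes at or above the largest multiple
// of pool.length are discarded and fresh random bytes are used instead.
function generatePassword(length, opts) {
  const pool = buildPool(opts);
  const limit = 256 - (256 % pool.length);
  const out = [];
  const buf = new Uint8Array(64);
  while (out.length < length) {
    webCrypto.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(pool[b % pool.length]);
    }
  }
  return out.join("");
}

// entropy (bits) = length × log2(pool size); holds only for uniform random picks.
function entropyBits(length, opts) {
  return length * Math.log2(buildPool(opts).length);
}
```

Excluding ambiguous characters shrinks the pool (94 to 89 with these sets), so the entropy per character drops slightly; one extra character of length more than makes up for it.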
NIST SP 800-63B Password Guidelines
The National Institute of Standards and Technology (NIST) publishes Special Publication 800-63B, "Digital Identity Guidelines: Authentication and Lifecycle Management," which provides authoritative guidance on password policies. Key recommendations include: require a minimum of 8 characters, allow up to at least 64 characters to support passphrases, permit all printable ASCII characters including spaces, check new passwords against lists of commonly used and compromised passwords (such as the HaveIBeenPwned database), and do not require periodic password changes unless there is evidence of compromise. NIST explicitly discourages arbitrary complexity rules such as "must contain at least one uppercase, one digit, and one symbol" because they lead users to choose predictable patterns (e.g., Password1!) that satisfy the rules while being easy to guess. Instead, NIST recommends prioritizing length over complexity rules. This tool follows NIST guidance by allowing flexible character set selection rather than enforcing rigid composition rules.
Password Management Best Practices
Generating a strong password is only the first step. How you store and use passwords determines whether that strength is actually realized in practice.
Using a Password Manager
A password manager stores all your credentials encrypted behind a single master password. This allows you to use a unique, randomly generated password for every account without needing to memorize them. Popular options include Bitwarden (open-source, free tier available), 1Password, Dashlane, and the built-in password managers in browsers and operating systems (Apple Keychain, Google Password Manager). The master password should be a memorable passphrase — four or more random words — rather than a complex short string, since you must type it from memory. Enable two-factor authentication (2FA) on your password manager account using an authenticator app or hardware key for an additional layer of protection. Never store passwords in plain text files, spreadsheets, or notes apps, which lack encryption and are frequently synced to unencrypted cloud storage.
Unique Passwords and Breach Protection
Credential stuffing attacks take username-password pairs leaked from one breached service and automatically test them against hundreds of other sites. If you reuse the same password across multiple accounts, a single breach can cascade into a full account takeover across your digital life. Using a unique, randomly generated password for every account completely eliminates this risk — even if one site is breached, the exposed credentials are useless everywhere else. Services like HaveIBeenPwned (haveibeenpwned.com) allow you to check whether your email address or specific passwords have appeared in known data breaches. Many password managers integrate this check automatically and alert you when stored credentials are found in newly disclosed breaches. Prioritize changing passwords for financial, email, and identity-related accounts first when a breach notification is received.
FAQ
- How strong are the generated passwords?
- Very strong. The generator uses the browser's cryptographically secure random number generator. A 16-character password with all character types has over 95^16 possible combinations.
- Should I save these passwords somewhere?
- Yes. Use a password manager like Bitwarden, 1Password, or your OS keychain to store generated passwords securely.
- Why avoid ambiguous characters?
- Characters like 0/O, l/1/I look similar in many fonts and cause errors when typed manually. Excluding them makes passwords easier to transcribe.
- How long should a generated password be?
- For accounts protected by standard password hashing: 12 characters is the minimum recommended, 16 is good, and 20+ is excellent. Longer passwords are exponentially harder to brute-force regardless of character variety. For critical accounts (password manager master password, email, banking): use 20+ characters or a 4–6 word passphrase. Password managers can store any length, so there is no practical reason to use short passwords when a manager is available.
- Should I use all character types (uppercase, lowercase, numbers, symbols)?
- Including all character types increases the character pool and thus the entropy per character, but length matters more than variety. A 20-character all-lowercase password has more entropy than a 10-character mixed-type password. That said, many websites have minimum complexity requirements (at least one uppercase, one number, one symbol), so using all types ensures compatibility. For maximum security with a fixed length, use all character types. For a passphrase, length alone provides excellent security.