Password Generator
Secure random passwords
About This Calculator
A secure password uses a mix of uppercase, lowercase, numbers, and symbols, is at least 12 characters long, and is unique to each account. Password generators use a cryptographically secure random number generator (CSPRNG) to ensure unpredictability.
Formula
Entropy (bits) = log2(charset_size ^ length) = length * log2(charset_size)
12 chars from 94-char set: log2(94^12) ≈ 78 bits entropy (very strong)
Each additional character adds log2(charset_size) ≈ 6.5 bits with full ASCII
Example Calculation
12-character password using 94 printable ASCII characters
- Entropy = 12 * log2(94) = 12 * 6.555 = 78.7 bits
- At 10^12 guesses/second, would take ~120 million years to crack
78.7 bits entropy — considered very strong
Password Entropy by Length and Charset
| Length | Lowercase only (26) | + Uppercase (52) | Full ASCII (94) |
|---|---|---|---|
| 8 | 37.6 bits | 45.6 bits | 52.4 bits |
| 10 | 47.0 bits | 57.0 bits | 65.5 bits |
| 12 | 56.4 bits | 68.4 bits | 78.7 bits |
| 16 | 75.2 bits | 91.2 bits | 104.9 bits |
| 20 | 94.0 bits | 114.0 bits | 131.1 bits |
Frequently Asked Questions
How long should a password be?
At minimum 12 characters for important accounts. 16+ characters is recommended. Length increases entropy faster than character variety — a 20-character lowercase-only password is stronger than an 8-character mixed-case password.
Should I use a passphrase instead of a random password?
Passphrases (e.g. 'correct horse battery staple') are easier to remember and can be very strong. A 4-word passphrase from a 7,776-word list has ~51 bits of entropy — comparable to a 10-char random password. Use passphrases where memorability matters.
What makes a random number generator 'cryptographically secure'?
A CSPRNG produces output that is statistically indistinguishable from true randomness and cannot be predicted even if previous outputs are known. It uses sources of system entropy (hardware events, OS noise). JavaScript's crypto.getRandomValues() and Python's secrets module are CSPRNGs.
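The following Python sketch is an added example, not this calculator's own code: it draws every symbol from the `secrets` CSPRNG and reports entropy with the formula above, treating a passphrase as a "password" whose symbols are words. The function names and the 8-word list are assumptions made for illustration.

```python
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII characters (space excluded).
FULL_ASCII = string.ascii_letters + string.digits + string.punctuation

def entropy_bits(length: int, charset_size: int) -> float:
    """length * log2(charset_size); holds only for uniform, independent picks."""
    if length < 0 or charset_size < 2:
        raise ValueError("need length >= 0 and at least 2 symbols")
    return length * math.log2(charset_size)

def min_length(target_bits: float, charset_size: int) -> int:
    """Smallest length whose entropy is at least target_bits."""
    if charset_size < 2:
        raise ValueError("need at least 2 symbols")
    length = math.ceil(target_bits / math.log2(charset_size))
    # Guard against floating-point rounding at exact boundaries.
    while entropy_bits(length, charset_size) < target_bits:
        length += 1
    return length

def generate(length: int, symbols=FULL_ASCII, sep: str = "") -> tuple[str, float]:
    """Return (secret, entropy in bits). `symbols` may be a string of characters
    or a list of words, so one routine covers passwords and passphrases."""
    # Duplicates would skew the distribution and overstate entropy: drop them.
    unique = list(dict.fromkeys(symbols))
    # secrets.choice draws from the OS CSPRNG without modulo bias.
    picks = [secrets.choice(unique) for _ in range(length)]
    return sep.join(picks), entropy_bits(length, len(unique))

if __name__ == "__main__":
    pw, bits = generate(min_length(78, len(FULL_ASCII)))
    print(f"{len(pw)} chars, {bits:.1f} bits: {pw}")
    # Constructed 8-word list for illustration; a real list has 7,776 words.
    words = ["amber", "brick", "cedar", "delta", "ember", "flint", "grove", "haven"]
    phrase, bits = generate(4, words, sep=" ")
    print(f"{bits:.1f} bits: {phrase}")
```

The reported entropy describes the generation process, not the string itself: it only holds when every symbol is picked uniformly and independently, which is why `random.choice` or a human-chosen password cannot be scored this way.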
How often should I change my passwords?
Modern guidance (NIST SP 800-63B) recommends changing passwords only when there is evidence of compromise, not on a fixed schedule. Frequent forced changes often lead to weaker passwords (users increment numbers). Use a unique strong password per account instead.