Password Generator

Secure random passwords, EFF Diceware passphrases, and PINs — with real entropy + zxcvbn scoring

Generate cryptographically random passwords using window.crypto.getRandomValues (the browser's CSPRNG) with rejection sampling to avoid modulo bias. Pick between random characters (4-64 chars, all four classes, shell-safe option), EFF Diceware passphrases (7,776-word list, 3-10 words), or a numeric PIN. Every output shows real entropy in bits, a zxcvbn strength score, and an estimated crack time. Runs entirely in your browser — no upload, no history, no signup.

Generate a secure password

Cryptographically random (uses crypto.getRandomValues) — generated entirely in your browser.

Excludes backticks, quotes, backslash, $, ;, |, & — safe to paste in shells and SQL

How this generator stays secure

Cryptographic RNG. Every character is drawn from window.crypto.getRandomValues, the browser's built-in CSPRNG. We use rejection sampling to avoid modulo bias.

Runs locally. No password leaves your browser; nothing is sent to a server. The page works fully offline once loaded.

No history. Generated passwords are not stored anywhere — not in localStorage, not in a database. Once you navigate away, they're gone.

Open source. The generation logic is in app/generator/password-generator/_lib/ and is audit-friendly — no external API calls.

Recommended lengths

| Use case | Recommended length |
| --- | --- |
| Bank / email / password manager | 20+ |
| General websites | 16+ |
| Throwaway accounts | 12+ |
| Passphrase (any account) | 5+ words |
| PIN (phone unlock) | 6+ |

Password recipes by use case

Different accounts need different defaults. These are the settings most security-conscious teams converge on. Example values are illustrative — don't reuse them; generate your own above.

Bank / password-manager master

20+ chars

High-stakes account — wraps everything else. Use a passphrase you can type from memory.

compass-bridge-pottery-meridian-slate-7

≈ 71 bits via 5 EFF words + 2-digit pad. Typeable; memorable after a day or two of use.

Standard website (password-manager filled)

16 chars

Most accounts — you never type these, the manager autofills.

r5#qPzM2j&Lk0xVe

≈ 105 bits with all four character classes. Resists offline brute-force for past-the-heat-death-of-the-sun timescales.

Throwaway / disposable account

12 chars

Forum signup, newsletter, anything you don't care about losing.

jL7@kQp3#WnZ

≈ 79 bits. Still strong; the floor is "won't collapse in a credential-stuffing attack."

SSH / GPG key passphrase

passphrase

Local-only — typed by you when you unlock the key. Long passphrase beats a random 12-char here.

mountain.breeze.sandwich.octave.terminal.lantern

6 EFF words = ~77 bits. Local brute-force is bounded by the key-derivation function inside SSH/GPG, so length matters more than character variety.

Service account / DB credential

shell-safe

Pasted into a connection string, .env file, or shell command. Avoid characters that need escaping.

P9wK2mNxR7vQ8tLs

All 4 classes minus shell-unsafe symbols (no backticks, quotes, backslash, $, ;, |, &). Safe to paste into psql, JDBC URLs, .env files.

Phone / device unlock PIN

PIN 6

Numeric keypad only. Combined with device-side rate limiting, 6 digits is the sweet spot.

847362

6 digits = ~20 bits. Device limits (wipe-after-N-fails on iOS / Android) make this enough; without rate limiting it'd be very weak.

Password reference

The math behind password strength, how the three generation modes differ, and what the security industry recommends in 2026 — including the parts that have changed since the old “rotate every 90 days” era.

Bits of entropy: the only honest strength number

For a uniformly-random password drawn from a charset of size N with length L, entropy in bits is L × log₂(N). This is the number an attacker has to beat: with b bits of entropy, the attacker needs roughly 2^(b−1) guesses on average.

| Configuration | Charset size | Length | Entropy |
| --- | --- | --- | --- |
| Lowercase only | 26 | 8 | 37.6 bits |
| Lowercase + digits | 36 | 12 | 62 bits |
| All 4 classes | 94 | 12 | 78.7 bits |
| All 4 classes | 94 | 16 | 104.9 bits |
| All 4 classes | 94 | 20 | 131.1 bits |
| EFF passphrase (5 words) | 7,776 | 5 words | 64.6 bits |
| EFF passphrase (6 words) | 7,776 | 6 words | 77.5 bits |
| PIN (4 digits) | 10 | 4 | 13.3 bits |
| PIN (6 digits) | 10 | 6 | 19.9 bits |

Threshold rules of thumb: < 28 bits cracked instantly · 28-35 minutes-to-hours · 36-59 fair · 60-127 strong · 128+ cryptographic-key strong.

When to use each mode

Standard

Random characters from a configurable charset. Use for: any account stored in a password manager, service account credentials, API tokens (if not provided by the platform), encryption keys you have to memorize. Default to 16+ chars.

Passphrase

Random words from the EFF-large list. Use for: master passwords (password manager, disk encryption, SSH key passphrase) — anything you need to actually remember and type by hand. 5-6 words is the sweet spot.

PIN

Digits only. Use for: device unlocks, SIM cards, ATM cards, anything constrained to a numeric keypad. 6 digits minimum; 4-digit PINs are basically unprotected (13 bits) against any attacker with access to the device.

2017+ NIST guidance (still current in 2026)

NIST's SP 800-63B is the modern reference. Highlights:

  • Length over complexity. A long passphrase beats a short, complex password.
  • Don't rotate on a schedule. Rotate only when there's evidence of compromise. Forced periodic rotation produces weaker passwords (people append a digit).
  • No composition rules. Forcing “at least one uppercase, one symbol” barely helps and pushes users toward predictable patterns (Password1!).
  • Block known-breached passwords using databases like haveibeenpwned.com.
  • Allow paste. Sites that block paste actively prevent password-manager use.
  • Multi-factor wherever possible, especially for email and password-manager accounts (the root accounts).

What this generator does well — and what it doesn't do

Does well
  • ✓ Uses crypto.getRandomValues (CSPRNG), not Math.random()
  • ✓ Rejection sampling — no modulo bias
  • ✓ Deterministic character-class coverage, no infinite recursion
  • ✓ EFF-large word list (7,776 words) for proper Diceware passphrases
  • ✓ Real entropy calculation, not heuristic strength score
  • ✓ zxcvbn-ts pattern detection for non-generated passwords
  • ✓ Runs 100% in browser, no upload
Doesn't do (by design)
  • ✗ Store / sync your passwords (use a password manager)
  • ✗ Check against breach databases (use haveibeenpwned.com)
  • ✗ Generate cryptographic keys (use a CLI tool with proper key derivation)
  • ✗ Hash passwords for server storage (use bcrypt / Argon2id server-side)
  • ✗ Bulk-generate hundreds at a time — paste into a password manager and let it do it

References & further reading

  • NIST SP 800-63B — Digital Identity Guidelines (Authentication and Lifecycle Management)
  • EFF Long Wordlists eff.org/dice — the 7,776-word list used here
  • Diceware — Arnold Reinhold's original 1995 passphrase method
  • zxcvbn — Dropbox's pattern-based password-strength estimator (this tool uses the maintained zxcvbn-ts port)
  • haveibeenpwned.com — Troy Hunt's breach lookup service
  • RFC 4086 — Randomness Requirements for Security (why CSPRNGs matter)

Frequently Asked Questions

CSPRNG vs Math.random, bits of entropy, EFF Diceware, zxcvbn scoring, modern NIST guidance.