Password Generator

The strength meter calculates entropy using the formula H = L * log2(N), where L is the password length and N is the size of the character pool. The result in bits represents the theoretical randomness of the password. A higher entropy means more possible combinations an attacker must try. The color-coded bar maps entropy to five strength levels: Very Weak (<36 bits), Weak (<60 bits), Fair (<80 bits), Strong (<100 bits), and Very Strong (100+ bits).

The crack time assumes an attacker using a high-end GPU cluster capable of 10 billion (10^10) password guesses per second. The total keyspace is 2^entropy, and on average an attacker needs to try half the keyspace. This is a conservative estimate — online attacks are typically limited to thousands of attempts per second by rate limiting, making the actual time much longer for most real-world scenarios.

NIST SP 800-63B is the U.S. National Institute of Standards and Technology's Digital Identity Guideline. It recommends a minimum of 8 characters with no complexity requirements (no mandatory uppercase, numbers, or symbols). NIST found that complexity requirements often lead to predictable patterns (e.g., "Password1!") and that length is the primary factor in password strength. Our preset uses 16 characters with upper+lowercase for practical security.

The Korean Financial preset follows KISA (Korea Internet & Security Agency) guidelines used by Korean banks and financial institutions. It requires a minimum of 10 characters with at least 2 different character types (uppercase, lowercase, numbers, symbols). Our preset configures 12 characters with all four character types enabled to exceed the minimum requirements comfortably.

For most purposes, 16 characters with all character sets enabled provides excellent security (approximately 105 bits of entropy). For high-security applications like master passwords, encryption keys, or API secrets, use 24-32 characters. The minimum of 4 characters is provided for PIN-like use cases, but passwords shorter than 12 characters are not recommended for general use.

Very secure. The passwords use crypto.getRandomValues(), the same CSPRNG used for TLS encryption and WebAuthn. Each character is independently and uniformly selected from the chosen character set. With default settings (16 chars, all character sets), you get approximately 105 bits of entropy, which would take billions of years to crack even with the most powerful GPU clusters.

Yes. Use the quick batch buttons (1, 5, 10, 20, 50) or enter a custom count up to 50. Each password is generated independently with full cryptographic randomness. Each password shows its own mini strength indicator, and the "Copy All" button copies all passwords separated by newlines for easy import into a password manager or distribution.

No. All passwords exist only in your browser's memory while the page is open. They are never transmitted to any server, written to disk, stored in cookies, or logged in any way. The strength analysis is also computed entirely client-side. Once you navigate away or close the tab, everything is gone from memory.

Math.random() is NOT suitable for security purposes — it uses a non-cryptographic PRNG that can be predicted if an attacker observes enough outputs. crypto.getRandomValues() uses the OS's cryptographic random number generator, which is unpredictable by design. This tool exclusively uses crypto.getRandomValues() to ensure every generated password is truly secure.