Password Generator
Generate secure random passwords instantly.
Generating API keys or webhook secrets?
Recuro provides secure token management and lets you configure custom headers for every scheduled HTTP request.
What makes a strong password?
Password strength comes from unpredictability, measured in bits of entropy. A password drawn uniformly at random from a large character set has high entropy because an attacker cannot narrow down the possibilities. Length is the single most important factor — doubling the length squares the number of possible passwords.
Using a mix of character types (uppercase, lowercase, numbers, symbols) increases the alphabet size and therefore the entropy per character. A 12-character password using all four sets (~95 characters) has about 79 bits of entropy. The same length using only lowercase letters (~26 characters) has only 56 bits.
For most online accounts, 60-80 bits of entropy is sufficient because login systems enforce rate limiting and lockouts. For offline attacks (where an attacker has a hash database), aim for 80+ bits. API keys and webhook secrets should be 128+ bits (32+ characters from a full character set).
Generating API keys or webhook secrets for your scheduled jobs? Recuro provides secure token management and lets you configure custom headers for every scheduled HTTP request.
Frequently Asked Questions
How secure are these passwords?
Passwords are generated using crypto.getRandomValues(), the same cryptographically secure pseudorandom number generator (CSPRNG) used by browsers for TLS connections. No Math.random() or predictable seed is involved. The security of the generated password depends on its length and character set — the entropy meter shows exactly how strong each password is.
What is password entropy?
Entropy measures the randomness of a password in bits. It is calculated as log2(charset_size ^ length). A password with 40 bits of entropy has 2^40 (~1 trillion) possible combinations. For online attacks with rate limiting, 40-60 bits is adequate. For offline attacks against hashed passwords, aim for 80+ bits. Each additional character adds log2(charset_size) bits of entropy.
Should I use a passphrase instead?
Both random passwords and passphrases are valid approaches. Passphrases (like "correct-horse-battery-staple") are easier to remember and type but need to be longer to achieve the same entropy. Random passwords are more compact but require a password manager. For machine-to-machine secrets like API keys, random passwords are preferred.
⌘Enter to run · ⌘⇧C to copy