This page contains a strong random password generator. The password is generated in your browser and never sent over the Internet.
What is a good random password like?
State-of-the-art password guessing software is able to guess passwords up to about 14-16 characters (as of 2017). Unfortunately, this is more than most people can remember. For most non-critical Internet services, shorter passwords (e.g., eight random characters, or three random words) are usually enough.
If you are generating passwords for servers or other security-critical applications, we recommend using the maximum-length passwords (16 characters).
Online password generator
What if you don't like the generated password?
If you don't like the generated password, you can always generate a new one. You might want to do this, for example, if the words seem hard to remember. Just click Generate password again, as many times as you like. Theoretically, selecting from multiple passwords makes them a bit weaker, but in practice this does not matter.
If you need a password with special characters, keep clicking on the Generate password button until the generated password contains a special character. You can also take just part of the generated password, and add your own characters for extra security.
How this random password generator works
For the technically minded, here is how this strong password generator works:
- Approximately 120 bits of randomness is fetched from https://www.random.org. This ensures good password quality even with old browsers.
- 128 bits of cryptographic quality random data is added from your web browser (window.crypto.getRandomValues). Modern browsers support this, but older browsers do not. This random data ensures security of the password even against parties capable of reading HTTPS-encrypted data.
- 32 bits of non-cryptographic quality randomness is added from your web browser (Math.random), just as an extra security measure.
- The random data from all three sources is concatenated, and the SHA256 hash function is used to derive a raw password from them.
- The result is truncated to your requested password length (96, 64, or 48 bits, based on strength).
- The truncated value is encoded either using BASE64 encoding (with = characters removed from the end) or by using a dictionary of 65536 words to encode each 16-bit group into a random word.
- The resulting password is then displayed.
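The steps above, sketched as an added example that is not this page's own script and runs under Node.js rather than in the browser. The random.org response is passed in as bytes; the concatenation order, 16-bit byte order, word separator, strength names and placeholder word list are assumptions.

```javascript
// Added illustration of the derivation steps listed above; not this page's own script.
const nodeCrypto = require("crypto");

const STRENGTH_BITS = { strong: 96, medium: 64, weak: 48 }; // lengths from the page; key names assumed

// Constructed stand-in for the 65536-word dictionary (the real word list is not on the page).
const PLACEHOLDER_WORDS = Array.from({ length: 65536 }, (_, i) => "word" + i);

// Local entropy: 128 bits from the CSPRNG plus 32 bits from Math.random.
function localEntropy() {
  const strong = nodeCrypto.webcrypto.getRandomValues(new Uint8Array(16));
  const weak = Buffer.alloc(4);
  weak.writeUInt32BE(Math.floor(Math.random() * 2 ** 32));
  return { strong: Buffer.from(strong), weak };
}

// Concatenate the three sources, hash with SHA-256, truncate to the requested bit length.
function deriveRaw(serverBytes, strongBytes, weakBytes, bits) {
  if (!Object.values(STRENGTH_BITS).includes(bits)) throw new RangeError("unsupported length");
  const pool = Buffer.concat([serverBytes, strongBytes, weakBytes]); // order is an assumption
  return nodeCrypto.createHash("sha256").update(pool).digest().subarray(0, bits / 8);
}

// BASE64 with trailing '=' characters removed.
function encodeBase64(raw) {
  return raw.toString("base64").replace(/=+$/, "");
}

// One dictionary word per 16-bit group (big-endian grouping and space separator assumed).
function encodeWords(raw, words = PLACEHOLDER_WORDS) {
  if (words.length !== 65536) throw new RangeError("dictionary must have 65536 entries");
  const out = [];
  for (let i = 0; i < raw.length; i += 2) out.push(words[raw.readUInt16BE(i)]);
  return out.join(" ");
}

// Constructed 15-byte (120-bit) sample standing in for the random.org response.
const sampleServer = Buffer.from("000102030405060708090a0b0c0d0e", "hex");
const { strong, weak } = localEntropy();
for (const [name, bits] of Object.entries(STRENGTH_BITS)) {
  const raw = deriveRaw(sampleServer, strong, weak, bits);
  console.log(name, encodeBase64(raw), "|", encodeWords(raw));
}
```

Because all three inputs pass through one hash before truncation, the output stays unpredictable as long as any one source is, which is why the server-supplied bytes alone do not determine the password.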
Other password generators
Norton Password Generator
The Norton password generator is part of Norton's IdentitySafe suite. Its main difference from our generator is that the Norton password generator generates the password on the server (June 2017). This means that the method they use for generating the password cannot be independently verified, and anyone capable of breaking HTTPS encryption will be able to read the password while it is transmitted over the network. It is known that many governments routinely break HTTPS by using fake certificates or weaknesses in the SSL and TLS protocols. Consequently, we do not recommend using the Norton Password Generator.
XKCD Random Password Generator
The XKCD Random Password Generator does not use any cryptographic entropy on the client side. While it gets some entropy from the server, its source and quality are not known. The fact that no client-side cryptographic entropy is included suggests limited knowledge of cryptography and randomness. The generated passwords (four-word combinations) contain less than 44 bits of randomness. This is too little - it is even less than our Weak passwords. Such passwords can be broken with brute force attacks in a relatively short time. However, worst of all, it does not use HTTPS and sends the generated passwords over the network in the clear (June 2017). Thus, we absolutely do not recommend using the XKCD Random Password Generator. You can generate stronger passwords consisting of words using the password generator on this page.
Secure Password Generator
The so-called Secure Password Generator at http://passwordsgenerator.net/ suffers from several weaknesses. Most importantly, it generates the password on a server using an AJAX call, and transmits the password over the internet WITHOUT ENCRYPTION. Thus, almost anyone can see your password from the network, and intelligence agencies are likely to record such traffic (June 2017). Furthermore, the password is generated on the server, with no means of verifying how it is generated. Thus, we absolutely do not recommend using it for generating any passwords.