Password Generator

Yes — password generation runs 100% in your browser using the Web Crypto API's cryptographically secure random number generator. No passwords are ever sent to a server, stored in a database, or transmitted over the network. The optional 'Check My Password' breach check uses Have I Been Pwned's k-anonymity API — only the first 5 characters of a SHA-1 hash are sent (never your actual password), making it mathematically impossible to reverse. Standard anonymous page analytics (Google Analytics) apply to all pages on the site, but no tool-specific data — passwords, images, palettes, etc. — is ever collected or transmitted.

The strength meter calculates entropy (randomness) based on the character pool size and password length. It also detects common weaknesses like dictionary words, keyboard patterns (qwerty, asdf), sequential characters (abc, 123), repeated characters, and common substitutions (p@ssw0rd). The final score combines mathematical entropy with pattern penalty analysis.

A passphrase is a password made of random dictionary words, like 'correct-horse-battery-staple'. Passphrases are easier to remember than random character strings but can be just as secure — a 5-word passphrase from our 7,776-word list has about 64 bits of entropy, equivalent to a 10-character random password.

No. Generated passwords exist only in your browser's memory. The optional history feature is kept in memory only — it's cleared when you close or refresh the tab. We have zero server-side storage — there is no database, no analytics on generated passwords, and no way for anyone (including us) to see what you generate.

A strong password has high entropy — meaning it's truly random and drawn from a large pool of possible characters. Length matters more than complexity: a 16-character password with lowercase letters only (77 bits) is stronger than an 8-character password with uppercase, lowercase, numbers, and symbols (52 bits). Avoid dictionary words, personal information, and common patterns.

Yes! Once the page loads, password generation and strength checking work without an internet connection. The only feature that requires connectivity is the optional breach check (which queries Have I Been Pwned's API). You can even save the page for offline use.

We calculate how long it would take to try every possible combination at different attack speeds: online attacks (1,000 guesses/sec with rate limiting), offline attacks against fast hashes like MD5 (100 billion/sec), and GPU cluster attacks (1 trillion/sec). The estimate assumes brute force — real attacks using dictionaries or patterns would be faster for weak passwords.

We use the EFF (Electronic Frontier Foundation) Diceware long word list containing 7,776 carefully selected English words. Each word adds approximately 12.9 bits of entropy. The list was designed specifically for generating secure, memorable passphrases.

Yes! This is a V1 release and we're actively improving it based on user feedback. If you have suggestions, find a bug, or want a new feature, please visit our Community Feedback page at aguidetocloud.com/feedback/ — every piece of feedback is read and acted on.