Strong Password Generator Online

About Password Generator

The 3STF Password Generator creates cryptographically secure, truly random passwords using the Web Crypto API. Unlike generators that use `Math.random()` (which is predictable and not suitable for security), this tool uses `crypto.getRandomValues`. The same CSPRNG browsers use for session tokens. Every password is generated in your browser, never transmitted, never logged. **Why password quality matters** According to Verizon's Data Breach Investigations Report, credential-based attacks are the number-one cause of account compromises. Most breaches exploit passwords that are short, predictable, or reused across multiple sites. A truly random 16-character password from a 94-symbol alphabet has roughly 105 bits of entropy. Enough to make offline brute-force attacks computationally infeasible for decades to come. **How the entropy math works** Password strength is measured in bits. A password with N bits of entropy requires on average 2^N/2 guesses to crack. Practical numbers: - 8 chars from 26-letter lowercase alphabet: 37 bits. Crackable in hours - 12 chars from 94-symbol alphabet: 79 bits. Hard but possible - 16 chars from 94-symbol alphabet: 105 bits. Infeasible offline - 20 chars from 94-symbol alphabet: 131 bits. Overkill for humans, required for keys **Recommendations by use case** - **Throwaway accounts:** 12 chars, lowercase + numbers - **Personal accounts (email, social media):** 16 chars, all character types - **Financial accounts, main email, password manager master:** 20+ chars, full alphabet - **API keys, encryption secrets:** 24-32 chars, full alphabet **Character type options** - **Uppercase A-Z**: 26 symbols - **Lowercase a-z**: 26 symbols - **Numbers 0-9**: 10 symbols - **Symbols !@#$%^&*()_+-=[]{}|;:,.<>?**. 32 symbols Each additional character type multiplies the number of possible passwords. A password with all four types has a 94-symbol alphabet. **How the generation works** 1. You pick length and alphabets 2. The tool concatenates the allowed character sets into a pool 3. It allocates a Uint32Array of N random values from `crypto.getRandomValues` 4. Each random value is mapped to a character via modulo (with rejection sampling for unbiased selection) 5. The final password is displayed, never transmitted **Why you should still use a password manager** The best password is one you don't have to remember. Generate a 20-character random password for every account, store it in a password manager (1Password, Bitwarden, KeePass), and you only memorise your master password. The master password itself should be a long passphrase: four random words concatenated give you ~50 bits of memorable entropy. **What this tool does NOT do** - It does not store your password - It does not transmit the password anywhere - It does not check the password against breach databases (use Have I Been Pwned for that) - It does not save history (generate a new password each time) **Common password policies** This generator can satisfy any common policy: - Minimum 12 chars + mixed case + digit + symbol ✓ - Microsoft / Google requirements ✓ - PCI DSS password rules ✓ - NIST SP 800-63B guidelines ✓