Password Generator
Generate cryptographically secure passwords using Python's secrets module. Passwords are generated server-side and are never stored or logged.
Password Security Standards
NIST SP 800-63B (2017) and the updated 2024 revision fundamentally changed password best practices. Modern guidance prioritizes length over complexity, eliminates mandatory rotation (unless breached), and encourages use of password managers over memorization. The most important factor in password security is now entropy, which is determined by length and character set size: for a randomly generated password it is the length multiplied by log2 of the character set size.
Password Security Tips
- Use a unique password for every account
- Aim for at least 16 characters with mixed character types
- Store passwords in a reputable password manager
- Enable two-factor authentication wherever available
- Never reuse a password that appeared in a breach
Brute-Force Time by Password Length and Character Set
Estimated time to exhaust all combinations at 10 billion guesses per second (GPU attack on fast hash)
Password Entropy by Length and Character Set
| Length | Lowercase (26) | Mixed case + digits (62) | Full ASCII (95) |
|---|---|---|---|
| 8 | 38 bits | 48 bits | 53 bits |
| 10 | 47 bits | 60 bits | 66 bits |
| 12 | 56 bits | 71 bits | 79 bits |
| 14 | 66 bits | 83 bits | 92 bits |
| 16 | 75 bits | 95 bits | 105 bits |
| 20 | 94 bits | 119 bits | 131 bits |
| 24 | 113 bits | 143 bits | 157 bits |
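The table values and the 10 billion guesses per second rate quoted above can be reproduced with a few lines around Python's `secrets` module. This is an added example, not this site's generator code; the function names and the 80-bit target in the demo are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character sets matching the columns of the entropy table above.
CHARSETS = {
    "lowercase": string.ascii_lowercase,                    # 26 symbols
    "mixed_digits": string.ascii_letters + string.digits,   # 62 symbols
    "full_ascii": string.ascii_letters + string.digits
                  + string.punctuation + " ",               # 95 symbols
}
GUESSES_PER_SECOND = 10_000_000_000  # rate quoted on this page


def entropy_bits(length, charset_size):
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every combination at the given guess rate."""
    return charset_size ** length / rate


def min_length_for(bits, charset_size):
    """Shortest length that reaches at least `bits` of entropy."""
    return math.ceil(bits / math.log2(charset_size))


def generate_password(length, charset):
    """Pick each character independently with the OS CSPRNG.

    Uniform, independent selection is what makes entropy_bits() valid;
    forcing patterns (e.g. "must start with a capital") would lower it.
    """
    if length < 1 or len(set(charset)) < 2:
        raise ValueError("need length >= 1 and at least 2 distinct symbols")
    return "".join(secrets.choice(charset) for _ in range(length))


if __name__ == "__main__":
    for name, chars in CHARSETS.items():
        n = len(chars)
        pw = generate_password(16, chars)
        years = seconds_to_exhaust(16, n) / (365.25 * 24 * 3600)
        print(f"{name:13} {pw!r} {entropy_bits(16, n):6.1f} bits "
              f"{years:.2e} years; 80 bits needs {min_length_for(80, n)} chars")
```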
Why Random Passwords Are Better
Humans are predictable. Studies of leaked password databases consistently show that human-chosen passwords cluster around patterns: sports teams, pet names, keyboard walks, and birth years. Attackers use wordlists, rule-based mutations, and Markov models to exploit these patterns. A truly random password from a cryptographic generator cannot be predicted or optimised against.
| Method | Example | Effective Entropy | Memorability |
|---|---|---|---|
| Human-chosen | Summer2024! | Low (~20 bits actual) | Easy |
| Random password | xQ4!mR9#wLz2 | High (~79 bits) | Requires password manager |
| Random passphrase | purple lamp river song oak | Good (~65 bits) | Moderate, possible to remember |
Frequently Asked Questions
NIST recommends a minimum of 8 characters, but security researchers suggest 14-16 as the practical minimum for important accounts. For accounts protecting financial assets, email (which enables password resets), and health information, use 20+ characters. If you use a password manager, 20 characters with the full character set costs you nothing extra.
Yes, unequivocally. The single biggest improvement most people can make to their security is adopting a password manager. It enables truly unique, random passwords for every account without the cognitive burden of memorizing them. Popular options include Bitwarden (open source, free), 1Password, and KeePassXC (offline, local).
This generator produces passwords server-side over HTTPS and displays them once; they are immediately discarded and never stored in any database or log. For maximum security, consider an offline generator or your password manager's built-in generator, which never sends the password over any network.
NIST 2024 guidance recommends against mandatory periodic rotation unless there is reason to believe a password has been compromised. Changing passwords regularly with no suspected breach often leads to weaker incremental passwords (Summer2024 → Summer2025) rather than genuinely new secure ones. Focus on using strong, unique passwords and monitoring for breaches instead.