Generate & Check
Secure Passwords

Create strong, cryptographically random passwords in seconds. Check if your password has appeared in a data breach, analyze its strength, and build memorable passphrases — all processed entirely in your browser. Nothing is ever stored or transmitted.

100% Client-Side No Account Needed Breach Detection PIN Generator Passphrase Builder
Password Generator
Move the slider to generate a password…
Copied! Copy Password
20
1 char128 chars
Character Sets
— / 4
Estimated Crack Time
Entropy
Data Breach Checker

Uses the HaveIBeenPwned k-anonymity API — your actual password never leaves your browser.

How it works: Your password is hashed with SHA-1. Only the first 5 characters of that hash are sent to the API. The full hash and your password are never transmitted — this is called k-anonymity.

Memorable Password

Type any word or phrase — converted into a stronger password using letter substitutions like a→@, o→0, i→!, e→3.

— / 4
Estimated Crack Time
Entropy

Substitution Map

a@
e3
i!
o0
s$
t7
l1
g9
b8
z2
h#
x*
A4
E3
I1
O0
Password Strength Checker
Estimated Time to Crack
Online 100/hour
Online 10/sec
Offline Fast Hash
Offline Slow Hash
Entropy
Guesses
Character Breakdown
Total Length
Uppercase (A–Z)
Lowercase (a–z)
Numbers (0–9)
Special (!@#…)
Unique Chars
PIN Generator

Generates cryptographically random PINs of 4, 6, 8 and custom lengths. Useful for bank PINs, device lock codes and access codes.

6
4 digits16 digits
Drag slider to generate custom PIN…
Copied! Copy PIN
Regenerate All

Security note: All PINs are generated using crypto.getRandomValues() — the same cryptographic API used by your browser for secure operations. No patterns, no repetition.

Passphrase Generator
Move the slider to generate a passphrase…
Copied! Copy Passphrase
New Passphrase
5
3 words10 words
Capitalize first letter of each word
— / 4
Estimated Crack Time
Entropy

How to Use

Password Generator
  1. Set the length — drag the Password Length slider left or right. The number updates live and a new password generates instantly with every movement. Start at 16 or higher for strong passwords.
  2. Choose character sets — four chips control which characters are included: A–Z uppercase letters, a–z lowercase letters, 0–9 digits, and !@#$%^&* symbols. Click any chip to toggle it on or off. At least one chip must remain active at all times.
  3. Read the strength meter — below the password you will see a coloured bar and label (Very Weak → Weak → Fair → Strong → Very Strong), a score out of 4, the estimated crack time, and entropy in bits. These update automatically on every slider move or character set change.
  4. Copy the password — click the copy icon on the right of the password display. A "Copied!" tooltip confirms the password is on your clipboard. Paste it straight into your password manager.
Best practice: Use at least 16 characters with all four character sets enabled. A random 16-character password with mixed characters has over 100 bits of entropy — effectively uncrackable with current technology. Never reuse the same password across multiple sites.
Data Breach Checker
  1. Enter your password — type or paste the password you want to check into the input field. Click the eye icon on the right to reveal or hide the characters as you type.
  2. Run the check — press Enter on your keyboard or click the blue Check for Data Breaches button. A spinner appears while the lookup runs.
  3. Read the result — a red badge shows how many times it was found in known breaches. A green badge means it was not found in any of the 800 million+ compromised passwords in the database.
  4. Take action — if the password is breached, stop using it immediately. Switch to the Generator tab to create a strong replacement, then update it in your password manager and on the affected site.
How privacy is protected: Your password is hashed with SHA-1 inside your browser. Only the first 5 characters of that hash are sent to the HaveIBeenPwned API. Your actual password and full hash never leave your device — this technique is called k-anonymity.
Memorable Password
  1. Type your base word or phrase — enter any word, name, or short phrase you can easily remember, such as your pet's name, a favourite place, or a lyric fragment. The longer the phrase, the stronger the result.
  2. Pick a substitution levelBasic replaces only the most common letters (a→@, o→0, i→!, e→3, s→$). Full applies a broader set of substitutions including uppercase variants (t→7, l→1, g→9, b→8 and more). The substitution map at the bottom of the card shows every replacement.
  3. Choose what to append — the Append dropdown adds random digits or a symbol at the end. Options are nothing, 2 random digits, 4 random digits, or 1 random symbol. Adding digits significantly increases entropy.
  4. Copy the result — the converted password appears in the display box. Click the copy icon to send it to your clipboard. The strength meter below shows how strong the result is.
Tip: A longer input phrase always produces a stronger result. Try a full sentence like ILoveCoffee — with Full substitution and 2 appended digits it becomes something like !L0v3C0ff33 plus two random digits, which scores Strong while remaining memorable.
Password Strength Checker
  1. Type or paste any password — start typing in the input field and the full analysis appears immediately. Every keystroke updates the results in real time so you can watch the score change as you add characters or symbols.
  2. Understand the strength bar — the four coloured bars represent the score from 0 (Very Weak) to 4 (Very Strong). The label and score badge below the crack time give you a clear verdict at a glance.
  3. Study the crack time grid — four scenarios are shown: online attack throttled at 100 attempts per hour, online attack at 10 attempts per second, offline fast hash, and offline slow hash. The slow hash figure is the most realistic worst case for a properly stored password.
  4. Review the character breakdown — a panel shows total length, uppercase, lowercase, digits, special characters, and unique character count. Non-zero counts are highlighted in blue; a low unique-character ratio is shown in red.
  5. Follow improvement suggestions — if your password is weak, a panel lists specific actions such as adding symbols, avoiding common words, or increasing length.
Note: The analysis uses the zxcvbn library by Dropbox, which detects dictionary words, common substitutions (p@ssw0rd), keyboard patterns (qwerty), date formats, and repeated characters. A password that looks complex can still score low if it follows a predictable pattern.
PIN Generator
  1. Use the preset cards — when you open the PIN tab, four cards are generated automatically for 4-digit, 6-digit, 8-digit and 10-digit PINs. Each card has its own copy icon so you can grab any one immediately.
  2. Generate a custom length PIN — drag the Custom PIN Length slider to any value between 4 and 16 digits. The custom PIN updates on every slider movement.
  3. Copy your PIN — click the copy icon next to a preset card to copy that specific PIN, or use the copy icon in the main display box for your custom PIN.
  4. Regenerate all PINs — click the refresh icon in the custom PIN display to regenerate all four preset cards and the custom PIN at once.
Security note: All PINs are generated using crypto.getRandomValues() — the browser's cryptographically secure random number generator, far stronger than Math.random(). A 4-digit PIN has only 10,000 possible values — use 6 digits or more wherever the service allows it.
Passphrase Generator
  1. Set the word count — drag the Number of Words slider to choose between 3 and 10 words. A new passphrase generates automatically. More words means exponentially more entropy — 5 words gives roughly 60 bits, 7 words gives roughly 84 bits.
  2. Choose a word separator — the dropdown lets you pick how words are joined: dash, dot, underscore, space, at sign, hash, exclamation mark, or no separator. A non-letter separator adds entropy and satisfies many password policies.
  3. Append numbers — the Append Numbers dropdown adds 0, 1, 2, or 4 random digits to the end. Appending even 2 digits meaningfully increases the number of possible combinations.
  4. Toggle capitalisation — makes each word start with an uppercase letter (e.g. Tiger-Cloud-River). Many sites require at least one uppercase character, so this keeps the passphrase compliant.
  5. Copy the passphrase — click the copy icon. The strength meter and entropy reading update each time a new passphrase is generated.
Why use a passphrase? A 5-word passphrase like Tiger-Cloud-River-Boot-42 is easier to type and remember than xK!9mP#2qL, yet has comparable or greater entropy. Ideal for master passwords, Wi-Fi keys, and any credential you need to type from memory.

Frequently Asked Questions

Is this password generator safe to use?
Yes — completely. Every password is generated directly inside your browser using the Web Cryptography API (crypto.getRandomValues()). No password, input, or result is ever sent to our servers, logged, stored in a database, or transmitted over the network in any form. You can disconnect from the internet after the page loads and every tool will continue to work exactly the same way. The source code runs entirely client-side and can be inspected in your browser's developer tools at any time.
Does the Data Breach Checker send my password to any server?
No. The checker uses a technique called k-anonymity. Your browser converts your password into a SHA-1 hash and then sends only the first 5 characters of that hash to the HaveIBeenPwned API. The API returns all hash suffixes that match those 5 characters — typically hundreds of them. Your browser then checks locally whether your full hash is in that list. Your actual password and the remaining 35+ characters of the hash never leave your device, making it mathematically impossible for the API to know which password you checked.
How long should my password be?
For most online accounts, 16 characters with a mix of uppercase, lowercase, digits and symbols is a solid minimum. For highly sensitive accounts such as banking, email, or your password manager master password, aim for 20 characters or more. Length is the single biggest factor in password strength — each extra character multiplies the number of possible combinations by the size of the character set. A 16-character random password from a 94-character set has over 10²⁸ possible combinations, which would take billions of years to brute-force even with specialised hardware.
What is password entropy and why does it matter?
Entropy measures how unpredictable a password is, expressed in bits. A password with N bits of entropy means an attacker must make up to 2ᴺ guesses to crack it. It is calculated as: length × log₂(character set size). For example, a 16-character password using all 94 printable ASCII characters has 16 × log₂(94) ≈ 104 bits of entropy. In practical terms: 40 bits is weak, 60 bits is reasonable, 80 bits is strong, and 100+ bits is considered very strong against all known attacks.
Is a passphrase stronger than a random password?
It depends on word count and word list size. A 5-word passphrase from a 1,000-word list has log₂(1000⁵) ≈ 50 bits of entropy, while a 12-character random password from 94 characters has ≈ 79 bits. However, a 7-word passphrase reaches about 70 bits and is far easier to type and remember. Passphrases shine when you must memorise the credential — master passwords, device PINs, and Wi-Fi keys. For passwords stored in a password manager, short random passwords are equally fine because you never need to type them.
What do "Very Weak", "Weak", "Fair", "Strong", "Very Strong" mean?
These labels come from the zxcvbn library which scores passwords from 0 to 4. The library models realistic attacker behaviour including dictionary attacks, common substitutions, keyboard patterns, and date formats. Very Weak (0) — crackable instantly. Weak (1) — crackable in seconds to minutes. Fair (2) — takes hours to days. Strong (3) — takes months to years under offline attack. Very Strong (4) — effectively uncrackable with current technology. Always aim for Strong or Very Strong for any real account.
Should I use a password manager?
Yes — a password manager is the single most impactful security improvement most people can make. It allows you to use a unique, long, random password for every account without needing to remember any of them. The most common cause of account compromise is reusing the same password across multiple sites (credential stuffing). Popular options include Bitwarden (free and open source), 1Password, and KeePassXC. Use our generator to create a strong unique password for each site and save it in your manager.
What is the difference between a fast hash and a slow hash attack?
When a website stores passwords, it should hash them using a slow algorithm like bcrypt, Argon2, or scrypt. These are deliberately slow — limiting an attacker who has stolen the hash database to thousands of guesses per second. A fast hash (like MD5 or unsalted SHA-1) can be computed billions of times per second on consumer GPUs, meaning even a 10-character password can be cracked in minutes. The "Offline Slow Hash" column assumes bcrypt-style protection; "Offline Fast Hash" is the worst case if the site stored passwords carelessly.
Copied!