Password generators all produce something like aB3$k9#mQ2. It looks secure. It's 10 characters with uppercase, lowercase, digits, and symbols. According to most password meters, it's "strong." In practice, it's weaker than a 20-character lowercase phrase.
Length Beats Complexity
Entropy is measured in bits. Each character in a password adds entropy based on the size of the character set. A 10-character password with 4 character types adds about 60 bits of entropy. A 20-character lowercase password adds about 94 bits.
The longer password is harder to crack despite using only lowercase letters. Entropy scales with length faster than with character set size. One extra lowercase character adds 4.7 bits. One extra symbol adds about 1 bit because the symbol set is small.
The practical advice: use passphrases. Four random words from a 7776-word diceware list give you about 51 bits of entropy. Five words give you 64 bits. Six words give you 77 bits. A six-word passphrase is easier to type and remember than aB3$k9#mQ2.
This is why sites that enforce "must include one uppercase, one lowercase, one digit, one symbol" are working against their own goal. The constraints reduce the search space. A password that must include all four types has fewer valid combinations than one that allows any characters.
Here's how different password types compare:
| Type | Example | Length | Entropy (bits) |
|---|---|---|---|
| Random mixed | aB3$k9#mQ2 |
10 | ~60 |
| Random mixed | aB3$k9#mQ2eX7$pL1 |
16 | ~96 |
| Lowercase only | correct horse battery staple |
28 | ~94 |
| Diceware passphrase | valid-outer-queen-north |
4 words | ~51 |
| Diceware passphrase | valid-outer-queen-north-weekly-storm |
6 words | ~77 |
The 16-character random string and the 28-character lowercase phrase have similar entropy. One is impossible to remember. The other is four ordinary words.
How Most Generators Miss the Point
Most password generators optimize for "looks secure" rather than "is secure." They enforce one of each character type, which reduces the search space. They produce passwords that are hard to type on mobile devices. They avoid words because words look guessable, even though four random words are harder to crack than eight random characters.
A good password generator lets you choose between three modes:
- A memorable passphrase
- A random string
- A PIN for less sensitive accounts
The password generator on this site uses your browser's crypto API for randomness and supports all three. Nothing gets sent to a server — it all runs locally.
The Reuse Problem
No password generator can fix the reuse problem. A strong password reused across 50 sites is weak. The first site that gets breached exposes your password for all the others.
A password manager solves this. It generates unique passwords for every site and stores them encrypted. You only need to remember one master password. The password generator is a tool for creating individual passwords, but it works best paired with a password manager for storage and autofill.
One thing password managers don't solve: checking whether your passwords have appeared in known breaches. The NIST SP 800-63B guidelines recommend comparing passwords against a list of known compromised values. Some password managers do this automatically. If yours doesn't, it's worth running your passwords through haveibeenpwned separately.
The math of password security is clear. 20 random characters is technically better than a passphrase. But the passphrase is what people will actually use, and a used passphrase beats a complex password that gets written on a sticky note.