XConvert
Downloads
Pricing

Generate Passwords Online

Create a new password quickly with our online password generator, then copy it or download it for use in your accounts.

812816

How to Generate a Strong Password Online

  1. Set Length: Drag the Length slider or type a value (typical range 8-64; default is around 16). NIST SP 800-63B Rev. 4 requires user-selected passwords to be at least 15 characters when used as the sole authenticator, and randomly generated passwords (like these) to be at least 8 — go longer than the minimum whenever the target system permits.
  2. Pick Character Classes: Toggle Uppercase (A-Z), Lowercase (a-z), Digits (0-9), and Symbols (!@#$%^&* and similar). Enabling all four gives ~95 printable ASCII chars and the highest entropy per character. Disable a class only if the destination system rejects it (some legacy banking and SAP systems still block certain symbols).
  3. Exclude Ambiguous Characters (Optional): Flip the toggle to drop look-alike glyphs — 0/O, 1/l/I, and similar pairs — when you'll be typing the password by hand, reading it off a screen, or dictating it (Wi-Fi setup, IoT device pairing, kiosks). Skip this for passwords going straight into a password manager.
  4. Generate, Copy, Save: Click Generate (or Regenerate for a fresh one), watch the entropy meter (Weak / Fair / Strong / Very Strong with bits shown), then Copy and paste straight into Bitwarden, 1Password, Apple Passwords, or your browser's built-in manager. Generation runs entirely in your browser via window.crypto.getRandomValues() — nothing is sent to xconvert, logged, or cached on disk.

Why Use a Random Password Generator?

Human-chosen passwords are predictable. Even "complex" passwords like P@ssw0rd2026! follow patterns crackers know — capital-then-lowers, leetspeak substitutions, a trailing year, a trailing symbol — and Hashcat rule sets crack them in minutes on a single consumer GPU. A truly random 16-character password with the full ASCII set gives roughly 105 bits of entropy, which is well beyond the reach of any current or projected brute-force attack. The point of a generator isn't novelty; it's removing the human bias that makes "strong-looking" passwords weak in practice.

  • One unique password per account — Credential stuffing (replaying leaked username/password pairs against other sites) is the single most common attack vector today. Have I Been Pwned tracks over 13 billion compromised credentials. A unique random password per site means one breach can't cascade.
  • Master password for your password manager — Bitwarden, 1Password, KeePassXC, and Apple Passwords all need one strong human-memorable secret. Generate a 5-6 word passphrase you can actually remember, or a 20+ character random string you'll keep on a recovery card in a safe.
  • API keys, webhook secrets, JWT signing keys — Machine-to-machine credentials never get typed, so crank length to 32-64 chars with all symbols. Higher entropy costs nothing when no human reads it.
  • Wi-Fi (WPA2/WPA3 PSK) — WPA2 supports 8-63 ASCII characters; 20+ random chars with ambiguous-character exclusion is a good fit since guests may need to type it. Pair with the QR Code Generator so guests scan instead of type.
  • Encryption passphrases for FileVault, BitLocker, LUKS, age, GPG — These guard data at rest and face offline attacks where the attacker can throw unlimited compute at the hash. Aim for 100+ bits of entropy (16+ random ASCII chars or 7+ random Diceware words).
  • Account-recovery secondary codes — When a site asks for a backup or recovery password, generate one and store it in your password manager rather than reusing or memorizing.

Password Strength by Length and Character Set

Entropy is calculated as L × log2(C) where L is length and C is character-set size. Each bit doubles the search space; ~80 bits resists online attacks indefinitely, ~100 bits resists offline GPU attacks, ~128 bits is overkill for anything short of nation-state actors.

Length Lowercase only (26) Letters + digits (62) Full ASCII (95) Rating
8 chars 37.6 bits 47.6 bits 52.6 bits Weak — crackable offline in hours
12 chars 56.4 bits 71.5 bits 78.8 bits Fair — fine for low-value online accounts
14 chars 65.8 bits 83.4 bits 92.0 bits Strong — bitwarden's default length
16 chars 75.2 bits 95.3 bits 105.2 bits Strong — recommended baseline
20 chars 94.0 bits 119.1 bits 131.4 bits Very Strong — master passwords, encryption keys
32 chars 150.4 bits 190.6 bits 210.3 bits Very Strong — API keys, infra secrets

Passphrase vs Random Characters (XKCD 936)

XKCD 936 popularized the idea that "correct horse battery staple" beats Tr0ub4dor&3 — and the math holds, but only when the words are picked randomly from a known list (typically the 7,776-word Diceware list, giving log2(7776) ≈ 12.92 bits per word).

Style Example Entropy Memorize? Type on phone?
4 random Diceware words cleric.tundra.bagel.zigzag ~51.7 bits Easy Slow
6 random Diceware words airship velvet quiet brick zest moss ~77.5 bits Doable Slow
8 random Diceware words oak prowl epoxy yacht crisp luge nimbus jolt ~103.4 bits Hard Painful
12 random ASCII chars K7$mPq2#Lw9! ~78.8 bits No Painful
16 random ASCII chars aR4!nQ7$mPq2#Lw9 ~105.2 bits No Painful
20 lowercase letters xkldqzmrnpvtbyhgowfs ~94.0 bits No OK

Use a passphrase when a human must type or recall it (master passwords, disk encryption). Use a random string for everything that lives in a password manager.

Frequently Asked Questions

Is this password generator cryptographically secure?

Yes. It uses window.crypto.getRandomValues(), the Web Crypto API's CSPRNG, which is seeded from the operating-system entropy source — /dev/urandom on Linux, BCryptGenRandom on Windows 10+, and SecRandomCopyBytes on macOS/iOS. This is the same source used for TLS session keys, SSH key generation, and JWT signing nonces. It is fundamentally different from Math.random(), which is a deterministic PRNG (typically xorshift128+ in modern V8) explicitly documented by MDN as "not safe to use for anything related to security." Bytes are mapped to the character set with rejection sampling so there is no modulo bias.

Why 15 characters minimum in 2026 — didn't 8 used to be fine?

NIST SP 800-63B Revision 4 (published 2024) raised the minimum length for passwords used as the sole authenticator to 15 characters; randomly generated passwords like the ones this tool produces have an 8-character floor. The change reflects GPU cracking economics: an RTX 4090 can test roughly 200 billion MD5 hashes/sec and ~5 billion bcrypt-cost-5 hashes/sec, so any 8-character password from a known character set falls in days or less. 15+ random characters with the full ASCII set takes the search space beyond what any current or near-future hardware can chew through.

Are special characters required for a strong password?

No — and NIST SP 800-63B Rev. 4 explicitly says verifiers "SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords." Length contributes more entropy per character added than any composition rule contributes overall. A 20-character lowercase-only password (94 bits) is stronger than a 12-character password with all four classes (78.8 bits). Enable symbols when the site allows them — but don't sacrifice length to fit a "must include a symbol" rule on a short password.

Passphrase or random characters — which should I pick?

If you need to remember or type it (master password, disk encryption, screen-lock PIN-replacement), use a passphrase — six random Diceware words ≈ 77.5 bits is memorable and strong. If it goes straight into a password manager and you'll never see it again, use random characters at 16+ length so each character carries more entropy than a Diceware word. XKCD 936's math is correct: 4 random words ≈ 51.7 bits, which beats a typical user-chosen "complex" 8-char password but is below modern minimums for high-value accounts on its own.

Why exclude ambiguous characters like 0/O and 1/l/I?

In most sans-serif fonts (and many serif ones), capital O and zero, lowercase L and capital I and the digit 1, and sometimes 5/S or 8/B are visually indistinguishable. That's a non-issue when the password lives in your clipboard, but it becomes a real problem when you're reading the password off a screen to type into a TV's Wi-Fi setup, dictating it over the phone to a support tech, or writing it on a recovery card. Excluding ambiguous chars removes about 6-10 characters from a 95-char set — roughly 0.1 bits of entropy per character, which you can recover by adding one extra character to the length.

Where should I save the generated password?

A dedicated password manager. Top free options in 2026: Bitwarden (open source, cross-platform, free tier covers unlimited passwords), Apple Passwords (built into iOS 18 / macOS Sequoia and later, syncs via iCloud Keychain), and KeePassXC (offline, local file). Paid: 1Password (individual plan $2.40/mo billed annually, $3.99/mo billed monthly). Avoid saving generated passwords in browser-only stores without a master password set, in plain-text files, or in note-taking apps without end-to-end encryption.

Can xconvert see the passwords I generate?

No. All generation runs in your browser via the Web Crypto API. The password string is created in JavaScript memory, displayed in the page DOM, and written to your clipboard when you click Copy — none of it is sent to a server, written to localStorage, or logged in analytics. You can verify by opening DevTools → Network and clicking Generate: there are no outbound requests. For extra confidence, load the page once, disconnect from the internet, and generation still works.

What if a site rejects my generated password?

The most common rejections: password contains a character the site bans (often <, >, ", \, or space — Regenerate with symbols off or a custom set), password is too long (some legacy systems truncate at 16 or 20 chars), or the site silently strips whitespace/special chars and your password manager then sees a mismatch on next login. When a site truncates or rejects, generate a fresh password at the longest allowed length using only letters and digits — 20 alphanumeric chars still gives ~119 bits of entropy.

Can I generate other kinds of secrets here?

Yes — xconvert has dedicated tools for related needs: UUID Generator for v4/v7 identifiers, Hash Generator for MD5/SHA-1/SHA-256 digests, and JWT Decoder for inspecting signed tokens. For machine credentials (API keys, webhook secrets), prefer length 32-64 with all classes enabled since no human ever types them.

Image Tools

Image CompressorCompress JPEGCompress PNGCompress GIFCompress WebPImage ConverterJPG ConverterImage Resizer

Video Tools

Video CompressorCompress MP4MP4 to GIFVideo to GIFVideo ConverterMP4 ConverterVideo Cutter

Audio Tools

Audio CompressorCompress MP3Compress WAVAudio ConverterMP3 ConverterFLAC to MP3Audio Cutter

Document Tools

Compress PDFMerge Images to PDFSplit PDFPDF to JPGUnzip FilesRAR Extractor
© 2026 XConvert.com. All Rights Reserved.
About UsPrivacy PolicyTerms of ServiceContactHelp Us Grow