Entropy = L × log₂(N) — Length & Variety
16+ chars, mixed types. Entropy bits, crack time. crypto.getRandomValues().
✨ The Fun Behind This
Why It's Fun
Entropy measures unpredictability. More bits = exponentially harder to brute-force.
How It Works
H = L × log₂(N). Full charset ≈ 94. 16 chars × log₂(94) ≈ 105 bits. crypto.getRandomValues() for security.
Key Insights
- ●NIST: min 8 chars for user-chosen, 6 for random. Length matters most.
- ●94^16 ≈ 3.7×10³¹ combinations. More than atoms in the human body.
- ●XKCD: 4 random words can be stronger than "Tr0ub4dor&3".
Generate Strong Passwords
Customize length, character sets, and get entropy + crack time estimates. Cryptographically secure.
🔐 Quick Examples — Click to Load
Settings
Choose password length (8–128 chars), character types, and how many passwords to generate. Select at least one character type.
For educational and informational purposes only. Verify with a qualified professional.
🎲 Fun Facts
Full charset: 26+26+10+32 ≈ 94 symbols.
— Combinatorics
"Correct Horse Battery Staple" — XKCD popularized passphrases.
— XKCD 936
Uses crypto.getRandomValues() — cryptographically secure.
— Web API
📋 Key Takeaways
- • Entropy measures password unpredictability: H = L × log₂(N). More bits = harder to crack.
- • Use at least 12 characters (16+ recommended) with mixed character types for strong passwords.
- • Avoid dictionary words — random strings are far stronger than "Password123!"
- • Use a password manager to store unique passwords for each site.
💡 Did You Know?
📖 How It Works: Entropy & Security
Entropy quantifies how many possible combinations exist. Formula: H = L × log₂(N), where L = length, N = character set size. A 16-char password with 94 symbols has 16 × log₂(94) ≈ 105 bits.
Character Set Sizes
Uppercase: 26 | Lowercase: 26 | Numbers: 10 | Symbols: ~32. Full set ≈ 94. Excluding ambiguous (0,O,l,1) reduces slightly.
Crack Time Estimates
Assuming ~10 billion guesses/second (typical GPU cluster): 40 bits ≈ minutes, 60 bits ≈ years, 80+ bits ≈ centuries. Real attackers use optimized tools — use 80+ bits for critical accounts.
Password Managers
Store generated passwords in a password manager (1Password, Bitwarden, LastPass). Use a strong master password and enable 2FA. Never reuse passwords across sites.
🎯 Expert Tips
💡 Length > Complexity
A 20-char lowercase password can be stronger than 12 chars with symbols. Length exponentially increases combinations.
💡 Use for Each Site
Generate a unique password per account. One breach won't compromise others.
💡 API Keys & Tokens
For API keys, use 32–64 chars. More length = more security for long-lived secrets.
💡 Exclude Ambiguous
When typing on mobile or sharing, exclude 0,O,l,1 to avoid confusion.
⚖️ Entropy by Configuration
| Config | Charset Size | 16-char Entropy | Crack Time |
|---|---|---|---|
| Lowercase only | 26 | 75 bits | Years |
| Lower + Upper | 52 | 91 bits | Centuries |
| + Numbers | 62 | 95 bits | Centuries |
| + Symbols (full) | 94 | 105 bits | Beyond practical |
Entropy = length × log₂(charset size). Doubling length adds 1 bit per character; doubling charset adds 1 bit per character.
📝 Step-by-Step: How Passwords Are Generated
1. Build character set: Combine selected types (uppercase, lowercase, numbers, symbols). If "exclude ambiguous" is on, remove 0,O,I,l,1 from respective sets.
2. Generate random bytes: Use crypto.getRandomValues() to get cryptographically secure random numbers for each character position.
3. Map to characters: For each position, take randomByte % charsetSize to pick a character. Append to password.
4. Compute entropy: H = length × log₂(charsetSize). Example: 16 chars, 94 symbols → 16 × 6.55 ≈ 105 bits.
5. Estimate crack time: At 10^10 guesses/sec, 2^entropy / 10^10 seconds. 60 bits → 2^60 / 10^10 ≈ 10^8 years.
❓ Frequently Asked Questions
How strong should my password be?
For most accounts, 12–16 characters with mixed types (80+ bits entropy) is sufficient. For email, banking, or work: 16+ chars, 90+ bits.
What is entropy?
Entropy (in bits) measures unpredictability. Formula: length × log₂(charset size). 128 bits = 2^128 combinations to try.
Is this generator secure?
Yes. It uses crypto.getRandomValues(), the Web Crypto API's cryptographically secure random number generator. Passwords are generated in-browser and never sent anywhere.
Should I use symbols?
Symbols increase charset size and thus entropy. But length matters more — a 20-char alphanumeric can beat 12-char with symbols.
What are ambiguous characters?
0 (zero) vs O (letter), 1 (one) vs l (lowercase L). Excluding these helps when typing on phones or reading aloud.
How many passwords should I generate?
Generate one per account. Use "Number of passwords" to get several options and pick one you haven't used.
Can I use this for WiFi?
Yes. WPA2 supports 8–63 characters. Use 20+ chars with all character types for strong WiFi security.
What about passphrases?
Passphrases (e.g., "correct-horse-battery-staple") can be strong if words are random. This tool generates random strings; for passphrases, use a dedicated passphrase generator.
Can I use custom symbols only?
No — you must select at least one of uppercase, lowercase, numbers, or symbols. Custom symbols add to the symbol set; they don't replace it.
Why is my strength score low?
Short passwords or limited character sets reduce entropy. Use 16+ chars with all four character types for 90+ strength.
Is it safe to generate passwords on public WiFi?
Yes. Generation happens entirely in your browser. Nothing is sent over the network. Still, copy and store in a password manager promptly.
📊 Security Stats
📚 Sources
🎯 Use Cases
Website & App Logins
16+ chars, all character types. Generate one per account. Store in a password manager.
API Keys & Tokens
32–64 chars for long-lived secrets. Full charset. High entropy critical.
WiFi Passwords
20+ chars, WPA2 compatible. Exclude ambiguous if typing on phones to share with guests.
PINs & Short Codes
8–12 digits only for PINs. Lower entropy but acceptable for secondary auth.
🔒 Advanced Security Notes
Hashing vs Encryption: Websites should store password hashes (bcrypt, Argon2), not plain text. A breach of hashed passwords still requires cracking each hash — strong passwords resist this.
Rainbow Tables: Precomputed hash tables can crack weak passwords instantly. Random, high-entropy passwords are immune to rainbow table attacks.
Phishing: No password strength helps if you enter it on a fake site. Always verify URLs. Use a password manager to auto-fill only on correct domains.
Two-Factor Authentication: Enable 2FA (TOTP, hardware keys) wherever possible. A strong password + 2FA is far more secure than password alone.
⚠️ Common Password Mistakes
⚠️ Disclaimer: This tool generates passwords locally in your browser. Never share generated passwords. Use a password manager to store them securely. We do not store or transmit any generated passwords.
Related Calculators
Bingo Number Generator
Generate and track bingo numbers for 75-ball (US) and 90-ball (UK) games. Auto-call speeds, bingo card display, call history, and remaining numbers.
QuirkyCoin Flip Simulator
Flip a coin with statistics tracking. See heads/tails percentages, streaks, and probability analysis up to 100,000 flips.
QuirkyDice Roller Calculator
Roll dice with statistics. Supports d4, d6, d8, d10, d12, d20, d100. Track frequency, averages, and probability.
QuirkyLottery Number Generator
Generate random lottery numbers for Powerball, Mega Millions, Pick 3, Pick 4, and custom games. Includes odds calculations.
QuirkyPIN Generator Calculator
Generate random PIN numbers with customizable length, quantity, and security options. Strength rating, combinations possible, and crack time estimates.
QuirkyPoker Hand Probability Calculator
Calculate odds of poker hands in Texas Hold'em, 5-Card Draw, and Omaha. Hand strength, pot odds, and expected value.
Quirky