Secure Password Generator

100% client-side • Cryptographically secure • No data sent online

Generator options: password length (default 16 characters); include symbols, numbers, lowercase and uppercase letters; exclude similar characters; exclude ambiguous characters; auto-select the generated password; save my preferences.
Remember it: use the first letter of each word in a memorable sentence.

Password Security FAQ

How long should a secure password be?

A secure password should be at least 16 characters long. For critical accounts (banking, email, work), use 20+ characters. The longer the password, the harder it is to crack — a 20-character password with all character types has over 130 bits of entropy, making it virtually impossible to brute-force.

Is it safe to use an online password generator?

Yes — when generation happens entirely on your device. This generator uses the browser's built-in Web Crypto API (crypto.getRandomValues()), which produces cryptographically secure random values. No password is ever transmitted over the internet or stored on any server.

What makes a password strong?

A strong password has high entropy — randomness that makes it hard to guess or brute-force. Key factors: length (16+ characters), character variety (uppercase, lowercase, numbers, symbols), no dictionary words, and no personal information (names, birthdays, phone numbers).

Should I use the same password for multiple accounts?

Never. If one account is compromised, attackers use that password to access all your other accounts — this is called credential stuffing. Each account must have a unique, strong password. Use a trusted password manager to store them securely.

How often should I change my passwords?

Change passwords every 10–12 weeks, or immediately after a suspected breach. Always enable two-factor authentication (2FA) for an extra security layer — even if your password is leaked, attackers won't be able to log in without the second factor.

40+ Password Security Tips

To prevent your passwords from being hacked by social engineering, brute force, or dictionary attacks, and to keep your online accounts safe:

  1. Do not use the same password, security question, and answer for multiple important accounts.
  2. Use a password that has at least 16 characters, including at least one number, one uppercase letter, one lowercase letter, and one special symbol.
  3. Do not use the names of your family members, friends, or pets in your passwords.
  4. Do not use postcodes, house numbers, phone numbers, birthdates, ID card numbers, social security numbers, and so on in your passwords.
  5. Do not use any dictionary word in your passwords.
    Examples of strong passwords: ePYHc~dS*)8$+V-', qzRtC{6rXN3N\RgL, zbfUMZPE6`FC%)sZ.
    Examples of weak passwords: qwert12345, 1234567890, nortonpassword.
  6. Do not use two or more similar passwords where most characters are the same — for example, ilovefreshflowersMac and ilovefreshflowersDropBox. If one is stolen, all are compromised.
  7. Do not use something that cannot be changed as your password, such as your fingerprints.
  8. Do not let web browsers (Firefox, Chrome, Safari, Edge) store your passwords, since passwords saved in browsers can be revealed easily.
  9. Do not log in to important accounts on other people's computers, or when connected to a public Wi-Fi hotspot, Tor, free VPN, or web proxy.
  10. Do not send sensitive information over unencrypted connections (HTTP or FTP). Use HTTPS, SFTP, FTPS, SMTPS, and IPSec whenever possible.
  11. When travelling, encrypt your internet connections before they leave your device. Set up a private VPN with WireGuard, IKEv2, or OpenVPN on your own server.
  12. How secure is your password? If a hacker has stolen your password's MD5 hash from a server, and their rainbow table contains it, your password can be cracked instantly. Check with the MD5 Hash Generator.
  13. It's recommended to change your passwords every 10 weeks.
  14. If you keep passwords in a plain text file, encrypt that file with 7-Zip or GPG, or store it on a volume protected by disk encryption software such as BitLocker. Alternatively, use a trusted password manager.
  15. Encrypt and back up your passwords to multiple locations. If you lose access to your computer or account, you can retrieve them quickly.
  16. Turn on 2-step verification (2FA) wherever possible — authenticator apps are more secure than SMS codes.
  17. Do not store your critical passwords in the cloud without strong encryption.
  18. Access important sites (e.g. PayPal) from bookmarks directly. Always verify the domain name carefully to avoid phishing sites.
  19. Protect your computer with a firewall and antivirus software. Download software only from reputable sites and verify checksums (MD5/SHA256) or GPG signatures.
  20. Keep operating systems and web browsers up-to-date with the latest security patches.
  21. If important files are on a computer others can access, check for hardware keyloggers, software keyloggers, and hidden cameras when necessary.
  22. Wi-Fi signals can reveal what you type by detecting hand gestures. Use an on-screen keyboard for entering passwords in sensitive environments.
  23. Lock your computer and mobile phone whenever you step away.
  24. Encrypt your entire hard drive with VeraCrypt, FileVault, LUKS, or similar tools before storing important files.
  25. Access important websites in private/incognito mode, or dedicate one browser to important sites and another for general browsing.
  26. Use at least 3 different email addresses: one for important sites (banking, PayPal), one for unimportant sites, and one at a different provider to receive password-reset emails in case the first is compromised.
  27. Use at least 2 different phone numbers. Do not share the number you use to receive SMS verification codes.
  28. Do not click links in emails or SMS messages to reset passwords, unless you are certain those messages are legitimate.
  29. Do not share your passwords with anyone by email, text, or messaging apps.
  30. Be careful of supply-chain attacks: only install software from official, verified sources. Prefer web-based apps where possible.
  31. Be careful with online paste tools and screen capture tools — do not let them upload your passwords to the cloud.
  32. If you are a webmaster, never store users' passwords, security questions, or answers in plain text. Store salted hash values (SHA-256 or SHA-512) with a unique random salt per user. Also log device information and ask for re-verification when device info changes.
  33. If you are a software developer, sign update packages with a private key using GnuPG and publish the public key so users can verify authenticity.
  34. To keep your online business safe, register your own domain name and host your email on it — your email account can never be disabled by a third-party provider.
  35. If an online store only accepts credit cards, use a virtual credit card instead to limit exposure.
  36. Close your web browser when you leave your computer — open browser sessions can have cookies hijacked via USB devices, bypassing two-step verification.
  37. Distrust and remove bad SSL certificates from your browser. Bad certificates break the confidentiality of HTTPS connections.
  38. Encrypt the entire system partition, or disable the pagefile and hibernation functions — important data may be recoverable from pagefile.sys and hiberfil.sys.
  39. To prevent brute-force login attacks on servers, install intrusion detection software such as Fail2Ban or LFD (Login Failure Daemon).
  40. Where possible, prefer cloud-based software over locally installed apps to reduce exposure to supply-chain attacks.
  41. Periodically generate MD5 or SHA-1 checksums of all files on your computer and compare against a previously saved baseline to detect tampering or malware.
  42. Large organizations should implement AI-based intrusion detection systems including network behavior anomaly detection.
  43. Allow only whitelisted IP addresses to connect to or log in to critical servers and computers.