DevPick

Password Generator

What Is a Password Generator?

A password generator creates unpredictable passwords using cryptographically secure random numbers. This tool uses the WebCrypto API (CSPRNG: Cryptographically Secure Pseudo-Random Number Generator) and processes everything in your browser. Generated passwords are never sent to any server. You can customize the length, character types (uppercase, lowercase, digits, symbols), and see real-time entropy and estimated crack time.

What Makes a Password Strong (How Entropy Works)

Password strength is measured by "entropy", a value in bits. Higher entropy means exponentially more guesses required for an attacker to crack your password.

Formula: Entropy = Length × log₂(Character Set Size)

For example, a 16-character password with uppercase + lowercase + digits + symbols (95 chars) has about 105 bits of entropy. At 1 trillion guesses per second, this would take billions of years to crack. An 8-character password, however, has only ~52 bits and could be cracked in hours.

Recommended: 80+ bits (achievable with 16 characters using all 4 character types).
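
The WebCrypto generation and the entropy formula described above, as an added JavaScript example (not DevPick's own code): characters are drawn from the CSPRNG with rejection sampling so that no character is favoured by modulo bias. The function names are hypothetical, and the 95-character set is assumed to be printable ASCII 0x20-0x7E (space included).

```javascript
// Added example, not DevPick's code. Browsers expose WebCrypto as globalThis.crypto;
// the require() fallback only matters on older Node.js runtimes.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Assumption: the page's 95-character set is printable ASCII 0x20-0x7E.
const PRINTABLE_ASCII =
  Array.from({ length: 95 }, (_, i) => String.fromCharCode(0x20 + i)).join("");

// Uniform integer in [0, n) by rejection sampling. A plain `value % n` would
// favour low indices whenever n does not divide 2^32 evenly.
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError("n must be an integer in [1, 2^32]");
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf); // CSPRNG output, never Math.random()
  } while (buf[0] >= limit);  // discard the biased tail and draw again
  return buf[0] % n;
}

function generatePassword(length, charset = PRINTABLE_ASCII) {
  const chars = [...new Set(charset)]; // duplicate characters would skew the odds
  if (chars.length < 2) throw new RangeError("need at least 2 distinct characters");
  let out = "";
  for (let i = 0; i < length; i++) out += chars[uniformIndex(chars.length)];
  return out;
}

// Entropy = Length x log2(Character Set Size). Valid only when every symbol is
// drawn uniformly at random, which is what generatePassword() guarantees.
function entropyBits(length, setSize) {
  return length * Math.log2(setSize);
}

// Seconds to exhaust the whole keyspace at the page's rate of 1 trillion guesses/s.
function exhaustSeconds(bits, guessesPerSecond = 1e12) {
  return 2 ** bits / guessesPerSecond;
}
```

The same `entropyBits` call covers passphrases when `length` is the word count and `setSize` is the wordlist size, for example `entropyBits(4, 7776)` for four Diceware words.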

Why You Should Never Use AI (ChatGPT) to Generate Passwords

In February 2026, security firm Irregular published research proving that passwords generated by large language models (LLMs) like ChatGPT and Claude are fundamentally weak. When asked to generate passwords 50 times, Claude produced only 23 unique passwords, with the same strings repeating 10-18 times. The estimated entropy was approximately 27 bits — dramatically lower than the ~98 bits achievable with cryptographic random generators (WebCrypto API). This is a design limitation of LLMs. They generate output by predicting the most probable next token from a probability distribution — the opposite of true randomness. Increasing the temperature parameter does not fix this fundamental issue. For password generation, always use tools powered by WebCrypto API (CSPRNG), like this one.

How to Create Strong Passwords

The safest way to create a password is with a cryptographic random generator. Human-created "random" passwords always contain patterns and biases. You don't need to memorize auto-generated passwords. Store them in a password manager (1Password, Bitwarden, etc.) and remember only your master password — this is modern best practice. If you must memorize a password, try "Passphrase" mode. A passphrase of 4-6 random words is both more secure and easier to remember than a short, complex password.

Frequently Asked Questions

How do I create a strong password I can remember?
The safest method is to use a cryptographic random generator like this tool. If you need something memorable, try the "Passphrase" mode. A passphrase combines random words (e.g., correct-horse-battery-staple) and is both high-entropy and easy to remember — often more secure than a short, complex password.
Are auto-generated passwords safe?
Passwords generated by this tool use the WebCrypto API (CSPRNG), the most secure random generation method recommended by security experts. However, you should not use AI tools like ChatGPT or Claude to generate passwords. A 2026 study by Irregular found that AI-generated passwords have only ~27 bits of entropy, compared to ~98 bits from cryptographic random generators — making them significantly weaker.
How is password strength measured?
Password strength is measured in "entropy" (bits). Entropy is calculated from the character set size and password length. For example, a 16-character password using uppercase, lowercase, digits, and symbols (~95 characters) has about 105 bits of entropy. Generally, 80+ bits is recommended for strong security.
Is an 8-character password safe?
An 8-character password is not considered safe by 2026 standards. Even with all character types (uppercase, lowercase, digits, symbols), an 8-character password has only about 52 bits of entropy. With GPU-accelerated brute force attacks (1 trillion guesses per second), it could be cracked in hours to days. We recommend at least 16 characters.
Are generated passwords sent to any server?
No, absolutely not. All processing happens entirely in your browser. The WebCrypto API is a built-in browser feature that requires no network communication. DevPick servers never receive, store, or log any passwords generated by this tool.
What's the difference between a password and a passphrase?
A password is a random combination of characters (e.g., xK9$mP2v), while a passphrase is a random combination of words (e.g., correct-horse-battery-staple). Passphrases are longer and thus have high entropy, but are easier to remember because they use real words. This tool uses the EFF Diceware wordlist (7,776 words) — 4 words give ~51.7 bits and 6 words give ~77.5 bits of entropy.