Password & Secret Generator
Generate cryptographically secure passwords, passphrases, and API keys. All generation happens entirely in your browser — nothing is ever sent to a server.
All passwords and passphrases are generated in your browser using the cryptographically secure crypto.getRandomValues() API. No passwords are sent to any server.
The passphrase generator downloads a 146,000-word dictionary (~1 MB) from our server on first use. The word list stays in your browser's memory and is not sent back — only the download itself touches the network.
Why Strong Passwords Matter
Weak passwords remain one of the most common causes of account compromises. Modern graphics processing units (GPUs) can test billions of password guesses per second against stolen password hashes. A simple eight-character lowercase password has fewer than 209 billion possible combinations — a high-end GPU cluster can exhaust that search space in under a minute.
As the length and character variety of a password grows, the time required to brute-force it increases exponentially. A 20-character password drawn from uppercase letters, lowercase letters, digits, and symbols has roughly 95^20 possible values — a number so large that even distributed cracking hardware would require billions of years to exhaust it.
For services hosted with NetOz — including shared hosting cPanel accounts, VPS root passwords, SSH keys, and API tokens — using a strong, unique password for each service is essential. A compromised hosting credential can expose every file, database, and email account on that server. A 20-character random password generated here costs nothing and provides an enormous security margin.
Approximate brute-force timelines (consumer hardware, bcrypt)
Password Entropy Explained
Password strength is measured in bits of entropy. Entropy quantifies unpredictability: a password with N bits of entropy requires, on average, 2^(N−1) guesses to crack through brute force. Each additional bit of entropy doubles the difficulty.
The formula is straightforward: entropy = length × log₂(charset_size). A 20-character password drawn from a 94-character set (upper, lower, digits, symbols) yields approximately 131 bits of entropy. Contrast this with a 20-character password using only lowercase letters (26 characters), which gives roughly 94 bits — still strong, but noticeably weaker.
Security experts generally recommend:
- Below 28 bits — Weak. Crackable in seconds to minutes.
- 28–60 bits — Fair to Good. Suitable for low-value accounts with rate limiting.
- 60–128 bits — Strong. Appropriate for most online accounts.
- 128+ bits — Very Strong. Suitable for encryption keys, root passwords, and high-value credentials.
This tool displays the entropy estimate for every generated password. The entropy shown is calculated from the actual character set used — not just the theoretical maximum — giving you an accurate picture of real-world strength.
Passphrases vs Passwords
The webcomic xkcd famously illustrated that "correcthorsebatterystaple" — four random common words strung together — is both easier to memorise and harder to brute-force than a cryptic eight-character substitution like "Tr0ub4dor&3". This is the core idea behind diceware passphrases.
A passphrase's strength depends on the word list size. This tool loads a 146,000-word English dictionary, providing roughly log₂(146,606) ≈ 17.2 bits per word. Four words gives ~69 bits of entropy; six words exceeds 103 bits — comparable to a 16-character fully random password. Even a small 300-word fallback list provides ~8.2 bits per word.
Passphrases shine in situations where you must type or remember a credential — server console access, encryption passphrases for GPG keys or SSH private keys, and password manager master passwords. For credentials stored in a password manager, a fully random high-entropy password remains the best choice.
The passphrase generator on this page loads a 146,000-word English dictionary (~1 MB) on demand from our server — the list stays in your browser's memory and is never sent back. Word selection uses crypto.getRandomValues() — the same Web Crypto API used by the password generator, ensuring no bias or predictability.
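The following is an added example, not this tool's own code: one way to select characters and words from crypto.getRandomValues() output without modulo bias, and to compute entropy with the length × log₂(charset_size) formula given earlier. The function names, the 94-character printable ASCII set, and the 8-word sample list are assumptions made for illustration.

```javascript
// Added example: unbiased selection with crypto.getRandomValues() plus the
// page's entropy formula. All function names here are hypothetical.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Uniform integer in [0, n) via rejection sampling. A plain `x % n` would
// favour low values whenever 2^32 is not an exact multiple of n.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit); // discard draws from the biased tail
  return buf[0] % n;
}

// Pick `count` items independently and uniformly from `pool`.
function pick(pool, count) {
  return Array.from({ length: count }, () => pool[randomIndex(pool.length)]);
}

// entropy = length × log₂(pool_size); holds only for uniform, independent picks.
function entropyBits(count, poolSize) {
  return count * Math.log2(poolSize);
}

// Assumed character set: 94 printable ASCII characters, '!' (0x21) to '~' (0x7E).
const CHARSET_94 = Array.from({ length: 94 }, (_, i) => String.fromCharCode(0x21 + i));

function generatePassword(length, charset = CHARSET_94) {
  return { value: pick(charset, length).join(''), bits: entropyBits(length, charset.length) };
}

function generatePassphrase(words, count, separator = '-') {
  const unique = [...new Set(words)]; // duplicate entries would overstate entropy
  return { value: pick(unique, count).join(separator), bits: entropyBits(count, unique.length) };
}

// Constructed 8-word list for demonstration only (3 bits per word).
const SAMPLE_WORDS = ['anchor', 'breeze', 'copper', 'dune', 'ember', 'fjord', 'glacier', 'harbor'];
console.log(generatePassword(20));
console.log(generatePassphrase(SAMPLE_WORDS, 4));
```

The entropy figure is only meaningful when every pick is uniform and independent, which is why the rejection loop matters: a biased index makes the real search space smaller than the formula reports.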
For NetOz customers: consider a passphrase for your SSH private key passphrase (used locally and never transmitted), and a long random password for your cPanel, WHM, or hosting control panel login. Use your password manager to store both, and enable two-factor authentication wherever available.