Password Generator
Generate cryptographically secure passwords with custom length and character sets. All computation happens locally in your browser — nothing is sent to any server.
Generate strong, crypto-secure passwords instantly.
What is a secure password?
A secure password is one that is difficult to guess or crack through automated attacks. The two main properties that determine password security are length and randomness. A long password built from truly random characters is exponentially harder to break than a short password — even a complex-looking one.
The problem with passwords humans create is that they aren't random. We use dictionary words, names, dates, keyboard patterns, and substitutions (like p@ssw0rd) that attackers know to try first. A password generator using cryptographic randomness produces combinations with no predictable patterns.
Password entropy — why length wins
Entropy measures how unpredictable a password is, expressed in bits. Each bit of entropy doubles the number of guesses an attacker needs. Here's how different configurations compare:
| Configuration | Charset size | Length | Entropy (bits) | Crack time (estimate) |
|---|---|---|---|---|
| Lowercase only | 26 | 8 | ~38 bits | Minutes |
| Lowercase + numbers | 36 | 10 | ~51 bits | Hours |
| Mixed case + numbers | 62 | 12 | ~71 bits | Months |
| Full charset (all types) | 95 | 16 | ~105 bits | Centuries |
| Full charset | 95 | 24 | ~157 bits | Heat death of the universe |
How does HexScan generate passwords?
This tool uses the crypto.getRandomValues() Web Cryptography API, which is available in all modern browsers. This API draws from the operating system's cryptographically secure random number generator (CSPRNG) — the same source used to generate TLS keys, session tokens, and cryptographic nonces.
It does not use Math.random(), which is a pseudorandom generator not suitable for security purposes. The difference matters: Math.random() outputs are predictable if you know the seed; crypto.getRandomValues() outputs are not.
How are passwords stored — MD5, bcrypt, and Argon2
Even a perfect password is useless if the service storing it handles it poorly. When a website stores your password, it should never store the plaintext — it should store a hash. Not all hashing algorithms are equal:
- MD5 / SHA-1 — Never acceptable for passwords. These are fast hashing algorithms, meaning GPUs can test billions of guesses per second against them.
- bcrypt — Acceptable. Designed to be slow. Has a cost factor that can be increased over time. Widely supported. Limit: max 72 bytes input.
- Argon2id — Current best practice. Winner of the Password Hashing Competition (2015). Resistant to both GPU and side-channel attacks. Use this in new projects.
- scrypt / PBKDF2 — Acceptable alternatives. PBKDF2 is FIPS-approved, useful in regulated environments.
Best practices for using generated passwords
- Use a unique password for every service. If one is breached, others remain safe.
- Store passwords in a reputable password manager (Bitwarden, 1Password, KeePassXC) — never in a text file, browser notes, or email draft.
- Use 16+ characters for regular accounts, 24+ for email and financial accounts.
- Enable two-factor authentication (2FA) wherever possible. A strong password plus 2FA is dramatically more secure than a strong password alone.
- Never reuse passwords across sites — this is the most common cause of account takeovers after a breach.