PasswordCrunch.com is a free, browser-based tool that generates cryptographically secure passwords, passphrases and PINs. All generation happens locally on your device using the Web Crypto API — no data is ever sent to a server, stored or logged. Use it to create strong random passwords for any account, generate memorable passphrases, produce numeric PINs, or instantly check the strength of an existing password.
Generated locally in your browser using the Web Crypto API. Never sent to any server.
Password Generator
Generate a strong, random password using your browser's cryptographically secure random number generator. Set the length (we recommend at least 16 characters) and choose which character types to include. Your password is generated instantly and never leaves your device.
Passphrase Generator
A passphrase is a sequence of random words used as a password — for example, copper-falcon-river-42. Four randomly chosen words provide roughly 50 bits of entropy, making a passphrase both highly secure and far easier to remember than a string of random characters. Security researchers and NIST guidelines recommend passphrases as a practical alternative to complex passwords.
PIN Generator
Generate a random numeric PIN of 4, 6 or 8 digits. PINs are used alongside physical devices and cards where hardware lockout protects against brute-force attacks. Each PIN is generated using a cryptographically secure random number generator, so the result is statistically unpredictable.
Bulk Password Generator
Generate up to 50 unique, random passwords at once — useful for populating a password manager, rotating credentials after a data breach, or provisioning multiple accounts. Each password is independently generated using the browser's Web Crypto API and uses the settings from the Password Generator tab.
Password Strength Checker
Type or paste any password to get an instant strength rating based on its entropy — a measure of how many possible combinations an attacker would need to try to crack it. The checker scores passwords as Weak, Fair, Strong or Very Strong and estimates how long a brute-force attack would take. Everything runs in your browser; the password you type is never sent anywhere.
Frequently Asked Questions
A strong password is at least 16 characters long and combines uppercase and lowercase letters, numbers and symbols. Avoid anything personal like names, birthdays or common words. The best approach is to use a password generator like this one so the result is truly random and unpredictable.
Security comes down to length, randomness and uniqueness. A longer password has exponentially more possible combinations, making it far harder to crack. Random characters are harder to guess than patterns or words. And using a unique password for every account means one breach can't expose everything else.
A passphrase is a sequence of random words, like "copper-falcon-river-42". It's easier to remember than a string of random characters but can still be very secure if the words are chosen randomly and there are enough of them. Security experts increasingly recommend passphrases because they balance memorability with strength.
For most accounts, 16 characters is a solid minimum. For highly sensitive accounts like banking or email, aim for 20 or more. Password length is one of the biggest drivers of security — each extra character multiplies the difficulty for an attacker enormously.
Yes. Every password is generated entirely inside your browser using your device's cryptographically secure random number generator. Nothing is ever sent to a server, stored, or logged. You can even disconnect from the internet and the tool still works.
The most commonly used weak passwords include "123456", "password", "qwerty", "abc123" and "letmein". Passwords based on your name, birthday, pet's name or favourite team are also easily guessed. Security researchers at NordPass and Have I Been Pwned have found these patterns appearing in billions of leaked credentials.
Password entropy is a measure of how unpredictable a password is, expressed in bits. It is calculated from the character set size and the password length: entropy = length × log₂(character set size). A 16-character password using uppercase, lowercase, numbers and symbols has roughly 105 bits of entropy — considered very strong. Higher entropy means more possible combinations, and therefore more time required to crack the password by brute force.
Yes — a password manager is the most practical way to use strong, unique passwords for every account without memorising them. Generate a long random password here, then save it in a manager like Bitwarden, 1Password or Dashlane. Your password manager only needs one strong master password. Use our Passphrase Generator to create a memorable one for it.
Credential stuffing is an attack where hackers take username and password pairs from one data breach and automatically try them against other services. It works because most people reuse the same password across multiple accounts. Using a unique, randomly generated password for every account makes credential stuffing completely ineffective — even if one account is compromised, the credentials cannot be used anywhere else.
About PasswordCrunch.com
PasswordCrunch.com is a free, client-side password generation tool. It is designed for anyone who needs strong credentials for online accounts, password managers, developer environments or any other use case. The tool runs entirely in the browser with no server-side component — this means no sign-up is required, no usage is tracked and no generated passwords are stored or transmitted.
How PasswordCrunch generates secure passwords
PasswordCrunch uses window.crypto.getRandomValues(), the browser's built-in cryptographically secure pseudorandom number generator (CSPRNG). This is the same underlying API used by financial institutions and security software. A CSPRNG produces outputs that are statistically random and computationally unpredictable — meaning even if an attacker observed previous outputs, they could not predict future ones. The implementation uses rejection sampling to eliminate modulo bias, ensuring every character in the generated password is equally likely to appear.
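The rejection-sampling step described above, shown as an added example: this is not PasswordCrunch's own code, and the function names and the 94-character set are assumptions for illustration. It counts the bias a plain `byte % 94` would introduce, then draws each index by discarding bytes of 188 or more.

```javascript
// Added illustration; not PasswordCrunch's source. All names here are hypothetical.
const CHARSET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' +
  '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'; // the 94 printable ASCII characters

// Default byte source: the Web Crypto CSPRNG (browsers and current Node.js).
const cryptoFill = (buf) => globalThis.crypto.getRandomValues(buf);

// How often each index would appear if all 256 byte values were reduced with % n.
// Unequal counts are the modulo bias that rejection sampling removes.
function moduloCounts(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}

// Uniform index in [0, n): accept only bytes below the largest multiple of n <= 256.
function uniformIndex(n, fill = cryptoFill) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('n must be an integer between 1 and 256');
  }
  const limit = 256 - (256 % n); // 188 when n = 94
  const buf = new Uint8Array(1);
  for (;;) {
    fill(buf);
    if (buf[0] < limit) return buf[0] % n;
    // Rejected: bytes in [limit, 255] would over-represent the low indexes.
  }
}

// Build a password one uniformly chosen character at a time.
function generatePassword(length, charset = CHARSET, fill = cryptoFill) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += charset[uniformIndex(charset.length, fill)];
  }
  return out;
}

// Entropy in bits, using the page's formula: length × log2(character set size).
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}
```

The `fill` parameter exists so the byte source can be replaced with a fixed sequence when checking the rejection logic; in normal use it is left at its default.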
Key security terms explained
Password entropy
A measure of how unpredictable a password is, expressed in bits. Calculated as: length × log₂(character pool size). A 20-character password using all character types has approximately 131 bits of entropy — far beyond what any current hardware can crack.
CSPRNG (Cryptographically Secure Pseudorandom Number Generator)
An algorithm that generates numbers that are indistinguishable from true randomness for security purposes. Unlike basic random functions (which are predictable given the seed), a CSPRNG's earlier outputs cannot be used to work out its internal state or predict later outputs. The Web Crypto API call used by this tool, window.crypto.getRandomValues(), is backed by a CSPRNG.
Brute-force attack
An attack method where a computer systematically tries every possible combination of characters until it finds the correct password. A 16-character password using 94 possible characters would require up to 94¹⁶ attempts — a number that exceeds the capacity of all computing power on Earth to exhaust in any reasonable timeframe.
Dictionary attack
An attack that tests passwords against lists of common words, names and known passwords. Any password containing recognisable words, phrases or patterns is vulnerable. Randomly generated passwords are immune to dictionary attacks because they contain no linguistic patterns.
Credential stuffing
An automated attack that takes username and password combinations from one leaked database and tests them against other services. It exploits password reuse — which is why using a unique password for every account is one of the most effective security practices available.
Passphrase
A password made up of multiple random words, such as "maple-comet-frost-42". The security of a passphrase comes from the randomness of word selection, not from complexity. Four randomly chosen words from a list of 250 words gives over 62 bits of entropy — enough to resist brute-force attacks for billions of years at current computing speeds.
Standards and references
PasswordCrunch's recommendations align with NIST Special Publication 800-63B (Digital Identity Guidelines), which recommends prioritising password length over complexity requirements, avoiding mandatory rotation of non-compromised passwords and checking passwords against lists of known-breached credentials. The tool's cryptographic implementation follows the W3C Web Cryptography API specification.