Why use a random password generator?
Humans are poor at being random. When we create passwords, we instinctively reach for patterns — birthdays, pet names, keyboard walks like "qwerty123". Attackers know this and exploit it with dictionary attacks that crack predictable passwords in seconds.
A cryptographic password generator eliminates that bias. It produces a string that is practically impossible to predict or guess.
What makes a password secure?
- Length: Aim for at least 16 characters; 12 is the practical minimum.
- Complexity: A mix of uppercase, lowercase, numbers, and symbols.
- Uniqueness: No dictionary words, no personal dates, different for every account.
How the strength checker works
Most online password checkers are a privacy risk in themselves — they send your password to a server to analyse it. This tool does not do that. Everything runs locally, inside your browser. You can disconnect from the internet and it still works.
Data breach check (k-Anonymity)
To check whether your password has appeared in a known breach, we use a privacy-preserving technique called k-Anonymity:
- Your password is hashed locally using SHA-1.
- Only the first 5 characters of that hash are sent to the Have I Been Pwned API.
- The API returns hundreds of partial hash matches. Your browser finds the specific match locally — the full hash never leaves your device.
Result: neither we nor the API ever know what password you entered.
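The three steps above, sketched in JavaScript as an added example (this is not the tool's own code). The `SUFFIX:COUNT` response format, the injected `fetchRange` helper and the sample response are assumptions; the sample is constructed and no network request is made.

```javascript
// SHA-1 via the browser's Web Crypto API; returns 40 uppercase hex characters.
async function sha1Hex(password) {
  const digest = await crypto.subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Only `prefix` (5 hex chars) is ever sent; `suffix` (35 chars) stays local.
function splitHash(hashHex) {
  if (!/^[0-9A-Fa-f]{40}$/.test(hashHex)) throw new Error('not a SHA-1 hex digest');
  const h = hashHex.toUpperCase();
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// Search the range response locally. Returns the breach count, or 0 if absent.
// Assumed response format: one "SUFFIX:COUNT" entry per line.
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) return parseInt(count, 10) || 0;
  }
  return 0;
}

// Full check. fetchRange(prefix) is a hypothetical injected helper that returns
// the response body for a prefix, so the only value leaving the device is explicit.
async function pwnedCount(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(suffix, await fetchRange(prefix));
}

// Constructed sample response for prefix 5BAA6 (suffixes and counts are made up,
// except that the middle suffix belongs to SHA-1("password")).
const SAMPLE_RANGE = [
  '0123456789ABCDEF0123456789ABCDEF012:7',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345',
  'FEDCBA9876543210FEDCBA9876543210FED:0', // count 0 is treated as "not found"
].join('\r\n');

// Offline demo: the stub records what would have been sent to the API.
if (globalThis.crypto?.subtle) {
  const sent = [];
  pwnedCount('password', async (p) => { sent.push(p); return SAMPLE_RANGE; })
    .then((n) => console.log(`sent: ${sent}, seen in breaches: ${n}`));
}
```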
Habits that actually protect your accounts
- Use a password manager: Don't try to memorise complex passwords. Tools like Bitwarden or Proton Pass store them securely and fill them automatically.
- Enable two-factor authentication: Even if a password leaks, 2FA stops attackers from getting in without a second device.
- Unique password per site: If one service gets breached, attackers can't reuse those credentials anywhere else.