Passwords nobody can crack.
Cryptographically secure random passwords with adjustable length and character mix. Live entropy meter and crack-time estimate. Generated in your browser, never sent anywhere.
Why length beats complexity.
The single most-repeated bad password advice is "make it complex." Length matters more. A 20-character password of just lowercase letters is harder to crack than an 8-character password with every symbol type. Here is the math, the threats, and the rules that actually hold up in 2026.
Entropy The number
entropy (bits) = length × log2(charset size)
Each bit doubles the number of possible passwords. 60 bits = 1 quintillion options. 80 bits = NIST 2024 minimum. 100+ bits = uncrackable for the foreseeable future. The bigger the number, the harder to brute-force.
Length over complexity Rule
20 lowercase chars (94 bits) > 8 mixed chars (52 bits)
Doubling length doubles the exponent. Adding character types adds a small linear gain. Going from 12 to 20 chars roughly squares the strength. Going from lowercase to mixed-case just multiplies the charset size by ~2, which is about 1 extra bit per character.
crypto.getRandomValues RNG
Cryptographically secure, not Math.random
The browser's crypto.getRandomValues uses OS-level entropy (hardware noise, system events). Banks, password managers, and crypto wallets all use it. Math.random is fast but predictable and unsafe for passwords.
Online vs offline cracking Threat
Online: ~10 guesses/sec. Offline: ~1 trillion/sec.
Online attacks are throttled by rate limits and CAPTCHA. Offline attacks (the attacker stole the password database) can run a trillion guesses per second on a GPU farm. Always assume offline when choosing length.
Password reuse Risk
One breach = every reused account compromised
The biggest password risk is not crackability, it is reuse. 800 million credentials are floating around in breach databases (Have I Been Pwned). If you reuse, one breach gives attackers your login on every other site. Use a password manager.
Two-factor auth Defense
Password + TOTP = practically uncrackable
A strong password matters only when 2FA is off. With 2FA (especially TOTP from an authenticator app, not SMS), even a leaked password is useless without the second factor. Turn it on for every account that supports it.
Crack times at modern GPU speed (~1 trillion guesses/sec)
Sources: NIST SP 800-63B Digital Identity Guidelines, Hive Systems 2024 Password Cracking Report, Have I Been Pwned breach data.
Honest answers.
Yes. The generator uses the browser's built-in cryptographic random number source (window.crypto.getRandomValues), the same source banks use for session tokens and what every password manager uses under the hood. This is not Math.random, which is not cryptographically secure. Every character is independently sampled from your selected character set, so the password is provably uniform-random.
Entropy is the amount of randomness in a password, measured in bits. Each bit doubles the number of possible passwords. A 60-bit password has 2^60 (about 1.15 quintillion) possible values. NIST's 2024 guidance recommends a minimum of 80 bits for most uses, 100+ for high-stakes accounts. The formula: entropy = length × log2(charset size). A 16-character password using all four character types has ~104 bits, which is excellent.
16 characters minimum for normal accounts. 20+ for email, banking, and password managers (your master password protects every other one). 12 was sufficient a decade ago; modern GPU-based password cracking has shifted the bar up. Length matters more than complexity: a 20-character password of just lowercase letters (94 bits) is stronger than an 8-character password with every symbol type (52 bits).
Only if you will be typing the password manually or reading it aloud. Excluding 1/l/I and 0/O makes the password easier to transcribe without errors. The trade-off: it slightly reduces entropy (roughly 0.5 bits per character). For passwords stored in a password manager (never typed by hand), keep all characters for maximum strength. For Wi-Fi passwords you share verbally, exclude similar characters.
Less than you think. Most password strength comes from length, not from character types. Many sites still require at least one symbol, so we leave it on by default. If a site rejects symbols, just increase the length: a 24-character lowercase-only password is stronger than a 16-character one with symbols. The hardest passwords to crack are long, not exotic.
The crack-time estimate is how long an attacker with modern hardware (a GPU cluster doing ~1 trillion guesses per second) would take to brute-force your password on average. This assumes the attacker has the hashed password and can make guesses offline. For online attacks (typing guesses into a website), rate limits make any password over 60 bits effectively uncrackable. The estimate becomes meaningless past about 100 years; at that point the password is uncrackable for practical purposes.
Yes. The password is generated entirely in your browser using crypto.getRandomValues. It is never sent to systeme.io, never stored, never logged. You can verify by opening DevTools and watching the network tab while you generate. Close the tab and the password is gone unless you saved it elsewhere (a password manager is the right place).
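The answers above on random sampling, entropy, and crack time can be tied together in one sketch. This is an added example, not the generator's own code: the character sets, function names, and the use of rejection sampling to keep each character uniform are assumptions made for illustration.

```javascript
// Works in browsers and in Node (falls back to node:crypto's webcrypto).
const webCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Assumed character sets; the page does not list the exact symbols it uses.
const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.<>?/',
};

// Uniform integer in [0, n) by rejection sampling: a plain `value % n`
// would favour low indices whenever n does not divide 2^32.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, charset) {
  let out = '';
  for (let i = 0; i < length; i++) out += charset[randomIndex(charset.length)];
  return out;
}

// entropy (bits) = length × log2(charset size)
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

// Average brute-force time: half the keyspace at the given guess rate.
function averageCrackSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits - 1) / guessesPerSecond;
}

const charset = SETS.lower + SETS.upper + SETS.digits + SETS.symbols;
const password = generatePassword(20, charset);
const bits = entropyBits(password.length, charset.length);
const YEAR = 365.25 * 24 * 3600;
console.log(password, bits.toFixed(1) + ' bits');
console.log('offline, 1e12/s:', (averageCrackSeconds(bits, 1e12) / YEAR).toExponential(2), 'years');
console.log('online, 10/s:', (averageCrackSeconds(bits, 10) / YEAR).toExponential(2), 'years');
```

The two rates passed to `averageCrackSeconds` are the page's own online (~10 guesses/sec) and offline (~1 trillion guesses/sec) figures.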