Password Generator

A password generator creates strong, random passwords using customizable length and character settings. Set your preferred length and character types below to instantly generate secure passwords that meet Active Directory complexity requirements and security best practices.

What Is a Password Generator?

A password generator is a tool that creates random character strings for use as account passwords. Unlike manually chosen passwords, which tend to follow predictable patterns, a generated password uses a cryptographically secure random number algorithm to select characters from a defined character set. This makes generated passwords significantly harder to crack through brute force or dictionary attacks.

This generator runs entirely in your browser using the Web Cryptography API (crypto.getRandomValues). No passwords are transmitted to any server or stored anywhere. The generated passwords exist only in your browser session until you copy and save them.

How to Create a Strong Password

Length Requirements

Password length is the single most important factor in password security. Each additional character multiplies the number of possible password combinations by the size of the character set. A 16-character password using 94 printable ASCII characters has 94^16 possible combinations — approximately 3.7 × 10^31 — making it computationally infeasible to brute-force even with modern hardware. NIST Special Publication 800-63B recommends a minimum length of 8 characters but encourages longer passwords, and most security professionals recommend 16 or more characters for any sensitive account.

Character Variety

Using more character categories increases the effective character set size, which increases entropy per character. A password using only lowercase letters (26 characters) has significantly less entropy per character than one using uppercase, lowercase, numbers, and symbols (approximately 94 characters). Adding each category increases the search space for attackers. Symbols are particularly valuable because many word-list attacks (dictionary attacks) do not include special character substitutions by default.

Avoiding Common Patterns

Human-chosen passwords almost always follow predictable patterns: names with birth years, keyboard walks like "qwerty123", l33t-speak substitutions like "p@ssw0rd", or dictionary words with a number appended. These patterns are well-known to attackers who use rule-based cracking tools like Hashcat with predefined rule sets. A random password generator eliminates these patterns entirely by making selections that have no semantic or positional relationship to each other.

Active Directory Password Complexity Requirements

Default AD Complexity Policy

Active Directory's default password complexity policy, governed by the "Password must meet complexity requirements" group policy setting, enforces rules designed to prevent simple passwords across Windows domain environments. When enabled, this policy checks new passwords against specific criteria before accepting them. The policy is enabled by default in all Active Directory domain controllers. Organizations can also implement Fine-Grained Password Policies (FGPP) to apply different complexity requirements to different user groups.

Minimum Length

The default AD minimum password length is 7 characters, but this is widely considered insufficient by current security standards. Most organizations set a minimum of 12 to 14 characters through Group Policy Object settings. The "Minimum password length" policy (located in Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy) should be set to at least 12 in any modern enterprise environment. NIST and Microsoft both recommend minimum lengths of 8 characters absolute minimum, with 16+ recommended for privileged accounts.

Character Category Requirements

AD complexity requirements mandate that passwords must contain characters from at least three of the following four categories: uppercase letters (A–Z), lowercase letters (a–z), numeric digits (0–9), and non-alphanumeric symbols (!@#$%^&*). Additionally, the password cannot contain the user's account name or any part of the user's full name that exceeds two consecutive characters. This prevents passwords like "JohnSmith123" from meeting complexity requirements even though they contain multiple character types.

Password Strength Explained

What Makes a Password Strong

Password strength is determined by two factors: length and character set size. A password is considered strong when it is long enough and uses enough different character types that an attacker cannot find it within a practical timeframe, even with access to fast cracking hardware. A modern GPU cluster can test billions of password hashes per second, which means an 8-character all-lowercase password can be cracked in hours. The same password length with all character categories takes years. At 16+ characters with full character variety, even a nation-state actor with massive computing resources would need centuries to brute-force the password.

Password Entropy

Entropy measures password unpredictability in bits. It is calculated as: Entropy = Length × log₂(Charset Size). A password using 94 printable ASCII characters at 16 characters long has 16 × log₂(94) = 16 × 6.55 = 104.8 bits of entropy. General entropy thresholds: below 40 bits is weak, 40–79 bits is medium, 80–119 bits is strong, and 120+ bits is very strong. For context, a 256-bit AES encryption key is considered unbreakable with current technology, so a password with 80+ bits of entropy provides substantial real-world security for most use cases.

Password Best Practices

Use a Password Manager

A password manager stores all your passwords in an encrypted vault protected by a single master password. This eliminates the need to memorize multiple complex passwords and makes it practical to use a unique, randomly generated password for every account. Popular password managers include Bitwarden (open source), 1Password, and Dashlane. Most offer browser extensions that auto-fill credentials and can detect when you reuse passwords or use weak ones.

Never Reuse Passwords

Password reuse is one of the most common attack vectors. When a website suffers a data breach and hashed passwords are leaked, attackers crack those hashes and then attempt the same credentials on other services — a technique called credential stuffing. If you reuse a password from a breached site on your banking or email account, attackers will try it. Using a unique generated password for every account ensures that one breach cannot cascade into account takeovers elsewhere. Check Have I Been Pwned to see if your email has appeared in known data breaches.

Enable Two-Factor Authentication

Two-factor authentication (2FA) adds a second verification step beyond your password. Even if an attacker obtains your password through phishing, a keylogger, or a data breach, they cannot access your account without also possessing your second factor. Time-based One-Time Password (TOTP) apps like Google Authenticator and Authy are significantly more secure than SMS-based 2FA, which is vulnerable to SIM-swapping attacks. Enable 2FA on all accounts that support it, especially email, banking, and any accounts that store personal information.

Frequently Asked Questions

How long should a password be?

NIST SP 800-63B recommends a minimum of 8 characters, but security professionals recommend 16 characters as a practical minimum for most accounts. For privileged accounts, administrator accounts, or accounts storing sensitive data, 20 or more characters is advisable. The longer the password, the exponentially harder it is to brute-force. With a full character set at 16 characters, cracking would take centuries on current hardware.

What are AD password complexity requirements?

Active Directory's default complexity policy requires passwords to contain characters from at least 3 of these 4 categories: uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and symbols (!@#$%). The password cannot contain the username or more than two consecutive characters from the full name. The default minimum length is 7 characters, but this should be increased to at least 12 through Group Policy in any enterprise environment.

Is a 12 character password secure?

A 12-character password using all four character categories (uppercase, lowercase, numbers, symbols) has approximately 79 bits of entropy and is considered medium to strong. It is sufficient for most general-purpose accounts and meets modern security recommendations. However, for privileged accounts, financial accounts, or password manager master passwords, 16 or more characters is a better choice.

Should passwords include symbols?

Yes. Including symbols significantly increases the character set size from about 62 (letters + numbers) to 94 (all printable ASCII), which increases entropy per character by roughly 0.6 bits. More importantly, many dictionary and rule-based cracking attacks do not systematically test all symbol combinations, making symbol-containing passwords harder to crack in practice. If a website restricts symbol use, use a longer password to compensate for the reduced character set.

How often should I change my password?

NIST's updated guidance in SP 800-63B specifically recommends against mandatory periodic password changes unless there is evidence of compromise. Forced rotation often leads to predictable patterns (users increment a number or change one character) that weaken security. You should change a password immediately if: the service notifies you of a breach, you suspect unauthorized access, or you used the password on another site that was breached. For uncompromised accounts, a strong unique password can remain in use indefinitely.

Related Tools