Password strength comes from two factors: length and character set size. An attacker brute-forcing 10 billion guesses per second would need an astronomically long time to crack a random 20-character password with mixed characters, compared to milliseconds for a short dictionary word.

| Use case | Recommended length | Notes |
|---|---|---|
| General account (email, social) | 16+ characters | Use a password manager; you don't need to remember it |
| Master password / password manager | 20–30 characters | Must be memorable; consider a passphrase of 5+ random words |
| API key / service secret | 32+ characters | Never exposed to humans; maximize entropy |
| Wi-Fi network password | 12–20 characters | Typed manually; balance security with usability |
| Temporary / one-time password | 8–12 characters | Short-lived; lower length acceptable |

Passwords are generated using `crypto.getRandomValues()`, the browser's cryptographically secure random number generator. This is the same API used by cryptographic libraries. Unlike `Math.random()`, it is unpredictable and seeded by the operating system's entropy source.
Nothing is sent to a server. Generation happens entirely in your browser tab.
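
The generation step described above, as an added example that is not the tool's own code: it draws characters with `crypto.getRandomValues()`, discards bytes that would skew `byte % n`, and computes the entropy and exhaustive-search time behind the length table. The alphabet, the function names and the Node fallback line are assumptions made for illustration.

```javascript
// Added example; ALPHABET and all function names are illustrative assumptions.
// Browsers expose globalThis.crypto; the fallback only helps older Node versions.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// 26 lower + 26 upper + 10 digits + 14 symbols = 76 distinct characters.
const ALPHABET =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+";

// Draw `length` characters uniformly from `alphabet` using the CSPRNG.
function generatePassword(length, alphabet = ALPHABET) {
  const n = alphabet.length;
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  if (n < 2 || n > 256) throw new RangeError("alphabet must have 2..256 symbols");
  // Largest multiple of n that fits in one byte. Bytes at or above it are
  // discarded, otherwise `b % n` would favour the first (256 % n) characters.
  const limit = 256 - (256 % n);
  const out = [];
  const buf = new Uint8Array(64);
  while (out.length < length) {
    webCrypto.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(alphabet[b % n]);
    }
  }
  return out.join("");
}

// Entropy of a uniformly random password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Seconds to try every candidate at the given guess rate (default: the
// 10 billion guesses per second used in the text above).
function secondsToExhaust(bits, guessesPerSecond = 1e10) {
  return Math.pow(2, bits) / guessesPerSecond;
}
```

These figures apply only to passwords drawn uniformly at random; a human-chosen password of the same length has far less entropy than `entropyBits` reports.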

© 2026, Tinker - tools · calculators · practice games