Password
This is a simple tool for generating passwords for whatever purpose you might need. Simply tweak whatever options you care about, then click “Generate” until you get something you like.
Entropy is a measure of disorder or randomness. Examples of low-entropy passwords would be passwords that contain dictionary words (hunter2), simple patterns (12345), or lots of repetition (AAA111).
Passwords with low entropy are likely to be easier for a human or computer to guess. Thus making them a worse security measure. Simply put, a higher entropy password is a more secure password.
Because of the exponential nature of character combinations, increasing the entropy of your password by just one bit makes it twice as hard to guess. So while a 50-bit password could be easily guessed on a moderately powerful computer, a 64-bit password might require highly specialized hardware or software to be feasible, and a 256-bit password is so far outside the realm of guessibility that there’s really no need to go so high.
But advances in password guessing are occurring all the time, and those thresholds are always lowering. So assuming that the only way an adversary can bypass your password is by guessing it (not always a valid assumption), the number of bits of entropy you need depends on how long you need that password to be unguessable.
If you want to do your due dilligence, you’ll need to read up on current password-cracking research and capabilities and choose your random password based on the current state of affairs plus a few extra bits for comfort. If you don’t want to do that, I’ll just say that currently I aim for around 85 bits.
Absolutely! You can set up this generator to make a 20 character password with maximum entropy and it still might spit out an awful password like AAAAAAAAAAAAAAAAAAAA.
To be precise:
Put all these together and this generator can seem entirely useless. But the point of this generator is that by using the full ASCII range, you get reasonably short passwords that are likely to work with whatever service you care to use them with and which are very unlikely to be the kind of thing any reasonable password guesser would try. That’s what the entropy measurement is really getting at.
There are password guessers out there that can feasibly guess a 55 character password but not a fully random ASCII one. Setting the generator to 39 characters produces 256 bits of entropy: way, way outside the realm of anything even remotely guessable. The chances of you actually getting a bad password out of this thing (as long your entropy is reasonably high) are pretty small.
I get that. That’s why this page is a single self-contained HTML file with the generator written in a couple hundreds lines of documented, unobfuscated Javascript. If you like the idea but don’t trust me, please download this page for your personal use and scrutinize it for yourself to make sure it isn't doing anything shady.
Entropy is a function of the length and password options you have chosen, so whenever you change any of those values the entropy updates. But I also let you do it in reverse, so if you update the entropy it changes the length needed to get that amount of entropy. But also since changing the password length often changes the entropy by several bits at a time, if the entropy updates the length it will again update the entropy value to the actual entropy provided at that length.
So depending on the options you have selected, many entropy values will be impossible to achieve exactly and choosing such a value will cause the entropy to update to the next-highest possible value after a short delay.