Passwords they can't crack.
Three generation modes. Live entropy. Realistic crack-time estimates. The catch? There isn't one — it runs entirely in your browser and we never see the output.
Maximum entropy. Hard to type, strongest security.
Length beats complexity.
A 20-char lowercase password has 94 bits of entropy. An 8-char password with every character class has 52 bits — over 16 million times weaker. Passphrases are the same story: 6 common words beat most complex passwords an attacker can actually crack.
Zero-logs, zero server.
Passwords are generated in your browser with crypto.getRandomValues. No data ever reaches MalwareTips servers.
Regenerated passwords appear here. Never saved to disk.
How strong is strong enough?
The right entropy depends on who's trying to crack it. Below are three attacker tiers, with roughly how long a 40-, 60-, and 80-bit password buys you against each.
Credential-stuffing attacker hitting a normal login form with rate limiting.
Attacker has the hashed password dump. Cracking with modern GPUs against bcrypt/Argon2.
Targeted, well-funded adversary with vast GPU compute. Worst plausible case.
Estimates assume the defending site uses bcrypt / scrypt / Argon2id hashing. If it still stores plain SHA-256 or MD5 (common but poor practice), shift attacker times 100–1000× faster — meaning 40-bit passwords are already gone for any meaningful adversary.
Six things that matter.
Most password generators hide their math and ask you to trust them. This one shows the entropy, explains the crack-time, and lives entirely in your browser so there's nothing to trust anyway.
Three generation modes
Random (max entropy), passphrase (easy to memorise), pronounceable (readable syllables). Pick the shape that fits the use case.
Cryptographic RNG
Every character is produced by your browser's crypto.getRandomValues() — the same primitive banks and TLS libraries use. No Math.random, no seeded PRNG.
Live entropy meter
See the bit-entropy update as you tune the options. 60+ bits = strong. 80+ = excellent. Below 40 = you're one leaked rainbow table away from trouble.
Crack-time estimates
Realistic costs for a modern attacker at three budget tiers — online throttled, offline GPU cluster, nation-state. Tells you how long your password actually buys.
No logs, no storage
Passwords never leave your browser. No network call, no telemetry, no cached history on our server. Clear the tab and they're gone.
Free · no account
No sign-up, no email, no upsell to a password manager. This is a straight utility — paste into your manager of choice and move on.
Nothing ever leaves this page.
Every password is generated by window.crypto.getRandomValues() — a cryptographic primitive built into your browser. No network call, no telemetry, no cached history. Open your browser's DevTools Network tab and watch for yourself — you'll see zero requests as you generate.
Questions worth asking
Six common questions about passwords, entropy, and why you can trust a generator you didn't write yourself.