How to Generate a Strong Random Password
A strong password has 16+ characters with uppercase, lowercase, digits, and symbols. Use crypto.getRandomValues(), never Math.random(). Math.random() is not cryptographically secure, and its output can be predicted once its internal state is known. The Web Crypto API and language-specific modules such as Python's secrets provide cryptographically secure randomness.
Code Examples
JavaScript (Secure)
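```javascript
function generatePassword(length = 20) {
  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';
  // Reject bytes at or above the largest multiple of chars.length so that
  // `b % chars.length` is uniform (a plain modulo over 0..255 is biased).
  const limit = 256 - (256 % chars.length);
  const buf = new Uint8Array(1);
  let password = '';
  while (password.length < length) {
    crypto.getRandomValues(buf);
    if (buf[0] < limit) password += chars[buf[0] % chars.length];
  }
  return password;
}
generatePassword();
// e.g., "kQ7#mP2xR9&nL4wF8jY5"
```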
Python (Secure)
```python
import secrets
import string

def generate_password(length=20):
    chars = string.ascii_letters + string.digits + '!@#$%^&*'
    # secrets.choice draws from the operating system's CSPRNG
    return ''.join(secrets.choice(chars) for _ in range(length))

# Or simply:
secrets.token_urlsafe(20)
# URL-safe random string built from 20 random bytes
```
Bash (OpenSSL)
```bash
openssl rand -base64 24
# Generates 24 random bytes, base64 encoded
```
Password Strength by Length
| Length | Charset (72) | Entropy (bits) | Strength |
|---|---|---|---|
| 8 | 72^8 | ~49 | Weak |
| 12 | 72^12 | ~74 | Fair |
| 16 | 72^16 | ~99 | Strong |
| 20 | 72^20 | ~123 | Very Strong |
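The following Python code is an added example, not code from the original page. It draws from the page's 70-character set with `secrets`, retries until uppercase, lowercase, digit and symbol are all present, and computes the entropy figures behind the table above (the table's charset size of 72 is passed in as a parameter). The names `CLASSES`, `ALPHABET`, `entropy_bits` and `entropy_bits_all_classes` are chosen here for illustration.

```python
import math
import secrets
import string

# Character classes from the page's generator: 26 + 26 + 10 + 8 = 70 characters.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*")
ALPHABET = "".join(CLASSES)


def generate_password(length=20):
    """Draw uniformly from the CSPRNG, retrying until every class is present."""
    if length < len(CLASSES):
        raise ValueError("length must be at least the number of character classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejecting whole candidates keeps the result uniform over all valid
        # passwords; forcing a character into a fixed position would not.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, charset_size=len(ALPHABET)):
    """Entropy of `length` independent uniform draws from the charset."""
    return length * math.log2(charset_size)


def entropy_bits_all_classes(length):
    """Entropy when every class must appear, counted by inclusion-exclusion."""
    sizes = [len(cls) for cls in CLASSES]
    total = 0
    for mask in range(1 << len(sizes)):
        # Bits set in `mask` mark the classes excluded from the password.
        excluded = [s for i, s in enumerate(sizes) if (mask >> i) & 1]
        total += (-1) ** len(excluded) * (len(ALPHABET) - sum(excluded)) ** length
    return math.log2(total)


if __name__ == "__main__":
    print(generate_password())
    # Columns: length, table value (charset 72), 70-char set, 70-char set with all classes.
    for n in (8, 12, 16, 20):
        print(n, round(entropy_bits(n, 72)), round(entropy_bits(n), 1),
              round(entropy_bits_all_classes(n), 1))
```

Requiring all four classes removes some candidates from the search space, but at length 20 the cost is well under one bit of entropy.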
Frequently Asked Questions
Why should I not use Math.random() for passwords?
Math.random() uses a PRNG that is not cryptographically secure. Its output can be predicted if the internal state is known. Always use crypto.getRandomValues() or the secrets module.
How long should a password be?
At least 16 characters for general use, 20+ for high-security accounts. Each additional character exponentially increases the number of possible combinations.