Password Generator & Validator Tool

Professional password generator and validator tool that creates strong passwords and memorable passphrases with support for batch generation, uniqueness guarantee, strength assessment, and policy validation. Features cryptographically secure random source, configurable character sets, similar character filtering, batch deduplication statistics, and one-click copy functionality. Includes multilingual code examples, password knowledge base, security best practices, and policy testing tools. All operations are performed locally in your browser, ensuring privacy and security.

Password Policy Tester

Password to test

Minimum length Require lowercase letters Require uppercase letters Require digits Require symbols Ban sequential patterns (e.g., abc, 123) Ban excessive repetition (e.g., aaaa)

Results

Length
Lowercase
Uppercase
Digits
Symbols
Sequential
Repeats
Blocklist

All checks are performed locally in your browser.

Passphrase Generator

Number of words

Separator

Capitalize first letter Add number

Words are selected using cryptographically secure randomness (Web Crypto). The demo word list is shortened due to size constraints.

Password Hashing Cheat Sheet

Argon2id

Use Argon2id with reasonable memory-hard parameters
Time ≥ 2 passes, memory ≥ 64MB (tune according to environment)
Store a unique salt per user; optionally use a pepper at the application layer

PBKDF2

Choose SHA-256 or SHA-512 with iterations ≥ 210k (tune as needed)
Use a unique salt for each hash; support parameter upgrades
Migrate to higher-cost parameters during the user's next login

BCrypt

Set cost between 10–14, depending on server capabilities
Avoid truncation issues; hash the full password
Implement rate limiting and monitoring on authentication endpoints

Reference: NIST SP 800-63B, OWASP ASVS. Parameters must align with hardware capabilities and SLOs.

Password Strength Evaluator

Strength is approximated by entropy: entropy = log2(character pool size) × length. A larger character pool and longer length improve resistance to guessing.

Weak: < 50 bits —— Suitable only for one-time or low-value scenarios
Fair: 50–80 bits —— Acceptable for low-risk scenarios
Strong: 80–110 bits —— Recommended default target
Excellent: > 110 bits —— Recommended for admin or critical accounts

Note: Real-world attack models may vary; avoid password reuse and enable multi-factor authentication (MFA).

How to Use

Select length and character set (Lower/Upper/Digits/Symbols); optionally enable Avoid Similar and Require Each
For finer control: exclude specific characters or character groups, or choose symbol subsets
Click Generate; for multiple results, enable batch mode and copy all with one click
To validate existing passwords, use the Policy Tester; for memorable passphrases, use the Passphrase Generator

Features

Cryptographically secure random source (Web Crypto)
Configurable character sets and symbol groups
Similar character filtering and custom exclusions
Batch generation, uniqueness guarantee, and deduplication statistics
Strength and entropy metrics
Policy Tester and Passphrase Generator
Multilingual code examples （JS、Python、PHP、Go、Java、C#、Rust）
One-click copy (single or all)

Password Generation Examples

Strong

Length 24, includes uppercase, lowercase, digits, and symbols

Memorable

Length 16, includes uppercase, lowercase, and digits; avoids similar characters

Password Knowledge Base

1) Password Strength and Entropy

Entropy ≈ log2(character set size) × length; length usually contributes more
Recommended targets: General accounts ≥ 80 bits; High-privilege/financial accounts ≥ 110 bits
Larger character set + longer length → greater resistance to guessing

2) Length vs. Complexity

Blindly adding symbols is less effective than increasing length
Avoid predictable patterns (e.g., always 'Capital first letter + trailing number!')
Prioritize sufficient length, then moderately increase character diversity

3) Common Mistakes and Anti-Patterns

Keyboard sequences (e.g., qwerty), repeated blocks, birthdays/years are easily targeted by rules
Using 'root password + site suffix' creates variant reuse, concentrating risk and making passwords easier to guess
Never reuse the same password across multiple websites

4) Password Management Recommendations

Use a password manager; ensure unique passwords per site; enable MFA for critical accounts
Avoid transmitting passwords in plain text over public channels; use 'pronounceable' passphrases when necessary
Immediately change and uniqueify passwords if leakage or reuse is detected

5) Passphrase Guidelines

Combinations of 4–6 random words are typically strong and memorable
Mix separators, capitalize initial letters, and insert numbers to enhance strength and readability
Avoid directly concatenating common phrases, song lyrics, or famous quotes

Password Security Best Practices

Best Practices

Use sufficient length: 16+ characters for general accounts, 24+ for critical ones
For memorability, prioritize passphrases; use a password manager to store random, high-strength passwords
Enable multi-factor authentication (MFA) whenever possible
Never reuse passwords across sites—each account should have a unique password

Entropy and Strength

Entropy measures unpredictability based on length and character set size—the higher the entropy bits, the stronger the password typically is.

Prioritize increasing length for maximum strength gain
Use multiple character sets when feasible
Excluding too many characters reduces the character pool and weakens strength

Policies and Rotation

Prefer length requirements and blacklists of common/leaked passwords over complex composition rules
Avoid frequent mandatory rotations; change only when a breach or risk is detected
Use lists of compromised passwords to block commonly used or leaked passwords

Passphrases

Use 4–6 random words joined by separators, e.g., lake-CARROT-planet_7
Avoid famous quotes, song lyrics, or other common phrases; randomness matters more than 'cleverness'
For critical accounts, use a password manager to store truly high-entropy random passwords

Generation Settings Tips

"Require each selected set" ensures at least one character from each chosen category appears
"Avoid similar" improves readability but slightly reduces the character pool size
Symbols can be restricted to a subset supported by the target system

Server-Side Storage

Never store passwords in plaintext; use strong hashing (Argon2id/PBKDF2/Bcrypt) with salt
Configure parameters (memory/time/cost) appropriately; consider using pepper when needed
Rate-limit login attempts and monitor failures; apply CAPTCHAs or device verification during attacks

Multi-Factor & Recovery

Prefer TOTP or hardware keys; avoid SMS whenever possible
Secure recovery flows with multi-factor or email verification and enforce cooldown periods
Provide backup recovery codes and encourage users to store them securely

Brute Force Protection

Implement progressive delays or locks with IP/device risk scoring
Apply WAFs and rate limiting to APIs and login forms
Monitor for credential stuffing and encourage users to adopt unique passwords

Local Storage & Handling

Use a reputable password manager for storage and auto-fill
Never share passwords in plaintext via chat or email; use secret management tools for teams
If writing down passwords offline, ensure physical security

Disclaimer: This tool generates passwords locally in your browser using Web Crypto; no data is sent to any server.

How to Generate Passwords via Programming Languages

JavaScript（Web Crypto）

function randomPassword(length = 16, sets = {lower:true, upper:true, digits:true, symbols:true}) {
  const pools = {
    lower: 'abcdefghijklmnopqrstuvwxyz',
    upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
    digits: '0123456789',
    symbols: '!@#$%^&*+-=_~`|/?()[]{}<>,.;:\'\"'
  };
  let pool = '';
  for (const k of Object.keys(sets)) if (sets[k]) pool += pools[k];
  if (!pool) throw new Error('No charset');
  const bytes = new Uint32Array(length);
  crypto.getRandomValues(bytes);
  let out = '';
  for (let i = 0; i < length; i++) out += pool[bytes[i] % pool.length];
  return out;
}

Python（secrets）

import secrets

def random_password(length=16, lower=True, upper=True, digits=True, symbols=True):
    pools = {
        'lower': 'abcdefghijklmnopqrstuvwxyz',
        'upper': 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'digits': '0123456789',
        'symbols': '!@#$%^&*+-=_~`|/?()[]{}<>,.;:\'\"'
    }
    pool = ''.join(v for k, v in pools.items() if locals()[k])
    if not pool:
        raise ValueError('No charset')
    return ''.join(secrets.choice(pool) for _ in range(length))

PHP（random_int）

function random_password($length = 16, $sets = ['lower'=>true,'upper'=>true,'digits'=>true,'symbols'=>true]) {
    $pools = [
        'lower' => 'abcdefghijklmnopqrstuvwxyz',
        'upper' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'digits' => '0123456789',
        'symbols' => '!@#$%^&*+-=_~`|/?()[]{}<>,.;:\'\"'
    ];
    $pool = '';
    foreach ($sets as $k => $on) if ($on) $pool .= $pools[$k];
    if ($pool === '') throw new Exception('No charset');
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $pool[random_int(0, strlen($pool)-1)];
    }
    return $out;
}

Go（crypto/rand）

package main

import (
  "crypto/rand"
  "math/big"
)

func RandomPassword(length int, pool string) (string, error) {
  out := make([]byte, length)
  for i := 0; i < length; i++ {
    nBig, err := rand.Int(rand.Reader, big.NewInt(int64(len(pool))))
    if err != nil { return "", err }
    out[i] = pool[nBig.Int64()]
  }
  return string(out), nil
}

Java（SecureRandom）

import java.security.SecureRandom;

public class Pw {
  static final String POOL = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*+-=_~`|/?()[]{}<>,.;:'\"";
  static final SecureRandom SR = new SecureRandom();
  static String randomPassword(int length) {
    StringBuilder sb = new StringBuilder(length);
    for (int i = 0; i < length; i++) {
      int idx = SR.nextInt(POOL.length());
      sb.append(POOL.charAt(idx));
    }
    return sb.toString();
  }
}

C#（.NET RandomNumberGenerator）

using System;
using System.Security.Cryptography;

public static class Pw {
  public static string RandomPassword(int length, string pool) {
    using var rng = RandomNumberGenerator.Create();
    var bytes = new byte[length];
    rng.GetBytes(bytes);
    var chars = new char[length];
    for (int i = 0; i < length; i++) {
      chars[i] = pool[bytes[i] % pool.Length];
    }
    return new string(chars);
  }
}

Rust（rand + getrandom）

use rand::rngs::OsRng;
use rand::RngCore;

fn random_password(length: usize, pool: &str) -> String {
    let mut bytes = vec![0u8; length];
    OsRng.fill_bytes(&mut bytes);
    let chars: Vec = pool.chars().collect();
    bytes
        .iter()
        .map(|b| chars[(*b as usize) % chars.len()])
        .collect()
}

fn main() {
    let pool = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*+-=_~`|/?()[]{}<>,.;:'\"";
    let pw = random_password(16, pool);
    println!("{}", pw);
}