Free Online Password & Security Tools
Generate secure passwords, check strength, and more. Everything runs in your browser — nothing is sent to any server.
Quick Answer — Password Strength by Length
A 16+ character password using upper + lower + digits + symbols (95-char set) gives ~104 bits of entropy — beyond NIST's secure threshold (≥72 bits) and uncrackable by current GPU farms.
Or use a passphrase: 4-5 random words (e.g. "correct horse battery staple") are both stronger and easier to remember.
Password Entropy & Strength Reference
| Length | Charset (95 = full ASCII) | Entropy (bits) | Crack Time @ 10¹² guesses/s |
|---|---|---|---|
| 8 chars | 26 (lowercase only) | 37.6 | ~3 minutes (weak) |
| 8 chars | 95 (full ASCII) | 52.6 | ~2 hours (weak) |
| 12 chars | 95 (full ASCII) | 78.9 | ~17 thousand years (good) |
| 16 chars | 95 (full ASCII) | 105.2 | > age of universe (strong) |
| 20 chars | 95 (full ASCII) | 131.5 | Quantum-resistant tier |
| 5-word passphrase | 7,776-word Diceware | 64.6 | ~1,800 years (good + memorable) |
crypto.getRandomValues(). We never see or store your passwords.
Choose a Category
About PassCraft
PassCraft provides free, secure password and security tools. All tools run entirely in your browser using cryptographically secure random number generation via crypto.getRandomValues(). Nothing is ever sent to a server — your passwords and data remain completely private.
Password Entropy: The Science of Password Strength
Password entropy measures the unpredictability of a password in bits — higher entropy means exponentially more combinations an attacker must try. Entropy = log₂(character_set_size^length) = length × log₂(character_set_size). A password using only lowercase letters (26 characters) at 8 characters has 8 × log₂(26) ≈ 37.6 bits of entropy. Adding uppercase, digits, and symbols expands the character set to ~95 characters: 8 × log₂(95) ≈ 52.6 bits. At 12 characters with the full set: 78.9 bits. Most security guidelines recommend at least 72 bits of entropy for a secure password. Each additional character multiplies the search space — length matters more than complexity.
Why Passphrases Are More Secure Than Complex Passwords
The XKCD password strength comic (2011) illustrated a counterintuitive truth: "correcthorsebatterystaple" is both more memorable and more secure than "Tr0ub4dor&3". Four random common words drawn from a 2,000-word vocabulary provides 4 × log₂(2000) ≈ 43.9 bits of entropy; from a 7,776-word Diceware list, 4 words provides 51.7 bits and 5 words provides 64.6 bits. NIST's 2020 Digital Identity Guidelines now recommend passphrases and length over complexity rules, as complexity requirements lead to predictable substitution patterns (e→3, a→@, i→1) that attackers know to exploit.
How Password Crackers Work
Modern password cracking uses GPU-accelerated tools (Hashcat, John the Ripper) that can attempt billions of combinations per second against leaked password hashes. Attack strategies include dictionary attacks (testing known words and common passwords), rule-based attacks (applying transformations like capitalising the first letter or adding a year suffix), and brute-force attacks (systematic character enumeration). The weakest passwords in any dataset are cracked in milliseconds; an 8-character random alphanumeric password might resist cracking for hours to days; a 16-character random password from the full printable ASCII set would take longer than the age of the universe with current technology.
What Is PassCraft?
PassCraft is a free, browser-based suite of password and security tools. It generates secure passwords, checks password strength, calculates entropy, and helps you build passphrases — all using cryptographically secure randomness via crypto.getRandomValues().
Whether you need a strong random password for a new account, want to test how resistant your current password is to cracking, or prefer memorable passphrases over complex strings, PassCraft handles it instantly without ever sending data to a server.
Frequently Asked Questions
Why use 16+ characters for a password?
16 characters from the full 95-symbol ASCII set yields ~105 bits of entropy. Even at one trillion guesses per second (modern GPU farm capability), brute-forcing exceeds the age of the universe. 12 characters at 79 bits is good; 8 characters at 53 bits cracks in roughly 2 hours. Each added character multiplies the search space by 95×, making length the single most cost-effective security upgrade.
How long should a secure password be?
A secure password should be at least 12 characters long, though 16 or more is recommended. Each additional character exponentially increases the number of possible combinations, making brute-force attacks impractical. A 16-character password using uppercase, lowercase, digits, and symbols has over 10^30 possible combinations.
Are password generators safe to use?
Client-side password generators like PassCraft are safe because the password is created entirely in your browser using crypto.getRandomValues(), a cryptographically secure random number generator. The password is never transmitted to any server, so there is no risk of interception or storage by a third party.
What is password entropy and why does it matter?
Password entropy measures randomness in bits. Higher entropy means more possible combinations an attacker must try. It is calculated as length times log base 2 of the character set size. A password with 72 or more bits of entropy is generally considered secure against modern cracking hardware.
Is a passphrase better than a random password?
Passphrases made of 4-6 random words from a large dictionary can be both more secure and more memorable than short complex passwords. A 5-word Diceware passphrase provides about 64 bits of entropy while being far easier to remember than a random 10-character string.