Passwords protect everything from email to banking, yet most breaches succeed because users reuse short, predictable passwords across sites. A password generator produces random, high-entropy strings that resist brute force and credential-stuffing attacks — the missing piece is using a password manager to store them, since strong passwords are impossible to memorise.
This guide covers what makes a password strong, how generators work, and the practical points for actually using random passwords day to day.
What Makes a Password Strong
- Length — Longest single factor; 16+ characters preferred
- Randomness — Unpredictable; not based on words or patterns
- Character variety — Mix uppercase, lowercase, digits, symbols
- Uniqueness — Different password per site
A 16-character random password is functionally uncrackable by brute force; the attack vector becomes the site's database, not the password itself.
Generator Options
- Length — Slider from 8 to 64+ characters
- Uppercase — A-Z
- Lowercase — a-z
- Numbers — 0-9
- Symbols — !@#$%^&* etc.
- Exclude ambiguous — Remove 0/O, 1/l/I for handwriting clarity
- Pronounceable — Pseudo-words easier to type once
- Passphrase — Random words separated (correct-horse-battery-staple)
Length Recommendations
- 8 chars — Outdated; crackable in hours
- 12 chars — Acceptable minimum for low-stakes accounts
- 16 chars — Strong default for most accounts
- 20+ chars — High-value targets (email, banking, password manager master)
Passphrase vs Random String
Random string
X7m@vP2!qK#9wL3z — short, dense, hard to type, easy to copy from manager.
Passphrase
correct-horse-battery-staple — longer but easier to type and memorise when occasionally needed.
Passphrases of 5+ random words have similar strength to 16-character random strings. Pick based on whether you'll type it (passphrase) or always copy-paste (random string).
Common Use Cases
- New account signup
- Replacing reused passwords after breach
- Generating API keys and tokens
- Wi-Fi network passwords
- Database and service credentials
- Encryption keys for documents
- Master password for password manager (use passphrase)
Where to Store Generated Passwords
- Password manager — Bitwarden, 1Password, KeePass, browser built-in
- Encrypted file — KeePass database, age-encrypted text file
- Not in plain text files, notes apps, spreadsheets
- Not emailed to yourself or written on a sticky note
Common Pitfalls
- Generating but not using a manager. Strong passwords you forget = locked out
- Modifying generated password. Adding "123!" weakens predictably
- Reusing across sites. One breach exposes many accounts
- Generator not cryptographically secure. Use tools using crypto.getRandomValues()
- Symbols breaking site limits. Some sites reject @, # — check policy
- Master password too short. Passphrase, 5+ words, no reuse
Site Password Policies
- Many sites still impose unhelpful rules (max 16 chars, no special chars)
- NIST guidelines now recommend long passwords without forced rotation
- If site limits to 12 chars, use full 12 with all character types
- Avoid forced periodic password changes; change only on breach
Beyond Passwords
- Two-factor authentication — Most important addition
- Authenticator apps — Authy, Google Authenticator (not SMS)
- Hardware keys — YubiKey for highest-value accounts
- Passkeys — Emerging passwordless standard
Quick Tips
- 16+ characters, all types, random
- Use a password manager — every generated password belongs there
- Master password: passphrase of 5+ random words
- Add 2FA on every account that offers it
- Change only on breach, not on schedule
Use the Password Generator on Popupnote
The Password Generator on Popupnote provides a clean tool for creating strong, random passwords with configurable length and character sets — for new accounts, replacing weak passwords, and generating API keys. The tool runs in your browser without any account required.