Frequently asked questions

Short, practical answers to the most common questions about strong passwords, passphrases, managers, and account recovery.

About this site

What is the CreateMeAPassword.com password generator?

A free, privacy‑first tool for generating strong passwords and passphrases — all 100% local in your browser. No cookies, no ads, no tracking, and nothing ever leaves your device.

Are passwords generated locally and privately?

Yes. Generation happens entirely on your device using the Web Crypto API. There are no accounts, analytics, or server storage — your data never leaves your browser.

Is this a secure, random password generator?

Yes. We use crypto.getRandomValues for cryptographically secure randomness and rejection sampling to avoid modulo bias, so each character is chosen uniformly from the selected set.
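
The rejection sampling described above, as an added example rather than this site's own code. It generalises from single characters to any set of up to 2^32 items (word lists included); the function names, the injectable nextU32 parameter and the sample sets are assumptions for illustration.

```javascript
// Added example (not the site's code). nextU32 is injectable so the rejection
// path can be exercised deterministically; the default uses Web Crypto.
const webCryptoU32 = () => globalThis.crypto.getRandomValues(new Uint32Array(1))[0];

const RANGE = 2 ** 32; // number of distinct values a Uint32 can take

// Unbiased index in [0, n). A plain `x % n` favours the low residues whenever
// n does not divide 2^32, so values in the incomplete final block are redrawn.
function uniformIndex(n, nextU32 = webCryptoU32) {
  if (!Number.isInteger(n) || n < 1 || n > RANGE) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  const limit = RANGE - (RANGE % n); // largest multiple of n that fits
  for (;;) {
    const x = nextU32();
    if (x < limit) return x % n;
  }
}

// Draw `count` items independently and uniformly from `items`.
function pickMany(count, items, nextU32 = webCryptoU32) {
  const pool = [...new Set(items)]; // duplicates would skew the distribution
  if (pool.length === 0) throw new RangeError('empty set');
  return Array.from({ length: count }, () => pool[uniformIndex(pool.length, nextU32)]);
}

// Constructed sample sets: 94 printable ASCII characters, and a tiny word list
// (a real passphrase list is far larger, e.g. 7,776 words).
const PRINTABLE = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i));
const WORDS = ['flake', 'willow', 'bus', 'planet', 'candle', 'saturn', 'velvet', 'pond'];

const password = (len, next) => pickMany(len, PRINTABLE, next).join('');
const passphrase = (n, next) => pickMany(n, WORDS, next).join('-');
```

For a 94-character set, 2^32 leaves a remainder of 42, so only the top 42 of roughly 4.3 billion values are redrawn and the loop almost never repeats.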

How do I generate a strong password?

  • Length first: 16–20+ characters (or 4–6 random words).
  • Randomness: use the generator; avoid patterns like seasons or years.
  • Uniqueness: never reuse the same password on different sites.
  • Turn on 2FA (or passkeys) for important accounts.

New to this? Start with Common Password Mistakes (and quick fixes).

Should I use a password or a passphrase?

Prefer a passphrase (4–6 random words) when a site allows it — easier to remember and very strong. Otherwise, use a long random password.

Deep dive: Password vs Passphrase — Which is more secure?

Changing & reusing passwords

How often should I change my passwords?

Change on events (breach, suspicious activity, reuse) rather than a fixed schedule. Focus on long, unique passwords/passphrases and 2FA; enable passkeys where possible.

Learn more in How Often Should You Change Your Passwords (and When You Shouldn’t).

Should my work and personal passwords be different?

Yes. Keep them completely separate to prevent a breach in one world opening doors in the other. Use a manager with separate profiles/vaults.

Why this matters: Why Your Work Passwords Should Be Different from Your Personal Ones.

Using this generator

Can I customize symbols, length, and rules?

Yes. In Advanced options you can:

  • Set custom symbol sets and exclude specific characters/words.
  • Require minimum counts per set; block repeats or sequences.
  • Target entropy and auto‑size to hit a strength goal.
  • Apply policy presets (e.g., hex, base64, ASCII‑only).

Does this password generator work offline?

Yes, after the first load. Add it to your home screen/desktop; it works as a lightweight PWA with everything running locally.

Is there a kids password generator?

Yes. Kids mode creates memorable, readable passphrases from a kid‑friendly wordlist, filtered with a local blocklist to avoid inappropriate terms.

What do “Strength” and “bits of entropy” mean?

They estimate guessing difficulty. More bits = exponentially harder to crack. Aim for 100+ bits for long‑term accounts; 60–80 bits is fine for low‑risk logins.

Is it safe to paste generated passwords into websites?

Use HTTPS sites you trust. Clipboard data can be read by other apps on your device — avoid pasting into unknown pages and clear the clipboard afterwards.

What are passkeys, and should I use them?

Yes, where available. Passkeys (FIDO2/WebAuthn) remove shared secrets and are phishing‑resistant. Use them with a strong device unlock; keep recovery options (hardware keys, cloud backup) set up.

What is a password?

A secret string used to prove it’s you when you sign in. It can include letters, numbers, and symbols.

What’s a passphrase?

A longer secret made of several words (e.g., correct-horse-battery-staple). It’s usually easier to remember and, when truly random, much harder to crack.

Which is better: password or passphrase?

For important accounts, a random passphrase of 4–6 words (plus a number/symbol if allowed) is typically stronger and more usable than a short, complex password.

Deep dive: Password vs Passphrase: Which Is More Secure?

What makes a password “strong”?

Length first, randomness second, and uniqueness always. Aim for 12–16+ characters (or 4–6 random words). Never reuse across sites.

More on strength and usability: Password vs Passphrase and Common Password Mistakes.

Do I really need a different password for every account?

Yes. Reuse is the fastest way one breach becomes many. A password manager makes this easy.

See also: Work vs Personal passwords and Common Password Mistakes.

Are password strength meters reliable?

They’re a rough guide. If you use a reputable generator/manager and meet length targets, you’ll be fine regardless of the meter.

Creating strong passwords & passphrases

How long should my password be?

Passwords: 16–20+ characters. Passphrases: 4–6 random words. Length increases entropy much faster than “clever” substitutions.

Why length beats “cleverness”: Length vs complexity.

How do I create a good passphrase?

  • Use the generator to pick random words from a large list.
  • Add a separator (space/hyphen), optionally append a digit/symbol.
  • Avoid lyrics, quotes, or personal facts — they’re guessable.

Example: flake‑willow‑bus‑planet‑9?

Guide: Password vs Passphrase.

Is “Summer2025!” good?

No. Season + year patterns are widely attacked. Use randomness, not patterns.

Are substitutions like P@ssw0rd! helpful?

No. Attackers expect common substitutions. Length + randomness beats predictable tweaks.

Can I base it on a sentence I’ll remember?

Only if you randomise it heavily. Plain memorable sentences are usually guessable. Prefer true randomness.

Should I include spaces or symbols?

Yes, if allowed. They expand the character set and increase entropy.

What if a site has limits (max length, no symbols)?

  • Use the Policy and Preset options to match site rules.
  • Max length: use the maximum, fully random.
  • No symbols/spaces: use alphanumeric or hyphens/underscores.
  • Always enable 2FA to compensate for strict rules.

What is entropy and why does it matter?

Entropy quantifies unpredictability. Roughly: random 12‑char from 94 symbols ≈ 12×log₂(94) ≈ 79 bits. Six random Diceware words (~7,776‑word list) ≈ 6×12.9 ≈ 77 bits. More bits ≈ harder to crack.

See the entropy table in Password vs Passphrase.

Password managers

What is a password manager?

An app that creates, stores, and autofills unique secrets for every site, protected by one strong master passphrase or a passkey.

Are password managers safe?

Yes, when reputable and configured well:

  • Use a long, random master passphrase (5–7 words).
  • Enable 2FA on your vault.
  • Keep apps up to date and lock on idle.

What if my password manager gets breached?

Follow vendor guidance. If your master secret is strong and 2FA is on, data is typically encrypted. Prioritise changing critical accounts and enable passkeys where possible.

Should I store recovery codes in my manager?

Yes. Store them in a secure folder with clear labels and keep an offline backup (e.g., printed and stored safely).

How do I create a strong master password?

Use a 5–7 word random passphrase (e.g., candle‑saturn‑velvet‑pond‑lorry‑?7). Never reuse it, and add 2FA to your vault.

Security threats & how to defend

How do attackers crack passwords?

Common routes: phishing, credential stuffing (using leaked passwords elsewhere), brute‑force/wordlists, keyloggers, and social engineering.

How do I protect against credential stuffing?

Use unique secrets everywhere, turn on 2FA, and watch for breach alerts for your email addresses.

What about phishing?

Use a manager (auto‑fills only on the right domain), check links, enable 2FA/passkeys, and consider hardware security keys for important accounts.

Are browser‑saved passwords safe?

Better than reuse, but less flexible than dedicated managers. Protect your device login, enable OS 2FA, and keep the system updated.

Is it safe to type passwords on public Wi‑Fi?

Generally fine over HTTPS, but avoid sensitive logins on shared machines. A trusted VPN can add a layer on untrusted networks.

Should I share passwords with family or colleagues?

Use a manager’s shared vaults — not messaging apps or email. For work, use approved SSO or group access tools.

Recovery & “I’m locked out”

I’ve forgotten my password — what now?

  • Use the site’s “Forgot password” flow and check spam for emails.
  • If enabled, use recovery codes, trusted contacts, or a second factor.
  • Contact support; be ready for identity checks.

What are recovery codes and where should I keep them?

Single‑use codes to bypass 2FA if you lose access. Store them in your manager and keep an offline backup (e.g., printed and stored safely).

I’ve lost my phone with the authenticator app.

Use recovery codes, your backup factor (e.g., a hardware key), or the app’s cloud backup. Set up at least two authenticators/keys in advance.

I suspect malware on my device.

Disconnect, run trusted antivirus, consider a clean rebuild, then change important passwords from a clean device and enable 2FA.

Special scenarios

Kids and elderly relatives — how to help?

Set up a manager with simple passphrases, enable 2FA where practical, and keep a printed recovery plan the family can access. Try Kids mode for memorable passphrases.

Travelling — any tips?

Carry a hardware key, ensure offline access to your manager (or printed recovery codes), and avoid logins on borrowed devices.

Shared accounts (e.g., a joint utility login)?

Use shared access features where supported; otherwise, share via a manager’s shared vault — not email or chat.

Technical deep dive

How strong is a 6‑digit PIN?

About 6×log₂(10) ≈ 20 bits. Fine for device unlock with strict rate limiting, weak for online accounts.

Is a random 12‑char password as strong as a 6‑word passphrase?

Roughly similar (~79 vs ~77 bits) if truly random. Choose the one you can use correctly every time.

Do weird rules (must include 3 types, no repeats) help?

Often not. They hurt usability more than they add security. Length and randomness matter most.

Which browsers are supported?

Modern browsers with Web Crypto (current Chrome, Edge, Safari, Firefox). Very old browsers aren’t supported.