
Password Generator & Hash Calculator

Generate cryptographically secure passwords with entropy analysis. Hash any text with MD5, SHA-1, SHA-256, SHA-512. 100% client‑side.
Why passphrases? Four random words like "ocean-maple-bridge-thunder" are easier to remember and statistically stronger than "P@ssw0rd!". They leverage large entropy through word count rather than character complexity.

Secure password generation & cryptographic hashing

This tool generates cryptographically secure passwords using the browser's crypto.getRandomValues() API — the same source of randomness used in security software. It never uses Math.random(), which is not cryptographically secure.

Understanding password entropy

Entropy is measured in bits and represents the unpredictability of a password. The formula is entropy = log2(charset_size ^ length). A 20-character password using uppercase, lowercase, digits, and symbols draws from a charset of 95 characters, yielding ~131 bits of entropy — effectively uncrackable by brute force.
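
The generation and entropy calculation described above, as an added example that is not this tool's own source code. The function names are hypothetical, and the default guess rate of 100 billion per second is an assumed figure. It uses rejection sampling so that mapping random bytes onto the charset introduces no modulo bias.

```javascript
// Added example, not the tool's source. All function names are hypothetical.
// Browsers expose globalThis.crypto; older Node.js needs the require fallback.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// The 95 printable ASCII characters (0x20..0x7E), matching the charset size in the text.
const PRINTABLE = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)).join('');

// Uniform integer in [0, n) from CSPRNG bytes, using rejection sampling.
// A plain `byte % n` favours low indexes whenever 256 is not a multiple of n.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('n must be 1..256');
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  for (;;) {
    webcrypto.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n; // bytes >= limit are discarded
  }
}

function generatePassword(length, charset = PRINTABLE) {
  const unique = [...new Set(charset)]; // duplicate characters would skew the distribution
  let out = '';
  for (let i = 0; i < length; i++) out += unique[randomIndex(unique.length)];
  return out;
}

// entropy = log2(charset_size ^ length) = length * log2(charset_size)
function entropyBits(charsetSize, length) {
  return length * Math.log2(charsetSize);
}

// Years needed to try every combination at the given rate (assumed default: 1e11/s).
function yearsToExhaust(bits, guessesPerSecond = 100e9) {
  return Math.pow(2, bits) / guessesPerSecond / (365.25 * 24 * 3600);
}

console.log(generatePassword(20), entropyBits(95, 20).toFixed(1), 'bits');
```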

Why passphrases are often better

Four random words from the EFF wordlist (7776 words) give about 51 bits of entropy per word, totalling ~103 bits for 4 words. They are easier to remember than random characters and just as strong for most purposes. Six words exceed 154 bits — stronger than most character-based passwords.

Hash algorithms compared

Use this list to choose the right algorithm for your use case:

  • MD5 (128 bits) — broken, collision attacks exist. Use only for checksums, never for security.
  • SHA-1 (160 bits) — deprecated for security. Google demonstrated a collision attack in 2017. Avoid.
  • SHA-256 (256 bits) — current standard. Use for data integrity, digital signatures, HMAC.
  • SHA-512 (512 bits) — stronger variant. Use when extra margin is needed or on 64-bit systems.
  • HMAC-SHA256 — hash with a secret key. Use for API signatures and message authentication.

For password storage, none of the above are appropriate alone — use bcrypt, scrypt, or Argon2 instead, which are intentionally slow and add salting.

Frequently Asked Questions

Is this password generator truly secure?

Yes. All randomness comes from window.crypto.getRandomValues(), a cryptographically secure pseudo-random number generator (CSPRNG) provided by your operating system. Nothing is sent to any server — generation happens entirely in your browser.

What does entropy mean for a password?

Entropy measures unpredictability in bits. Each additional bit doubles the search space. At 60 bits, a password resists offline attacks from a single GPU for years. At 128+ bits, it is computationally infeasible to crack by brute force with any foreseeable hardware.

What is the difference between MD5 and SHA-256?

MD5 produces a 128-bit hash and is cryptographically broken — collisions can be computed in seconds. SHA-256 produces a 256-bit hash and has no known practical collision attacks. Use SHA-256 for anything security-related; MD5 only for non-security checksums (e.g. file deduplication).

Should I use MD5 to hash passwords?

Never. MD5 (and even SHA-256) is too fast for password hashing — a modern GPU can compute billions of MD5 hashes per second, making rainbow table attacks trivial. Use a slow key derivation function: bcrypt, scrypt, or Argon2id. These add computational cost and a salt automatically.

What is HMAC and when should I use it?

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key. It proves both the integrity and authenticity of a message. Use HMAC-SHA256 for API request signatures, webhook verification, and JWT token validation.

How long should a password be?

For general accounts: at least 16 characters with mixed character sets (~104 bits). For high-value accounts (banking, email, crypto): 20+ characters or a 6-word passphrase (~154 bits). With a password manager, always use 20+ random characters — you don't need to remember them.

Is my text sent to a server when I hash it?

No. All hash calculations use the browser's built-in SubtleCrypto API (for SHA variants) and a pure JavaScript implementation (for MD5). Your text never leaves your machine.
