CloakShare CloakShare
Log in Get API Key
Free · No signup · Runs in your browser

Free Password Generator

Cryptographically secure passwords. Real-time strength meter. No network requests, no logs, no signup. Your password never leaves your browser.

Strength
Entropy:
Charset:
Crack time:

Now share it securely

Emailing a generated password defeats the point. CloakShare's secure-link feature: generate a one-time tracked link, set an expiry, send the link instead of the password. The recipient opens it once and the secret is gone.

How CloakShare works → Use cases

How the strength meter works

Entropy measures how many guesses an attacker would have to try in the worst case. Calculated as log₂(charset_size) × length. A 20-character password drawing from 94 printable ASCII characters has ~131 bits of entropy.

Crack time assumes an offline attack against a stolen bcrypt hash with one modern GPU (~10,000 hashes/sec, Hashcat published benchmark). Online attacks against rate-limited login forms are vastly slower.

Length beats complexity. A 24-character lowercase-only password (~113 bits) is exponentially stronger than an 8-character password with all character classes (~52 bits). The strength meter weights length accordingly.

FAQ

Is this password generator really secure?

Yes. The generator uses crypto.getRandomValues() — your browser's cryptographically secure random source, the same primitive used by TLS and password managers. Passwords are generated entirely in your browser. They never leave your machine. There is no network request when you click Generate.

How is password strength calculated?

The strength meter estimates entropy in bits using the Shannon formula: log2(charset_size) × length. The crack-time estimate uses Hashcat's published rate for bcrypt (10,000 hashes/sec on a single GPU) and assumes the attacker has stolen the hash. Higher numbers = exponentially harder to crack.

What length should I use?

For accounts that matter (banking, work email, password manager master password): 20+ characters with mixed case, numbers, and symbols (≥130 bits of entropy). For throwaway accounts: 16 characters is plenty. Length matters far more than complexity rules — a 24-character lowercase-only password is much stronger than an 8-character password with all character classes.

Why do you exclude similar-looking characters?

Optionally excluding 0/O/o, 1/l/I makes passwords easier to read aloud or transcribe from paper without losing meaningful entropy. The strength meter accounts for the reduced charset.

How do I share this password securely?

Don't email or message it. Use CloakShare's secure-link feature: generate a one-time tracked link, set an expiry, and send the link instead. The recipient opens it once and the secret is gone. Built specifically for this use case.

Investor data rooms

Share decks and term sheets with per-recipient watermarks, expiry, and access logs.

Sales enablement

Track which pages prospects actually read. Watermarked PDFs and video links.