Generate secure passwords, batch-generate, check strength with entropy and crack-time, and create xkcd-style passphrases. All cryptographically random. Free. No signup. No tracking.
A password you check is typed locally and POSTed to /password/strength. Nothing is logged. Use a real password only on your own device.
This generator uses Python's secrets module on the server — a cryptographically secure pseudo-random number generator (CSPRNG) suitable for keys, tokens, and passwords. It's the same primitive recommended by the Python documentation for managing data such as passwords, account authentication, and security tokens.
Entropy is calculated as length × log₂(pool_size). A 16-character password using all four character classes (94 symbols) provides ~105 bits — well past the threshold for "very strong". The strength checker also penalizes common passwords (e.g. password123, qwerty!) and obvious keyboard runs.
Crack-time estimates use industry-standard guess rates: 1,000 guesses/sec for an online attacker against a throttled login form, and 10¹¹ guesses/sec for an offline attacker with a modern GPU on a fast hash. These rates are upper bounds on the attacker's speed: slow hashes (bcrypt, argon2) push offline crack times much higher.
The passphrase generator uses a curated wordlist of 700+ short common English words. A 6-word passphrase provides ~57 bits of entropy — comparable to a 10-character random alphanumeric password but far easier to type and remember. (See the xkcd-936 motivation.) For higher security, use 8+ words or fall back to a random password.
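The generation, entropy and crack-time arithmetic described above, as an added Python example (not this service's own code). The function names, the character-class heuristic for typed passwords, the zero score for denylisted values and the full-keyspace crack time are assumptions made for illustration.

```python
import math
import secrets
import string

ONLINE_RATE, OFFLINE_RATE = 1_000, 10**11  # guesses/sec quoted on this page
POOL = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
COMMON = {"password123", "qwerty!"}  # constructed denylist (the page's two examples)


def generate_password(length=16, pool=POOL):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(pool) for _ in range(length))


def generate_passphrase(wordlist, n_words=6, sep="-"):
    """Pick words with replacement: each adds log2(len(wordlist)) bits."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(length, pool_size):
    """length x log2(pool_size); only valid for uniformly random symbols."""
    return length * math.log2(pool_size)


def observed_pool_size(password):
    """Assumed heuristic: sum the sizes of the character classes present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def check_strength(password):
    """Entropy estimate for a typed password; denylisted values score zero."""
    pool = observed_pool_size(password)
    if pool == 0 or password.lower() in COMMON:
        return 0.0
    return entropy_bits(len(password), pool)


def crack_seconds(bits, guesses_per_sec):
    """Seconds to exhaust the whole keyspace at the given guess rate."""
    return 2.0 ** bits / guesses_per_sec


if __name__ == "__main__":
    pw = generate_password()  # never printed or logged, only measured
    bits = check_strength(pw)
    print(f"{len(pw)} chars: {bits:.1f} bits, offline {crack_seconds(bits, OFFLINE_RATE):.2e} s")
    print(f"6 words from 700: {entropy_bits(6, 700):.1f} bits")
```

A generated password that happens to omit one character class scores below 105 bits under the class heuristic even though it was drawn from all 94 symbols, which is why a checker's estimate for a typed password is only an approximation.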
Everything on this page is powered by a free public API. See /password-docs for endpoints. Quick examples:
No passwords or passphrases are logged, stored, or transmitted to third parties. All randomness happens server-side using secrets; the server never sees your password until you POST it to /password/strength, and even then it is processed in memory only.