Generate a
12-character
password

Security frameworks like NIST SP 800-63 point to 12 characters as the practical floor for general accounts because it pushes brute-force attack time well beyond what's computationally feasible for most attackers. Below 12, the math starts to get uncomfortable with improving hardware.

Not necessarily — a 4-word passphrase has similar or greater entropy, is easier to type, and is easier to remember. The advantage of a 12-character random string is that it's shorter (useful for character-limited fields) and slightly harder to guess using natural language models.

Yes. The biggest password-related threats in 2025 are phishing (stealing your password directly) and credential stuffing from breach databases — neither is stopped by password length alone. 2FA blocks both. Treat it as essential, not optional.

We use the Web Crypto API's crypto.getRandomValues() function — the same cryptographically secure randomness used in TLS and encrypted communications. Your password is generated entirely in your browser and is never sent to our servers.

Then a 12-character password is your best option for that site. Enable all character types (upper, lower, numbers, symbols) in our generator to maximise the entropy of your 12 characters. And if the site really caps at 12, consider that a security red flag about the platform.