Alphanumeric Password Generator
This free alphanumeric password generator creates random passwords from letters and numbers only: 26 lowercase, 26 uppercase, and 10 digits. Everything runs in your browser with the Web Crypto API, nothing is sent to any server, and at 16 characters the result would take about 76 billion years to brute force.
What counts as an alphanumeric password
An alphanumeric password contains only letters and digits: a to z, A to Z, and 0 to 9. That is a pool of 62 characters, and each randomly chosen character is worth about 5.95 bits of entropy. No symbols, no spaces, no punctuation. The Medium setting on the generator above produces exactly this.
Why would you deliberately leave out symbols? Usually because something upstream forces you to. Older corporate systems and mainframe logins often predate modern password rules and silently reject or mangle special characters. Some banks still cap what their forms accept. Device identifiers work the same way: hostnames, asset tags, and serial style codes act like license plates for hardware, and most naming schemes only allow letters and digits. And plenty of software simply chokes on symbols, from CSV importers that trip over quotes and commas to shell scripts that treat a dollar sign as a variable.
If nothing is stopping you from using symbols, the strong password generator on our homepage includes them by default. But when a system says letters and numbers only, you lose surprisingly little, as the numbers below show.
How strong letters and numbers really are
A random 16 character alphanumeric password has about 95 bits of entropy and would take an offline attacker roughly 76 billion years to crack at 10 billion guesses per second. Even 12 characters holds out for about 5,000 years. Length, not the character menu, decides how long a password survives.
| Length | Entropy | Average time to crack |
|---|---|---|
| 8 characters | 48 bits | About 3 hours |
| 12 characters | 71 bits | About 5,000 years |
| 16 characters | 95 bits | About 76 billion years |
| 20 characters | 119 bits | Effectively uncrackable |
These figures assume the worst realistic case: an attacker with your password's hash, specialized hardware making 10 billion guesses per second, and the average outcome of searching half the keyspace. Real online logins are rate limited and millions of times slower to attack, so the table is deliberately pessimistic.
The takeaway is blunt. At 16 alphanumeric characters you are already past any brute force attack that current hardware can mount, with a margin measured in billions of years. That lines up with official guidance: NIST SP 800-63B recommends at least 15 characters for accounts protected by a password alone, and CISA suggests 16 or more. For a longer walk through the math, see our guide on how long a password should be.
Do symbols make a password stronger
A little, but far less than people assume. Adding the full symbol set grows the pool from 62 to 86 characters, which raises each character from about 5.95 bits to 6.43 bits. Dropping symbols costs you roughly half a bit per character, and two extra characters pay that back with room to spare.
Run the numbers on a 16 character password. Going from the full set to letters and digits only loses about 7.7 bits in total. Stretching the alphanumeric version to 18 characters adds about 11.9 bits, so you end up around 4 bits ahead of where you started. Length is the lever that actually moves strength. Character variety mostly just makes passwords harder to type.
This is also why NIST tells sites not to force composition rules like "must contain a special character" in the first place. A long random string is strong whatever it is made of, and a short one is weak no matter how many ampersands you sprinkle in. If a form rejects symbols entirely rather than just making them optional, our password generator without symbols covers a few extra variations of that case. And if you want the fuller picture of what does and does not add strength, read what makes a strong password.
Case sensitivity and readability
Mixed case does real work in an alphanumeric password. Lowercase letters plus digits is a pool of 36; adding uppercase pushes it to 62, worth about 0.78 extra bits per character. Across 16 characters that is roughly 12.5 bits, about the same as tacking on two more characters. Keep both cases on.
One thing to check before you trust a mixed case password: the system on the other end. Nearly every modern login treats passwords as case sensitive, but a handful of legacy systems fold everything to one case before checking. If you suspect that, test it, and compensate with extra length rather than assuming the uppercase letters count.
Readability matters whenever a human has to move the password by hand. In many fonts, a capital O and a zero are near twins, and lowercase l, the digit 1, and capital I can be indistinguishable. If someone will type the password from a sticky note, read it over the phone, or key it into a TV or terminal, just generate again until the result reads cleanly; every string is equally strong, so being picky costs nothing. For something even friendlier, the Easy preset on the strong password generator sticks to lowercase with the confusable characters removed, and a few extra characters of length buy back the smaller pool.
Setting up passwords for a whole batch of accounts, test users, or devices? The bulk password generator produces up to 1,000 at a time with the same letters and numbers preset, and you can download the list as a text file without anything leaving your machine.
Questions? Say less.
What is an alphanumeric password?
An alphanumeric password uses only letters and digits: lowercase a to z, uppercase A to Z, and 0 to 9. That gives 62 possible characters per position and no symbols, spaces, or punctuation, which is why systems with strict input rules accept it. A randomly generated alphanumeric password of 16 characters or more is strong enough for any account.
What does a 12 character alphanumeric password look like?
Something like Vk7mQ2xTr9Bp. That one is an example printed on a public web page, so never use it for a real account. A proper 12 character alphanumeric password is generated randomly, mixes upper and lower case with digits, and carries about 71 bits of entropy, enough to resist an offline attacker for roughly 5,000 years.
Are alphanumeric passwords weaker than passwords with symbols?
Only slightly, and length erases the gap. Each alphanumeric character carries about 5.95 bits of entropy versus 6.43 bits when symbols are included, a difference of about half a bit per character. Adding two extra characters more than makes up for an entire password's worth of missing symbols, so an 18 character alphanumeric password beats a 16 character one with symbols.
How long should an alphanumeric password be?
Use 16 characters. That gives about 95 bits of entropy and would take roughly 76 billion years to brute force at 10 billion guesses per second. NIST recommends at least 15 characters for accounts protected by a password alone, and CISA suggests 16 or more. If a password manager is filling it in for you, 20 characters costs nothing extra.
Does capitalization matter in an alphanumeric password?
Yes. Alphanumeric passwords are case sensitive on almost every system, and mixed case is where much of the strength comes from. Lowercase plus digits is a pool of 36 characters, while adding uppercase raises it to 62, about 0.78 extra bits per character. Over 16 characters that adds roughly 12.5 bits, about the same as making the password two characters longer.
Is this alphanumeric password generator safe to use?
Yes. Your browser generates each password itself using crypto.getRandomValues, the randomness source behind the Web Crypto API. Watch the DevTools Network tab if you like: generating triggers no traffic at all. Nothing is stored or sent anywhere, and the page keeps working with your internet switched off.