You are signing up for a new account. The website asks you to create a password. Your brain immediately goes to the same place it always does. Your dog’s name. Your birth year. Maybe an exclamation mark at the end if the site insists on a special character.
That password will be cracked in seconds. Not minutes. Seconds.
This is exactly the problem LastPass Password Generator was built to solve. It creates passwords that are genuinely impossible to guess, stores them so you never have to remember them, and fills them in automatically when you need them. You never have to think about passwords again.
Here is everything you need to know about using it, whether it is safe after the 2022 breach, and whether it is still the right choice in 2026.
What is the LastPass Password Generator?
The LastPass Password Generator is a free tool that creates random, cryptographically secure passwords based on parameters you set. Length, uppercase letters, lowercase letters, numbers, special characters. You choose the rules, and it generates a password that follows them instantly.
It is available as a browser extension, a mobile app, and a free online tool that works without even creating an account. Generated passwords can be saved directly to your LastPass vault or copied and used anywhere.
The generator does not create passwords the way humans do. It uses cryptographic randomness, meaning every character is independently random with no pattern, no logic, and no predictability. That is what makes the passwords it creates genuinely strong rather than just complicated-looking.
How to Use the LastPass Password Generator?
On Desktop or Browser
Install the LastPass browser extension from the Chrome, Firefox, Edge, or Safari extension store. Once installed, a LastPass icon appears in your browser toolbar.
When you land on any website’s signup or password change page, click inside the password field. A LastPass icon appears inside the field. Click it and select “Generate Secure Password.” A password appears instantly with your default settings applied.
To customize the password before using it, click the LastPass toolbar icon, go to Tools, and select Password Generator. A panel opens where you can:
- Set length from 8 to 99 characters
- Toggle uppercase letters on or off
- Toggle lowercase letters on or off
- Toggle numbers on or off
- Toggle special characters on or off
- Enable “easy to read” mode, which removes characters like 0, O, l, and 1 that look similar
The keyboard shortcut Alt+G opens the generator instantly without clicking anything. Once you are happy with the password, click Use Password, and LastPass automatically fills it in and offers to save it to your vault.
On Mobile (iOS and Android)
Open the LastPass app and tap the menu icon. Select Password Generator from the options. The same customization panel appears. Set your parameters, tap Generate, and copy the password to use it anywhere.
On iOS, LastPass integrates directly with the keyboard. When a password field is detected, a LastPass option appears above the keyboard. Tap it to generate and fill a password without leaving the app you are using.
On Android, the process is similar through the autofill accessibility service. Enable LastPass as your autofill provider in phone settings and it works automatically across every app.
Online Generator (No Account Needed)
Go to lastpass.com/features/password-generator directly in any browser. The full generator loads without requiring a login or account. Set your parameters, generate a password, and copy it. This works on any device, including ones where you have not installed LastPass.
This is useful when you are on a shared or public computer and need a strong password quickly without logging into anything.
What Actually Makes a Password Strong?
Most people think a strong password just needs to be complicated. It does not. It needs to be long and random.
LastPass checks every generated password against the zxcvbn library, an industry-standard password strength estimator originally developed at Dropbox. It scores passwords based on length, character variety, and the absence of common patterns and dictionary words.
The numbers make the case better than any explanation:
A 12-character password using only numbers takes about 25 seconds to crack with modern hardware. That same 12-character password using uppercase letters, lowercase letters, numbers, and special characters takes approximately 34,000 years to crack.
Length matters more than complexity. A 20-character password made of random lowercase letters is stronger than a 10-character password with every possible character type included. LastPass recommends a minimum of 15 characters for any password protecting an important account.
The default LastPass generator setting is 16 characters with all character types enabled. That is a good starting point. For banking, email, and any account tied to payment information, push it to 20 characters minimum.
Is LastPass Safe to Use in 2026?
This is the question everyone asks, and it deserves a completely honest answer.
LastPass suffered two significant security incidents in 2022 that affected every customer. In August 2022 a developer’s laptop was compromised and source code was stolen. Attackers used information from that first breach to target a DevOps engineer’s home computer in October 2022, this time through a vulnerability in the Plex media server the engineer had installed personally.
Using access gained from that second breach, attackers stole encrypted vault backups for LastPass’s entire customer base in December 2022.
Here is what was in those stolen backups. Passwords and usernames were encrypted, protected by each user’s master password, which LastPass never stores. Website URLs were not encrypted, meaning attackers could see every site a user had an account on, even without cracking the vault. Email addresses, billing addresses, and partial credit card numbers were also exposed.
The consequences were serious. The UK Information Commissioner’s Office fined LastPass £1.2 million in November 2025. LastPass settled a class action lawsuit for $24.5 million in December 2025. The FBI and Secret Service confirmed links between the stolen vaults and a $150 million cryptocurrency heist targeting users whose master passwords were weak enough to crack.
LastPass has since rebuilt its development environment from scratch, increased encryption iteration rounds to 600,000, added endpoint detection and monitoring, and brought in new security leadership.
So is it safe now? The honest answer is that it is significantly more secure than it was in 2022. But the breach happened, and the stolen vaults are still out there. If your master password was short or simple, those vaults are potentially still being worked on by attackers.
If you currently use LastPass with a strong master password of 16 or more random characters and have two-factor authentication enabled, your risk is manageable. If your master password was something like a word with a number at the end, change every important password immediately, regardless of which password manager you use going forward.
Should You Use LastPass or Switch to Something Else?
LastPass is functional, well-designed, and the password generator works exactly as advertised. But given the 2022 breach and the free plan restrictions, it is worth knowing what else exists before committing.
Bitwarden
Bitwarden is the strongest free alternative. It is open source, stores unlimited passwords on unlimited devices for free, has never had a known breach, and costs $10 per year for premium features. Security researchers can audit its code publicly, which is a level of transparency LastPass cannot offer. For anyone unwilling to pay for a password manager, Bitwarden is the clear recommendation.
1Password
1Password has no free plan, but its $2.99 per month individual plan includes Travel Mode which temporarily removes sensitive vaults from your device when crossing borders, a feature no competitor offers. It has undergone multiple independent security audits by Cure53 with no significant findings. For anyone who travels internationally, it is worth the price.
Keeper
Keeper is the most security-focused option, used heavily by enterprises and government agencies. More expensive but built to a higher security standard than most consumer tools.
If you are already using LastPass and have a strong master password with two-factor authentication enabled, switching is not urgent. If you are new to password managers, Bitwarden gives you everything you need for free without the breach history.
FAQs
Yes. The password generator is free and works online at lastpass.com/features/password-generator without creating an account. The browser extension generator is also free with any LastPass account, including the free tier.
Very strong. A 16-character password with mixed characters takes approximately 34,000 years to crack with current hardware. LastPass checks every generated password against the zxcvbn strength estimator before showing it to you.
No. LastPass uses zero-knowledge architecture, meaning your master password and vault contents are encrypted on your device before being sent to LastPass servers. LastPass never has access to your decrypted passwords.
Yes, in 2022. Encrypted vault backups were stolen for all customers. Passwords inside vaults remained encrypted, but website URLs, email addresses, and billing details were exposed unencrypted. LastPass settled a class action for $24.5 million and was fined £1.2 million by the UK ICO.
Bitwarden. It is open source, free on unlimited devices, has never had a known breach, and costs $10 per year for premium features. It is the most recommended free password manager among security professionals in 2026.
- Zero Trust Security Architecture: A Practical User Guide - April 14, 2026
- Open Banking API Platforms: Top 10 Picks for Fintech Developers - April 13, 2026
- GitHub Copilot Alternatives: Top AI Coding Assistants Ranked - April 12, 2026
