Password Generator

Strong, random passwords using your browser's secure crypto — never sent anywhere.

Strength
20

The Password Generator creates strong, random passwords right in your browser. It uses the Web Crypto API for cryptographically secure randomness — not Math.random — so every password is unpredictable. Choose the length and which character sets to include, watch the live strength estimate, and copy with one click. Passwords are generated locally and never transmitted or stored.

  • Cryptographically secure — uses the Web Crypto API
  • Adjustable length (4–64) and character sets
  • Option to exclude look-alike characters (I, l, 1, O, 0)
  • 100% private — nothing is ever sent to a server

What Makes a Strong Password

Password strength comes from entropy — length multiplied by the size of the character pool. A longer password with a mix of lowercase, uppercase, numbers, and symbols is exponentially harder to guess or brute-force. For accounts that matter, aim for at least 16 characters, use a unique password per site, and store them in a password manager. This tool shows an entropy-based strength estimate as you adjust the options.

Why Math.random() Isn't Good Enough

Most hand-rolled password generators reach for Math.random()— but it's a pseudo-random number generator (PRNG) designed for speed and statistical distribution, not unpredictability. Its internal state can, in principle, be inferred from enough output, and it carries no security guarantee at all. This tool uses crypto.getRandomValues(), the Web Crypto API's cryptographically secure random number generator (CSPRNG) — the same primitive TLS and browser security features rely on — so every character is drawn from an unpredictable, non-reversible source.

How Much Entropy Do You Need?

Entropy is measured in bits, and it's length × log2(pool size) — every extra character multiplies the number of possible passwords, which is why length matters more than clever substitutions like @ for a.

Length + character setApprox. entropyCrack-resistance
8 chars, lowercase only~38 bitsWeak — crackable in hours on modern hardware
12 chars, mixed case + digits~71 bitsFair — acceptable for low-value accounts
16 chars, all sets (this tool's default)~105 bitsStrong — infeasible to brute-force
20+ chars, all sets~130+ bitsVery strong — exceeds any practical attack

Generating a Password

  1. 1Set the length with the slider — 16+ characters is a strong default for most accounts.
  2. 2Choose which character sets to include: lowercase, uppercase, numbers, and symbols.
  3. 3Optionally enable "Exclude look-alikes" if you'll need to type or read the password manually.
  4. 4Click Copy, or click New for a fresh one — every password is generated independently.
  5. 5Save it in a password manager rather than memorizing or reusing it.

Common Uses

  • New account signupsGenerate a unique, strong password for each service instead of reusing one.
  • API keys & secretsCreate high-entropy strings for tokens, database passwords, and app secrets.
  • Rotating credentialsQuickly produce a fresh password when rotating a compromised or expiring one.
  • Wi-Fi and device passwordsMake a long, random passphrase for a router or device that others will type once.
  • Temporary or shared passwordsGenerate a one-time password for a shared account or a trial environment.

Password Manager, Not Memory

A truly random 16+ character password is not meant to be memorized — that's the point. Store generated passwords in a password manager (built into your browser, or a dedicated app) so you never have to reuse or weaken one for the sake of recall. The one password worth memorizing is your password manager's master password — make that one long, unique, and nowhere else.

Frequently Asked Questions

Yes. It uses the browser's Web Crypto API (crypto.getRandomValues) for cryptographically secure randomness, and it runs entirely on your device. Passwords are never sent over the network or stored on a server.

For important accounts, use at least 16 characters — 20 or more is better. Length adds more strength than complexity, so a long password with mixed character sets is ideal.

Characters like I, l, 1, O, and 0 are easy to confuse when a password is read or typed manually. Excluding them helps for passwords you'll transcribe, at a small cost to the character pool.

No. Generation happens locally in your browser and nothing is saved or transmitted. Close the tab and the password is gone unless you saved it yourself.

Math.random() is a fast, statistical PRNG with no cryptographic security guarantee — its output isn't designed to resist prediction. This tool uses crypto.getRandomValues(), the CSPRNG that browsers use for security-critical randomness.

No — always generate a unique password per account. Reusing a password means one breached site compromises every account that shares it (a technique called credential stuffing).

Related Tools