Password Generator
Strong, random passwords using your browser's secure crypto — never sent anywhere.
—The Password Generator creates strong, random passwords right in your browser. It uses the Web Crypto API for cryptographically secure randomness — not Math.random — so every password is unpredictable. Choose the length and which character sets to include, watch the live strength estimate, and copy with one click. Passwords are generated locally and never transmitted or stored.
- ✓Cryptographically secure — uses the Web Crypto API
- ✓Adjustable length (4–64) and character sets
- ✓Option to exclude look-alike characters (I, l, 1, O, 0)
- ✓100% private — nothing is ever sent to a server
What Makes a Strong Password
Password strength comes from entropy — length multiplied by the size of the character pool. A longer password with a mix of lowercase, uppercase, numbers, and symbols is exponentially harder to guess or brute-force. For accounts that matter, aim for at least 16 characters, use a unique password per site, and store them in a password manager. This tool shows an entropy-based strength estimate as you adjust the options.
Why Math.random() Isn't Good Enough
Most hand-rolled password generators reach for Math.random()— but it's a pseudo-random number generator (PRNG) designed for speed and statistical distribution, not unpredictability. Its internal state can, in principle, be inferred from enough output, and it carries no security guarantee at all. This tool uses crypto.getRandomValues(), the Web Crypto API's cryptographically secure random number generator (CSPRNG) — the same primitive TLS and browser security features rely on — so every character is drawn from an unpredictable, non-reversible source.
How Much Entropy Do You Need?
Entropy is measured in bits, and it's length × log2(pool size) — every extra character multiplies the number of possible passwords, which is why length matters more than clever substitutions like @ for a.
| Length + character set | Approx. entropy | Crack-resistance |
|---|---|---|
| 8 chars, lowercase only | ~38 bits | Weak — crackable in hours on modern hardware |
| 12 chars, mixed case + digits | ~71 bits | Fair — acceptable for low-value accounts |
| 16 chars, all sets (this tool's default) | ~105 bits | Strong — infeasible to brute-force |
| 20+ chars, all sets | ~130+ bits | Very strong — exceeds any practical attack |
Generating a Password
- 1Set the length with the slider — 16+ characters is a strong default for most accounts.
- 2Choose which character sets to include: lowercase, uppercase, numbers, and symbols.
- 3Optionally enable "Exclude look-alikes" if you'll need to type or read the password manually.
- 4Click Copy, or click New for a fresh one — every password is generated independently.
- 5Save it in a password manager rather than memorizing or reusing it.
Common Uses
- ▸New account signups — Generate a unique, strong password for each service instead of reusing one.
- ▸API keys & secrets — Create high-entropy strings for tokens, database passwords, and app secrets.
- ▸Rotating credentials — Quickly produce a fresh password when rotating a compromised or expiring one.
- ▸Wi-Fi and device passwords — Make a long, random passphrase for a router or device that others will type once.
- ▸Temporary or shared passwords — Generate a one-time password for a shared account or a trial environment.
Password Manager, Not Memory
A truly random 16+ character password is not meant to be memorized — that's the point. Store generated passwords in a password manager (built into your browser, or a dedicated app) so you never have to reuse or weaken one for the sake of recall. The one password worth memorizing is your password manager's master password — make that one long, unique, and nowhere else.