Password Generator
Generate secure, cryptographically random passwords with customizable options. Your passwords never leave your browser.
24
1
Generated Password
Click generate to create password
Why Use a Password Generator?
Humans are systematically bad at creating random passwords. We gravitate toward patterns, dates, words, and predictable substitutions (like @ for a or 3 for e). Attackers know these patterns and exploit them in targeted attacks. A true random generator eliminates human bias entirely.
This tool uses crypto.getRandomValues() — the Web Crypto API built into your browser — to generate cryptographically secure random passwords. Your passwords are generated locally and never transmitted over the network or stored anywhere.
How to Create a Strong Password
- Set length to at least 16 characters for important accounts. Use 24+ for master passwords.
- Enable all character types: uppercase, lowercase, numbers, and symbols.
- Click Generate — click multiple times and pick a result you like.
- Store it immediately in a password manager. Never reuse it.
Password Strength: Entropy Explained
Password strength is measured in bits of entropy. Each additional bit doubles the search space for an attacker. Here's how the math works:
- Lowercase only (26 chars), 8 length — 37.6 bits — crackable in seconds with modern hardware
- Mixed case + numbers (62 chars), 12 length — 71.5 bits — takes years with dedicated hardware
- Full charset (95 chars), 16 length — 105 bits — computationally infeasible to brute force
- Full charset (95 chars), 24 length — 157 bits — beyond any foreseeable computing capability
Password Manager Recommendations
- Bitwarden — Open source, free tier, self-hostable. Recommended for most users.
- 1Password — Polished UX, strong team features, paid.
- KeePassXC — Fully offline, open source, database stored locally.
- Apple Keychain / iCloud Keychain — Good for Apple-only users, built-in and free.
Frequently Asked Questions
For most accounts: 16 characters minimum. For email, banking, and password manager master passwords: 24+ characters. Length matters more than complexity — a 20-character lowercase-only password is stronger than a 10-character password with all character types. NIST guidelines (SP 800-63B) now recommend length over complexity requirements.
Yes, when done correctly. This tool uses
crypto.getRandomValues() — a cryptographically secure pseudorandom number generator (CSPRNG) seeded by the operating system's entropy source. It's the same API used by password managers and security tools. The key safety requirement is that generation happens locally with no network transmission, which this tool guarantees.Passphrases (random word combinations like "correct horse battery staple") are easier to remember and can be very strong. A 4-word passphrase from a 7,776-word list (Diceware) provides about 51 bits of entropy — reasonable but not exceptional. A 16-character random password with full character set provides ~105 bits. For accounts stored in a password manager, use random passwords. For a master password you must memorize, a 6-7 word Diceware passphrase is excellent.
Poorly designed systems sometimes restrict special characters because they fail to properly sanitize input. If a site rejects your generated password, either use the tool's "exclude ambiguous characters" option to try simpler characters, or reduce the character set. Note: sites that restrict password length to under 16 characters or block special characters are indicating poor security practices.
Functionally very similar — both use CSPRNGs to generate random passwords. A password manager's generator has the advantage of immediately saving the password. This tool is useful when you need to generate passwords outside a password manager context, share a tool with a team, or verify how strong a given configuration is before committing to a password manager setup.