Password Generator

Generate strong, random passwords using your browser's cryptographic random source. Choose the length and character sets, see the entropy in bits, and copy the result — passwords are created on your device and never transmitted.

Runs in your browser — your files never leave your device

What makes a password strong

Strength is measured in entropy — the number of equally-likely possibilities an attacker must try. Each additional character multiplies the search space, which is why length beats complexity: a 16-character lowercase-plus-digits password (~82 bits) is far stronger than an 8-character everything password (~52 bits).

This generator uses crypto.getRandomValues — the browser's cryptographically secure random source — with unbiased sampling, and guarantees at least one character from each set you select. As a rule of thumb: 45 bits is weak, 70+ bits is strong for online accounts, and 100+ bits is effectively uncrackable with current hardware.

Never reuse passwords across sites; a password manager plus unique generated passwords is the combination that actually protects accounts. Because generation happens locally, nothing you create here ever touches a network.

How to use Password Generator

  1. 1Set the length (12+ recommended; 16 is a strong default).
  2. 2Choose which character sets to include, and optionally avoid look-alike characters.
  3. 3Check the entropy readout — aim for 70+ bits.
  4. 4Copy a password, or generate several and copy them all.

Frequently asked questions

Are these passwords generated on a server?

No. Passwords are generated on your device with the Web Crypto API and are never sent anywhere — you can verify no network requests occur in your browser's DevTools.

How long should my password be?

16 characters with mixed sets is a strong default (100+ bits). Use at least 12 for anything that matters, and longer for critical accounts.

What does the entropy number mean?

It's the size of the search space in bits — each extra bit doubles the number of guesses an attacker needs. 70+ bits is strong for online accounts.

Why avoid look-alike characters?

Characters like I, l, 1, O and 0 are easy to confuse when typing a password manually. Excluding them slightly reduces entropy but prevents lockouts from misreading.