Password Generator -- Secure Random Passwords

Generate strong, random passwords instantly

Cryptographically secure random passwords generated in your browser with the Web Crypto API. Nothing is sent to any server.

Password Length 16
Uppercase (A-Z)
Lowercase (a-z)
Digits (0-9)
Symbols (!@#$...)
Exclude ambiguous (0O1lI)
Number of Words 5
Capitalize words
Append digit
Generated Password
Generating...
--
--
Entropy (bits)
--
Crack Time (1B/s)
--
Pool Size
Character Composition
Generate Multiple

Examples

Standard Strong Password
kR#9xQ$2mPf!7vNa
16 characters, all types enabled
Entropy: ~105 bits
Crack time: billions of years
Good default for most accounts with a password manager.
Passphrase for Memorization
timber-knack-plume-oyster-crank
5 words, hyphen separator
Entropy: ~64 bits
Crack time: ~580 years
Easier to type and remember. Good for a master password.
Short Password (Minimum)
dK!3pR@9
8 characters, all types
Entropy: ~52 bits
Crack time: ~142 years
Meets most site requirements. Use 12+ when possible.

How This Generator Works

This tool uses crypto.getRandomValues(), the Web Crypto API built into modern browsers. It produces cryptographically secure pseudorandom numbers -- the same standard used by security libraries and encryption software.

1
Build a character set from your selected options (uppercase, lowercase, digits, symbols)
2
Request random 32-bit integers from crypto.getRandomValues()
3
Map each random value to a character in the set using modular arithmetic
4
Repeat until the password reaches the requested length

For passphrases, the same randomness source selects words from a curated word list (based on the EFF long word list).

Understanding Password Entropy

Entropy measures how unpredictable a password is, expressed in bits. The formula for a randomly generated password:

entropy = length x log2(charset size)

Each additional bit doubles the number of possible passwords:

BitsCombinationsCrack Time (1B/s)
40 bits~1 trillion~9 minutes
60 bits~1.15 x 10^18~18 years
80 bits~1.21 x 10^24~19 million years
100 bits~1.27 x 10^30~20 trillion years

A 16-character password using all character types (94 possible characters) has roughly 105 bits of entropy -- far beyond what brute-force attacks can reach.

Password vs. Passphrase

A random password like kR#9xQ$2mP is compact and maximizes entropy per character, but hard to memorize. A passphrase like timber-knack-plume-oyster-crank is longer but much easier to remember and type.

  • Use random passwords when a password manager fills them for you (most accounts)
  • Use passphrases when you need to type or memorize the password (master password, device login, full-disk encryption)

Both approaches are secure when the words or characters are chosen randomly. The key is randomness, not complexity. A 5-word random passphrase (~64 bits) is stronger than a human-chosen 10-character password with predictable patterns.

Frequently Asked Questions

How does this password generator work?
It uses the Web Crypto API (crypto.getRandomValues) to generate cryptographically secure random numbers, which are mapped to your chosen character set. All generation happens in your browser -- no passwords are sent to any server.
Is it safe to generate passwords online?
Yes, as long as the generator runs entirely in your browser (client-side). This tool uses JavaScript with the Web Crypto API and never transmits your password. You can verify this by checking the page source or using your browser's network inspector.
How long should a password be?
For most accounts, 16 characters with mixed character types provides strong security (~105 bits of entropy). For high-value accounts like banking or a password manager master password, use 20+ characters or a 6-word passphrase (~77 bits).
What is password entropy?
Entropy measures password randomness in bits. The formula is: entropy = length x log2(charset size). Each additional bit doubles the number of possible passwords. A password with 80+ bits of entropy is considered very strong against brute-force attacks.
Is a passphrase stronger than a random password?
A passphrase can be equally strong and much easier to memorize. A 5-word passphrase from a 7,776-word list has about 64 bits of entropy. For most uses, 5-6 random words provide solid security while being far easier to remember than random characters.
What does "exclude ambiguous characters" mean?
It removes characters that look similar in many fonts: 0 (zero) and O (capital O), 1 (one) and l (lowercase L) and I (capital I). This is useful when passwords need to be read aloud or typed manually from a screen.
Does this tool store or log my passwords?
No. All password generation happens entirely in your browser. No passwords, inputs, or usage data are sent to any server. Nothing is stored.
Should I use a password manager?
Yes. A password manager lets you use a unique random password for every account without memorizing them. You only need to remember one strong master passphrase. This eliminates password reuse -- the single most common cause of account compromise.

Related Tools

Privacy & Limitations

  • All calculations run entirely in your browser -- nothing is sent to any server.
  • Results are computed using standard formulas and should be verified for critical applications.

Related Tools

View all tools

ASCII Table

ASCII codes with decimal, hex, and character lookup

Decimal to Hex Converter

Convert decimal numbers to hexadecimal

UUID Generator

Generate random UUIDs instantly

Binary to Decimal Converter

Convert binary numbers to decimal

Base Converter

Convert numbers between bases 2 and 36

Data Size Converter

Convert between bytes, KB, MB, GB, and TB

Password Generator FAQ

How does this password generator work?

It uses the Web Crypto API (crypto.getRandomValues) to generate cryptographically secure random numbers, which are mapped to your chosen character set. All generation happens in your browser — no passwords are sent to any server.

Is it safe to generate passwords online?

Yes, as long as the generator runs entirely in your browser (client-side). This tool uses JavaScript with the Web Crypto API and never transmits your password. You can verify this by checking the page source or using your browser's network inspector.

How long should a password be?

For most accounts, 16 characters with mixed character types provides strong security (~105 bits of entropy). For high-value accounts like banking or a password manager master password, use 20+ characters or a 6-word passphrase.

What is password entropy?

Entropy measures password randomness in bits. The formula is: entropy = length x log2(charset size). Each additional bit doubles the number of possible passwords. A password with 80+ bits of entropy is considered very strong against brute-force attacks.

Is a passphrase stronger than a random password?

A passphrase can be equally strong and much easier to memorize. A 5-word passphrase from a 7,776-word list has about 64 bits of entropy, comparable to a random 10-character mixed-case password with digits and symbols. For most uses, 5-6 random words provide solid security.

What characters are excluded with the 'exclude ambiguous' option?

The 'exclude ambiguous' option removes characters that look similar in many fonts: 0 (zero) and O (capital O), 1 (one) and l (lowercase L) and I (capital I). This is useful when passwords need to be read or typed manually.

Does this tool store or log generated passwords?

No. All password generation happens entirely in your browser using client-side JavaScript. No passwords, inputs, or usage data are sent to any server. Nothing is stored.

Should I use a password manager?

Yes. A password manager lets you use a unique random password for every account without memorizing them. You only need to remember one strong master password. This eliminates password reuse, which is the most common cause of account compromise.

Request a New Tool
Improve This Tool