Password Generator
Create strong, random passwords right in your browser. Choose the length and character types — your password is generated locally and never sent anywhere.
How to use it
Set the length and pick which character types to include — uppercase, lowercase, numbers and symbols. A new password appears instantly; click the refresh button for another, or the copy button to grab it. The strength meter below the password estimates how hard it would be to guess. What actually makes a password strong is length and variety, not clever substitutions. Swapping "a" for "@" or "e" for "3" barely helps — attackers' cracking tools already check those patterns first. A longer password built from a wider pool of characters is harder to guess than a short one dressed up with symbols, because the number of possible combinations grows with both the length and the size of the character pool. This tool generates passwords using the Web Crypto API's crypto.getRandomValues(), the same cryptographically secure random number source browsers use for encryption. That's a meaningful difference from Math.random(), which is fast but predictable enough that it's not meant for anything security-related. Every character in your generated password is chosen independently and unbiased, so there's no pattern for software to learn from. Strength is usually measured in bits of entropy: roughly the length of the password multiplied by log2 of the character pool size. A 16-character password drawn from a 94-character pool (all uppercase, lowercase, digits and symbols) works out to about 16 × 6.55 ≈ 105 bits. That number is far beyond what any realistic brute-force attack could work through — it would take longer than the age of the universe with current hardware. Nothing you generate here is sent anywhere. The password is created entirely in your browser using client-side JavaScript, so it never touches a network request or a server log — refresh the page and it's gone, exactly as if you'd written it on paper and burned it. A few practical habits matter more than any single tool: use a different password for every account, so one leaked site doesn't compromise the rest. Store them in a password manager instead of memorizing or reusing variations — that's what actually makes long, random passwords usable day to day. And turn on two-factor authentication wherever it's offered; it protects you even if a password does eventually leak.
Frequently asked questions
- Are these passwords really random?
- Yes. Each character comes from the Web Crypto API's crypto.getRandomValues(), the cryptographically secure random source browsers use for encryption — not Math.random(), which is predictable and unsuitable for security. Every character is chosen independently with no bias toward any pattern.
- Is it safe to generate passwords online here?
- Yes. Generation happens entirely in your browser using JavaScript that runs on your device — the password is never sent to a server, logged, or stored anywhere. Reload the page and it's gone, the same as if it never existed outside your screen.
- How long should my password be?
- At least 16 characters for most accounts, using a mix of uppercase, lowercase, numbers and symbols. That gives over 100 bits of entropy, well beyond brute-force reach. For especially sensitive accounts (email, banking, your password manager itself), go to 20 or more.
- Should I reuse a strong password across sites?
- No. A strong password only protects the account it's used on — if one site is breached and you've reused it, every other account with that password is exposed too. Generate a unique password per site and keep track of them with a password manager rather than reusing even a very strong one.