
Password Generator

Generate cryptographically random passwords. Pick length, character classes (upper, lower, digits, symbols), and exclude lookalikes.


How to use Password Generator

  1. Drag the length slider to set how many characters you want. 16 is a strong minimum; 20 or more is better for stored passwords.
  2. Toggle the character classes — uppercase, lowercase, digits, and symbols — to match what the site allows.
  3. Optionally enable "exclude lookalikes" to drop 0/O and 1/l/I so the password is easy to read aloud or transcribe.
  4. Click the refresh button to generate a fresh password from a cryptographically secure random source.
  5. Check the entropy estimate, copy the password, and store it in a password manager — do not try to memorize it.

How to generate a password that is actually strong

The most reliable password is one no human chose. People reach for names, dates, and keyboard patterns that attackers model first; a computer drawing characters at random has no such bias. This generator does exactly that, using your browser's cryptographic random source, so the only thing standing between an attacker and your account is raw, unguessable entropy.

Where the randomness comes from

One detail decides whether the output is genuinely unguessable: the source of randomness. This generator samples each character with crypto.getRandomValues(), the operating system's cryptographic entropy surfaced to the browser. Picks are independent and uniform across the pool you enable, so no character leaks information about its neighbours.

Why length is the lever that matters

A short password bristling with symbols feels "complex," but feel is not entropy. The strength of a random password is length × log2(pool size) bits, and stretching the length scales that figure linearly while widening the alphabet barely nudges it. Compare:

Pool of all 4 classes (~86 chars): log2(86) ≈ 6.4 bits/char

12 characters: 12 × 6.4 ≈ 77 bits
16 characters: 16 × 6.4 ≈ 103 bits
20 characters: 20 × 6.4 ≈ 128 bits

Every character you add multiplies an attacker's work by the size of the pool, about 86-fold here, or roughly 6.4 doublings. That is why a long password from a smaller alphabet often beats a short one from a large alphabet, and why the length slider is the most important control here.

Choosing character classes

Enable as many classes as the target site accepts — uppercase, lowercase, digits, and symbols — because each one widens the per-character pool. Some legacy systems reject certain symbols; if a password is mysteriously refused, turn symbols off and add two characters of length instead. The "exclude lookalikes" option removes 0/O and 1/l/I for passwords you will read or type by hand, at a small cost to per-character entropy.
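
The sampling and entropy arithmetic from the sections above, as an added example that is not this generator's own code: each character is drawn from crypto.getRandomValues() with rejection sampling so picks stay uniform, and the length needed for a target is recomputed when the pool shrinks. The symbol set and all function names are assumptions, chosen so the full pool matches the page's figure of about 86.

```javascript
// Added example: uniform sampling from crypto.getRandomValues() plus the
// length x log2(pool) estimate. The symbol set is constructed for this demo.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const CLASSES = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?/", // constructed: 24 symbols, pool of 86
};
const LOOKALIKES = new Set("0O1lI");

function buildPool(classes, excludeLookalikes = false) {
  const chars = classes.flatMap((name) => [...CLASSES[name]]);
  return chars.filter((c) => !(excludeLookalikes && LOOKALIKES.has(c)));
}

// Uniform integer in [0, n). A bare `value % n` favours low indexes whenever
// n does not divide 2^32, so values past the last full multiple are redrawn.
function randomIndex(n) {
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, pool) {
  if (pool.length < 2) throw new RangeError("enable at least one character class");
  return Array.from({ length }, () => pool[randomIndex(pool.length)]).join("");
}

const entropyBits = (length, poolSize) => length * Math.log2(poolSize);

// Shortest length that still reaches a target after the pool shrinks.
const lengthFor = (bits, poolSize) => Math.ceil(bits / Math.log2(poolSize));

const all = buildPool(["upper", "lower", "digits", "symbols"]);
const noSymbols = buildPool(["upper", "lower", "digits"]);
console.log(generatePassword(20, all), entropyBits(20, all.length).toFixed(1));
console.log(lengthFor(128, all.length), lengthFor(128, noSymbols.length));
```

With this pool, dropping symbols raises the length needed for 128 bits from 20 to 22, and excluding lookalikes raises it from 20 to 21.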

Hand it straight to a password manager

A 20-character random string is built to be forgotten, not memorized. Copy it into a password manager and let autofill carry it from there. The only credentials worth committing to memory are the two that gate everything else — your device unlock and the manager's master passphrase — and those belong in the passphrase generator, not here.

Frequently asked questions

How random are these passwords?
Characters come from crypto.getRandomValues(), the browser CSPRNG that browsers also use to seed TLS connections — not the throwaway Math.random() used for shuffling and animation.
How long should my password be?
Length is the single biggest lever on strength. Aim for 16+ characters for important accounts and 20+ for passwords a manager stores for you. Below 12 characters even a full symbol set is brute-forceable by a determined attacker; beyond about 32 you are comfortably past any practical threat.
Does length or character variety matter more?
Length, by a wide margin. Each extra character multiplies the search space, while adding a new character class only widens it once. A long password using just letters can be stronger than a short one packed with symbols — though combining both is ideal when a site permits it.
Why would I exclude lookalike characters?
When a password has to be read off a screen, dictated over the phone, or typed from a printed copy, the pairs 0/O and 1/l/I cause errors. Excluding them slightly shrinks the character pool (and thus entropy per character), so add a character or two of length to compensate if you turn it on.
Is the password sent anywhere?
No — the password is built and displayed without a single network request, so no server ever sees it. If you want belt-and-braces certainty, switch to airplane mode before generating; the slider and button keep working.
What do the entropy bits mean?
Entropy, in bits, is the base-2 logarithm of how many equally likely passwords an attacker would have to try. Each extra bit doubles the work. Under 40 bits is weak, 60 resists casual offline attacks, and 80+ is strong against a determined attacker — a target a 16-character all-classes password clears easily.
Should I reuse a strong password across sites?
Never. Reuse is the most common way accounts are compromised: when one site is breached, attackers replay your email and password everywhere else (credential stuffing). A unique random password per site contains the damage to a single account. A password manager makes this practical.
How do I remember a 20-character random password?
You should not have to. Generate it here, store it in a password manager, and let the manager fill it in. The only passwords worth memorizing are the few that unlock everything else — your device login and your manager's master password — and those are better as long passphrases.

Built by Muhammad Tahir · About