Password Generator
Generate cryptographically strong random passwords
How to Use the Password Generator Online
Generate cryptographically strong random passwords entirely in your browser.
- Drag the length slider to your desired number of characters (16–24 is a reasonable target for most accounts).
- Pick which character classes to include: lowercase, uppercase, digits, and symbols. At least one must be selected.
- Optionally enable "Exclude similar characters" if you will need to type the password manually.
- Click "Generate new password" — a fresh password appears in the field at the top.
- Watch the entropy meter: 80+ bits is the modern bar for offline-attack resistance.
- Click "Copy" to put the password on your clipboard, then paste it into your password manager.
About Password Generator
Strong passwords are the cheapest, highest-impact security control most people have access to. A password generated by this tool with the default settings — 20 characters, all four classes — carries roughly 130 bits of entropy. That is the same magnitude as a 128-bit symmetric encryption key: brute-forcing it offline at a trillion guesses per second would take longer than the age of the universe. The hard part is not generating the password; it is storing it somewhere you will not lose.
The generator uses three pieces of standard cryptographic plumbing. First, every random byte comes from `crypto.getRandomValues`, the WebCrypto entropy source. This is the same primitive used to seed real cryptographic keys and is backed by the operating system's CSPRNG. Second, characters are drawn with **rejection sampling** rather than a modulo of the raw random integer — this eliminates the subtle bias that older "random % N" generators have. Third, when you enable multiple character classes, the result is guaranteed to contain at least one character from each class so it passes the typical "must contain a digit and a symbol" rules without you having to regenerate.
A few practical notes. The character set includes the 26 lowercase letters, 26 uppercase, 10 digits, and 28 punctuation marks for a 90-character alphabet (94 with all the more exotic symbols included; this tool uses a slightly trimmed list to dodge characters that some legacy systems escape strangely). The "Exclude similar characters" toggle removes the eight glyphs that look alike in common fonts — `i l 1 L I` and `0 O o` — which is useful when you have to read a password aloud or type it from a printed page. It costs about 0.2 bits of entropy per character, which is irrelevant for a 16+ character password.
Entropy is the only honest measure of password strength. The classic password strength meters that grade based on "contains a number" or "contains a symbol" are essentially decorative — they cannot tell the difference between `P@ssw0rd1` and a truly random 9-character string, even though the first appears in every leaked-password dictionary. The bar in this tool computes `log2(charsetSize) × length` and grades against the current consensus: under 28 bits is "very weak" (cracked instantly), 80–100 bits is "strong" (resistant to any realistic offline attack), and above 100 bits is "very strong" with margin for future hardware.
Everything happens locally. The page does not call out to a server to fetch random bytes, does not log generated passwords, and contains no telemetry beyond the site-wide error reporter (which only fires on uncaught exceptions, never on password content). You can verify by opening DevTools and watching the network panel while you generate a few passwords.
Frequently Asked Questions
Is this actually random, or is it pseudo-random?
It uses `crypto.getRandomValues`, which is the cryptographically secure random source provided by your browser. On modern operating systems this draws from the OS entropy pool (typically /dev/urandom on Unix, BCryptGenRandom on Windows). It is the same primitive used by WebCrypto for generating real encryption keys.
Why does the tool reject some random numbers instead of using `random % charsetSize`?
`random % N` introduces modulo bias whenever `N` does not evenly divide the random range. The bias is tiny for a single password but becomes detectable when you generate many. The generator uses rejection sampling: it discards values at or above the largest multiple of `N` that fits in 32 bits, which keeps every character of the charset equally likely.
What is "entropy in bits" and how big does it need to be?
Entropy is `log2(charset size) × length`. A 12-character password from the 94 printable ASCII characters has about 79 bits of entropy. The current rule of thumb for offline-attack resistance is 80 bits or more; 100+ bits is a comfortable margin against future hardware. The strength bar uses this calculation, not the "uses a symbol = strong" heuristic that password meters got wrong for years.
Why does "Exclude similar characters" lower entropy?
Because it shrinks the charset. Dropping `i l 1 L I 0 O o` removes 8 characters from the 62-character alphanumeric set — about 0.2 bits per character. For a 20-character password that costs you ~4 bits total, which is well within a safe margin. Turn it on when you will be typing the password from a printout or reading it over the phone.
Does the password contain at least one of each selected character class?
Yes. The generator places one character from each enabled class first, fills the rest randomly from the combined alphabet, and then shuffles. This guarantees that systems with rules like "must contain at least one uppercase letter and one digit" accept the result.
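The rejection sampling and the "one from each class, fill, shuffle" procedure described in the answers above, together with the entropy formula from the About section, as an added sketch that is not this tool's own source code. The exact symbol list, the function names and the Fisher-Yates shuffle are assumptions; the page only gives class sizes and says the result is shuffled.

```javascript
// Browser: globalThis.crypto. The require() fallback only runs on older Node.js.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Constructed alphabets: the page gives class sizes (26/26/10/28), not the exact symbols.
const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!#$%&()*+,-./:;<=>?@[]^_{|}~',
};
const SIMILAR = 'il1LI0Oo'; // the eight look-alike glyphs named on the page

function draw32() {
  return rng.getRandomValues(new Uint32Array(1))[0];
}

// Uniform integer in [0, n): reject draws at or above the largest multiple of n
// that fits in 2^32, so the final modulo cannot favour low values.
function randomBelow(n, draw = draw32) {
  const limit = Math.floor(0x100000000 / n) * n;
  let x;
  do { x = draw(); } while (x >= limit);
  return x % n;
}

function generatePassword(length, classNames, excludeSimilar = false) {
  const sets = classNames.map((name) =>
    [...CLASSES[name]].filter((c) => !(excludeSimilar && SIMILAR.includes(c))));
  if (sets.length === 0 || length < sets.length) {
    throw new RangeError('need at least one class and one character per class');
  }
  const alphabet = sets.flat();
  // One character from each enabled class, then fill from the combined alphabet.
  const chars = sets.map((set) => set[randomBelow(set.length)]);
  while (chars.length < length) chars.push(alphabet[randomBelow(alphabet.length)]);
  // Fisher-Yates shuffle (assumed; the page only says "shuffles"), driven by the
  // same unbiased sampler so the forced characters land in uniform positions.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  // The page's meter formula: log2(charsetSize) * length.
  return { password: chars.join(''), bits: Math.log2(alphabet.length) * length };
}
```

Because one character per class is forced, the set of possible outputs is slightly smaller than the formula assumes, so `bits` is a marginal overestimate; the difference is negligible at 16 or more characters.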
Is the generated password sent anywhere?
No. Generation happens entirely in your browser. Nothing is logged, transmitted, or stored. Close the tab and the password is gone.
Should I use this for high-value accounts (banking, email)?
Yes, with one caveat: store it somewhere durable before you close the tab. A password manager (1Password, Bitwarden, KeePassXC, the one built into your browser) is the right place. The generated password is only as safe as the place you keep it.