Password Generator
Generate strong, random passwords. Everything runs in your browser — nothing is sent to a server.
What makes a password strong
A password's strength is not about whether it contains a symbol or a capital letter — it's about entropy, the number of equally likely possibilities an attacker has to work through. Entropy is measured in bits, and each bit doubles the work. A password of L characters, each drawn at random from a set of S possible characters, has roughly L × log₂(S) bits of entropy. A 12-character password using lowercase, uppercase, digits and symbols (about 94 possibilities per character) carries roughly 78 bits — comfortably beyond what any current attacker can brute-force.
The word "random" is doing the heavy lifting there. A 16-character password you invented yourself by mashing a memorable phrase has far less entropy than 16 characters chosen by a computer, because human choices are predictable. That's why this tool generates every character from a cryptographically secure random source rather than letting you pick.
How this generator works
Every character is drawn using the browser's crypto.getRandomValues(), the same cryptographically secure pseudo-random number generator used for TLS keys and session tokens — not Math.random(), which is fast but predictable and must never be used for anything security-sensitive. The selection uses rejection sampling so that every character in your chosen set is equally likely; naive approaches that take a random byte modulo the alphabet size introduce a subtle bias toward the first few characters, and this avoids that. The generated password never leaves your device: there is no network request, no logging, and nothing stored.
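The rejection-sampling selection described above, as an added example that is not this tool's own code. The function names and the `fillRandom` parameter are assumptions made for illustration; `fillRandom` exists only so the sampler can be exercised with constructed bytes, and it defaults to `crypto.getRandomValues()`.

```javascript
// Pick an index in [0, n) with every index equally likely.
// fillRandom is a hypothetical injection point (not part of any browser API);
// by default it is the browser CSPRNG, crypto.getRandomValues().
function randomIndex(n, fillRandom = (buf) => globalThis.crypto.getRandomValues(buf)) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("alphabet size must be between 1 and 256");
  }
  // Largest multiple of n that fits in one byte. Bytes at or above it would
  // make the low indices more likely under `byte % n`, so they are discarded.
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  for (;;) {
    fillRandom(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

function generatePassword(length, alphabet, fillRandom) {
  // De-duplicate so a repeated character is not twice as likely as the rest.
  const chars = [...new Set(alphabet)];
  let out = "";
  for (let i = 0; i < length; i++) {
    out += chars[randomIndex(chars.length, fillRandom)];
  }
  return out;
}

// Entropy in bits for L characters drawn uniformly from S symbols: L * log2(S).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// How many of the 256 possible byte values land on each index, with plain
// `byte % n` (reject = false) and with rejection sampling (reject = true).
function byteCounts(n, reject) {
  const limit = reject ? 256 - (256 % n) : 256;
  const counts = new Array(n).fill(0);
  for (let b = 0; b < limit; b++) counts[b % n]++;
  return counts;
}
```

For the 94-character set, `byteCounts(94, false)` shows the first 68 characters receiving three byte values each and the remaining 26 only two, which is the bias the page describes; with rejection every character receives exactly two.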
Length beats complexity
If you have to choose between adding character types and adding length, add length. Going from 12 to 16 characters adds far more entropy than sprinkling in a symbol does, and longer passwords are often easier to handle in a password manager anyway. The old advice to force uppercase-lowercase-digit-symbol on short passwords came from an era before managers were common; modern guidance from NIST explicitly favors length and discourages mandatory composition rules and periodic forced rotation.
Passphrases vs. random strings
A random string like k9$Lm2@pQx7! maximizes entropy per character but is miserable to type or remember. A passphrase — several random words strung together, like correct-horse-battery-staple — trades a little density for a lot of memorability, and with enough words it reaches the same strength. The key word is again random: the words must be chosen by a machine from a large list, not picked because they mean something to you. For anything you store in a password manager, a long random string from this tool is the simplest strong choice. For the handful of passwords you must actually memorize (your manager's master password, your device login), a long passphrase is the better fit.
Practical advice
- Use a password manager. The single biggest improvement you can make is to use a unique, long, random password for every account and let software remember them. Reuse is what turns one breached site into many.
- Turn on two-factor authentication. Even a strong password can be phished. A second factor — an authenticator app or a hardware key — stops most account takeovers cold.
- Length first. 16+ characters for anything that matters; 20+ for the accounts that protect everything else, like your email and your password manager.
- Don't hand-edit generated passwords. Tweaking a random password to be "easier to type" almost always lowers its entropy. Generate, copy, store, move on.
Generate one now
Set the length, choose your character sets, and hit Generate. Copy it straight into your password manager — it's created locally and exists only in your browser until you do.