Password Generator

Generate strong, cryptographically secure passwords directly in your browser — nothing sent to any server.

Frequently Asked Questions

Passwords are generated using the browser's crypto.getRandomValues() API, which uses the operating system's cryptographically secure pseudo-random number generator (CSPRNG). This is the same source of entropy used by security-sensitive applications. No passwords are ever sent to a server.

A strong password is long (16+ characters), uses all four character classes (uppercase, lowercase, numbers, symbols), has no recognizable words or patterns, and is unique per account. Aim for at least 128 bits of entropy for high-security use cases — this tool shows the entropy in bits for each generated password.

16 characters is the recommended minimum for general accounts in 2024; aim for 20+ for financial, email, and administrative accounts. NIST SP 800-63B recommends allowing passwords up to at least 64 characters and not enforcing complexity rules that reduce effective length. Length matters more than complexity: a random 16-character lowercase-only password has ~75 bits of entropy (26¹⁶) — far stronger than an 8-character mixed-case password with symbols (~52 bits). For high-security systems, use 32 or more characters.

Entropy measures unpredictability in bits. Each bit of entropy doubles the number of possible passwords an attacker must try. Formula: entropy = length × log₂(alphabet size). A password from a 95-character alphabet (printable ASCII) at 16 characters has 16 × log₂(95) ≈ 105 bits of entropy. At 128 bits, a brute-force attack is computationally infeasible even with nation-state resources — it would take longer than the age of the universe on current hardware. This tool calculates and displays the entropy for your generated password.

Both can be strong; the choice is a usability vs memorability tradeoff. A random password (e.g., kX#9mLqP!r2vZw) maximizes entropy-per-character but is hard to memorize. A passphrase using the Diceware method (e.g., correct-horse-battery-staple) is longer in characters but easier to type and remember. Each word drawn at random from a 7,776-word list adds ~12.9 bits, so 4 words give only ~51 bits in total; use 6+ words for strong security (~77 bits). For accounts you must type regularly, a passphrase wins; for everything else stored in a password manager, use a random password.

Use a reputable password manager — Bitwarden, 1Password, KeePass, or your browser's built-in vault. Password managers store each credential encrypted and auto-fill it, so you only need to remember one strong master password. Never reuse passwords across sites, never store them in plain-text files or spreadsheets, and never email passwords to yourself. Enable two-factor authentication (2FA) on your password manager account as an additional layer of protection.

NIST SP 800-63B (Digital Identity Guidelines) updated the conventional wisdom significantly. Key recommendations: allow passwords up to at least 64 characters; do not require periodic password changes unless there is evidence of compromise; do not impose composition rules (e.g., "must have a symbol") that users work around with predictable patterns; check passwords against a list of known-compromised passwords (for example, Have I Been Pwned's dataset); support paste in password fields to enable password managers; use a CSPRNG for generated passwords.

Dictionary attacks are brute-force attacks that try common words, names, and phrases before random character combinations. A password like Summer2024! contains predictable patterns (capitalized word + year + symbol) that reduce the effective search space from billions of combinations to thousands. Attackers use pre-built lists of hundreds of millions of known passwords from data breaches. If any component of your password is a recognizable word, name, date, or common substitution (like @ for a), it is vulnerable. Always use passwords generated by a CSPRNG with no dictionary words.

Modern guidance from NIST and security researchers says: do not change passwords on a fixed schedule if they are strong and unique. Forced rotation leads users to make predictable small changes (Password1 → Password2). You should change a password immediately if: there is a data breach involving that service (check haveibeenpwned.com), you suspect it was seen by someone else, or you shared it temporarily. For most accounts, a long random unique password stored in a password manager is more effective than frequent rotation.

A password is a human-chosen (or generated) secret used to authenticate a person, typically transmitted with a username. An API key is a machine-generated token used to authenticate a program or service — it is typically 32–64 random characters (high entropy), transmitted in HTTP headers (Authorization: Bearer …), and rotated programmatically. Unlike passwords, API keys are never hashed on the server side by bcrypt — they are either stored as a hash (SHA-256) for comparison or split into an identifier + secret, similar to how a username + password pair works.

About This Password Generator

This free password generator creates cryptographically random passwords with configurable length and character sets — uppercase letters, lowercase letters, digits, and symbols. All generation happens in your browser using the Web Crypto API; no passwords are transmitted or stored.

Strong passwords are long (12+ characters) and drawn from a large character set. Cryptographic randomness (not Math.random()) is essential for security — the Web Crypto API ensures the output is unpredictable.

When to use this tool

  • Generating a strong master password for a password manager
  • Creating random passwords for test and service accounts
  • Meeting specific password policy character requirements
  • Producing credentials for database users or API services

How the Password Generator Works

Every password is built from cryptographically secure random data — the same source of entropy used in security-critical software.

Build Character Pool

The selected character classes (uppercase, lowercase, digits, symbols) are combined into a pool string. Ambiguous characters (0 O l I 1) can be excluded to improve human readability.

Cryptographic Randomness

The browser's crypto.getRandomValues() fills a Uint32Array with OS-level random bytes. The value modulo the pool length selects a character — no predictable pattern is ever introduced.

Entropy Estimation

Strength is shown as entropy in bits: log₂(pool_size^length) = length × log₂(pool_size). A 16-char password from all classes has ~105 bits — far beyond what any brute-force attack can realistically reach.
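
The three steps above as an added JavaScript example (not this tool's own code; the function names and the 94-character pool, printable ASCII without the space, are assumptions). It swaps the plain modulo step for rejection sampling, because a bare `value % pool.length` slightly favours the first characters of the pool whenever the pool size does not divide 2³².

```javascript
// Added example: pool building, unbiased selection, entropy estimate.
// Node fallback so the snippet also runs outside a browser.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const CLASSES = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // 32 printable ASCII symbols
};
const AMBIGUOUS = new Set('0Ol1I'); // the look-alikes the page lists

// Combine the selected classes into one pool, optionally dropping look-alikes.
function buildPool(selected, excludeAmbiguous = false) {
  if (selected.length === 0) throw new Error('select at least one class');
  const chars = selected.map((name) => CLASSES[name]).join('');
  return [...chars].filter((c) => !(excludeAmbiguous && AMBIGUOUS.has(c)));
}

// Uniform integer in [0, n): discard draws that fall in the incomplete final
// block of the 32-bit range, so every index is exactly equally likely.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, pool) {
  let out = '';
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return out;
}

// entropy = length × log2(alphabet size)
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

const pool = buildPool(['upper', 'lower', 'digits', 'symbols']);
console.log(generatePassword(16, pool), Math.round(entropyBits(16, pool.length)), 'bits');
```

Excluding the five ambiguous characters shrinks the pool to 89 and costs about 1.3 bits on a 16-character password, which one extra character more than recovers.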

Common Use Cases

User Account Credentials

Generate unique passwords for every account you create — email, banking, work systems. Using the same password across services means one breach exposes everything.

Service & API Passwords

Database passwords, SMTP credentials, and admin panel access should all use long random passwords (24+ characters) since they're stored in config and never typed manually.

Temporary Passwords

When resetting a user's password, generate a temporary one here and immediately prompt the user to change it on next login. 12-character alphanumeric is a good balance of security and usability.

Wi-Fi Passphrases

WPA2/WPA3 passphrases should be at least 12 characters. A longer alphanumeric passphrase (20–32 characters) typed once into devices is both strong and manageable.

Encryption Keys & Secrets

App secret keys, JWT signing secrets, and encryption passphrases benefit from maximum randomness. Use 32+ characters with all classes, or use the Random String Generator for hex-encoded keys.

Bulk Account Setup

Use the count selector to generate up to 20 unique passwords at once — useful when provisioning multiple user accounts or testing environments that each require distinct credentials.

Related Articles

Why a Strong Password Isn't Enough: Credential Stuffing and the Case for Unique Passwords Everywhere

A password can be long, random, and never appear in any breach — and still get your account compromised, because the attack that actually breaks most accounts isn't guessing your password, it's trying a password that worked on a completely different site you used years ago. Here's how credential stuffing works, why password "strength" is irrelevant to this specific attack, and why a generator-plus-manager combination — making unique-per-site passwords practically achievable — directly closes this vector.

Jun 16, 2026
Passkeys: How FIDO2/WebAuthn Works and Why It's Replacing Passwords

Passkeys store a private key on your device and register only the public key with the website — there's nothing to phish, breach, or reuse. Here's how FIDO2/WebAuthn registration and authentication work, the difference between platform passkeys (iCloud, Google) and hardware keys, and the current state of passkey adoption.

Jun 13, 2026
Password Managers: How Zero-Knowledge Encryption Works and Which One to Choose

Credential stuffing is the main threat, and unique passwords are the defence — but only a password manager makes that practical at scale. Here's how zero-knowledge encryption works, Bitwarden vs 1Password vs KeePass compared, and how to set up recovery.

Jun 9, 2026
Why "P@ssw0rd1" Still Gets Cracked: What Password Strength Actually Means

Most passwords that "pass" complexity rules are still cracked in minutes. Here's how attackers actually work, what password entropy means, and why random generation beats human-chosen passwords every time.

Jun 7, 2026
Password Generator — Create Strong, Random Passwords Instantly

Learn what makes a password truly strong, why human-invented passwords fail, and how to use a free password generator to create cryptographically random credentials for every account.

Jun 6, 2026