Password Generator
Generate strong, cryptographically random passwords and passphrases — instantly, in your browser
Character Sets
Bulk Generate
How Passwords Are Generated
This tool uses the browser’s Web Crypto API (crypto.getRandomValues()) — the same cryptographic randomness source used by password managers and security software. Unlike Math.random(), which is a pseudo-random generator unsuitable for security, crypto.getRandomValues() provides cryptographic-quality entropy backed by the operating system’s secure random source (e.g. /dev/urandom on Linux, CryptGenRandom on Windows).
To avoid modulo bias — a subtle statistical flaw where some values are slightly more likely than others — this tool uses rejection sampling: it discards values that would create an uneven distribution and retries until a fair result is obtained.
Password vs. Passphrase: Which Should You Use?
Random Character Passwords
A 16-character password using all four character types (uppercase, lowercase, numbers, symbols) draws from a pool of approximately 95 characters. That gives:
95¹⁶ ≈ 4.4 × 10³¹ possible combinations
At one trillion guesses per second (the speed of modern dedicated hardware), exhaustive search would take 1.4 × 10¹⁸ years — far longer than the age of the universe.
Best for: API keys, system accounts, password manager master passwords, any context where you won’t need to type it manually.
Word-Based Passphrases
A passphrase like tiger-flame-harbor-bright is built from randomly selected words. With a 220-word list and 4 words:
220⁴ ≈ 2.3 billion combinations
While that’s weaker than a 16-character random password, passphrases are significantly easier to remember and type. For a 5-word passphrase: 220⁵ ≈ 500 billion combinations — strong enough for most purposes.
Best for: Passwords you type regularly, full-disk encryption passphrases, SSH key passphrases, any situation where memorability matters.
Password Strength Scoring
The strength meter evaluates passwords on five factors:
| Factor | Contribution |
|---|---|
| Length ≥ 8 | +1 |
| Length ≥ 12 | +1 |
| Length ≥ 16 | +1 |
| 3+ character types | +1 |
| 4 character types | +1 |
| Repeated characters (aaa, 111) | −1 |
| Sequential characters (abc, 123) | −1 |
| Common patterns (password, qwerty…) | −2 |
The final score (0–4) maps to: Weak → Fair → Good → Strong → Very Strong.
Character Set Options
| Option | Characters | Count |
|---|---|---|
| Uppercase | A–Z | 26 |
| Lowercase | a–z | 26 |
| Numbers | 0–9 | 10 |
| Symbols | `!@#$%^&*()_+-=[]{} | ;:’,.<>?/~“ |
Ambiguous character exclusion removes characters that look similar in many fonts: i, l, 1, L, o, 0, O. This is useful when you need to transcribe a password manually or display it in contexts where the font might cause confusion.
Best Practices for Password Security
Use a password manager. The ideal workflow: generate a unique random password for every account, store it in a password manager (Bitwarden, 1Password, KeePass), and never reuse passwords. You only need to remember one strong master password.
Enable multi-factor authentication. Even the strongest password can be phished. Adding a second factor (TOTP authenticator, hardware key) dramatically reduces the impact of a compromised password.
Never reuse passwords. When a service is breached (and they are), attackers run credential stuffing attacks — trying the leaked password on hundreds of other sites. Unique passwords contain the damage to a single account.
Longer beats complex. A 20-character random lowercase password has 26²⁰ ≈ 1.9 × 10²⁸ combinations. A 12-character password with all character types has 95¹² ≈ 5.4 × 10²³. Length wins — each additional character multiplies the search space by the charset size.
Privacy and Security
All password generation runs entirely in your browser. No passwords, options, or metadata are ever transmitted to a server. The tool has no analytics, no tracking pixels, and no third-party scripts that could intercept your generated passwords. You can verify this by inspecting the page source or checking your browser’s network tab — zero outbound requests during password generation.
Frequently Asked Questions
How many passwords can I generate at once? The bulk generator supports up to 100 passwords per click. Each uses the same options as the main generator. All results can be copied to the clipboard in one click as a newline-separated list.
Can I use a custom symbol set?
Yes. If you need to restrict symbols to a specific set (for example, some systems only accept !@#$), the tool uses your custom symbols when generating. If you leave the field empty, the full default symbol set is used.
What is the session history?
The tool keeps the last 5 generated passwords in memory during your browser session. This is stored only in JavaScript memory — it is never persisted to localStorage, sessionStorage, or cookies. Closing or refreshing the tab clears the history.
Is this better than the password my browser suggests? Browser-generated passwords are also cryptographically secure and are the recommended option when using the browser’s built-in password manager. This tool is useful when you need a specific length, character set, or format that the browser’s suggestion doesn’t support, or when you want a memorable passphrase.