Password Generator
Generate strong, random passwords instantly. Nothing is stored.
🔒 Passwords are generated using crypto.getRandomValues() in your browser. Never sent anywhere.
What Makes a Strong Password?
Length is the single most important factor. A 20-character password made of letters and numbers is exponentially harder to crack than an 8-character password full of symbols. The NIST Special Publication 800-63B guidelines now explicitly recommend prioritising length over complexity rules like mandatory symbols or periodic forced resets.
The strength meter on this tool shows entropy in bits — a measure of how many guesses an attacker would need on average. Each additional bit doubles the guesses required.
How This Generator Works
Passwords are generated using the browser's Web Crypto API (crypto.getRandomValues()), which produces cryptographically secure random numbers — the same quality of randomness used by security software and password managers. This is significantly stronger than Math.random(), which is not suitable for security purposes.
The tool also guarantees that at least one character from each selected character set appears in the output — so if you enable uppercase, numbers, and symbols, the generated password will always contain at least one of each, with the remaining characters filled randomly from the combined pool.
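The scheme described above, as an added example that is not this tool's own code: one guaranteed character per selected set, the rest drawn from the combined pool, all from crypto.getRandomValues(). The character sets, the function names, the rejection sampling and the final shuffle are assumptions of this sketch, since the page does not say how the tool maps random values to characters.

```javascript
// Added example: set contents and names are assumptions, not the tool's code.
const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{}',
};
const AMBIGUOUS = /[0O1lI]/g; // the 0/O and 1/l/I look-alikes
// Browsers expose crypto globally; older Node versions need the webcrypto export.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Uniform integer in [0, n) by rejection sampling, which avoids modulo bias.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function buildPools(selected, excludeAmbiguous) {
  return selected.map((name) =>
    excludeAmbiguous ? SETS[name].replace(AMBIGUOUS, '') : SETS[name]);
}

function generatePassword(length, selected, excludeAmbiguous = false) {
  const pools = buildPools(selected, excludeAmbiguous);
  if (pools.length === 0 || length < pools.length) {
    throw new RangeError('length must cover every selected character set');
  }
  const combined = pools.join('');
  // One guaranteed character per selected set, then fill from the combined pool.
  const chars = pools.map((p) => p[randomBelow(p.length)]);
  while (chars.length < length) chars.push(combined[randomBelow(combined.length)]);
  // Fisher-Yates shuffle so the guaranteed characters do not sit in fixed positions.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// Upper-bound estimate: length * log2(pool size), as a strength meter would show.
function entropyBits(length, selected, excludeAmbiguous = false) {
  const size = buildPools(selected, excludeAmbiguous).join('').length;
  return length * Math.log2(size);
}
```

The length × log2(pool size) figure is an upper bound: requiring one character from each set removes a small fraction of the possible outputs.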
Password Best Practices
- Use a different password for every account. If one site gets breached, attackers try the same password everywhere (credential stuffing). Unique passwords contain the damage.
- Store passwords in a password manager — Bitwarden (open-source, free), 1Password, or KeePassXC. Never in a spreadsheet or browser notes.
- Enable two-factor authentication (2FA) on every account that supports it. Even a weak password becomes much harder to exploit with 2FA active.
- 16 characters minimum for any account you care about. Use 20+ for email, banking, and cloud storage — if those get compromised, everything else follows.
- Avoid the "exclude ambiguous" option for digital passwords. It's useful for passwords you'll type from a printout, but it slightly reduces entropy for passwords you paste from a manager.
- Never use personal information — names, birthdays, pet names, or keyboard patterns (qwerty, 123456). These are the first things any dictionary attack tries.
How to Use This Tool
- Set your desired length using the slider (8–64 characters). For most accounts, 16–20 is the sweet spot.
- Choose your character types — uppercase, lowercase, numbers, symbols. More types = higher entropy.
- Tick Exclude ambiguous if you'll be typing the password manually (avoids confusing 0/O and 1/l/I).
- Click Generate New or use the refresh icon to generate. The entropy strength updates instantly.
- Click Copy Password to copy it to your clipboard, then paste it directly into your password manager.
Frequently Asked Questions
Is this password generator truly random?
Yes. Passwords are generated using crypto.getRandomValues() from the Web Crypto API, which is cryptographically secure. This is the same source of randomness used by password managers and TLS key generation — far stronger than Math.random().
Are my passwords stored or transmitted?
No. Passwords are generated entirely inside your browser. Nothing is sent to any server. We have no way to see, log, or retrieve any password you generate here. Once you close or refresh the tab, it's gone.
How long should my password be?
At least 16 characters for important accounts. NIST SP 800-63B now recommends length over mandatory complexity. A 20-character alphanumeric password is much stronger than an 8-character one with symbols forced in. For email and cloud accounts, go with 20+.
What does entropy mean on the strength meter?
Entropy (in bits) measures unpredictability. Each extra bit doubles the number of guesses an attacker needs. 60 bits requires over a quintillion guesses — already infeasible for most attackers. At 80 bits, even purpose-built cracking hardware would take longer than the age of the universe.
What if a website rejects my generated password?
Some sites have odd restrictions — maximum length limits, or blocking certain symbols. If a password is rejected, uncheck Symbols and regenerate. A 20-character uppercase + lowercase + numbers password still achieves 119 bits of entropy, which is extremely strong.
Should I use a passphrase instead?
Passphrases (random word combinations like "correct horse battery staple") are excellent for master passwords you need to memorise. For everything else — accounts where you paste from a manager — a random character password of 20+ characters is equally strong and arguably better since it has no semantic patterns an attacker could exploit.