Password Generator
Generate cryptographically random passwords in your browser using crypto.getRandomValues() — no passwords are transmitted or stored.
Last reviewed 2026-06-19.
How password strength is measured
Strength is calculated from entropy — the number of bits of unpredictability in the password. Each character drawn from a pool of N possible characters contributes log₂(N) bits; a password of length L gives L × log₂(N) bits total.
| Entropy | Rating | Approximate crack time (fast GPU) |
|---|---|---|
| < 40 bits | Weak | Seconds to hours |
| 40–59 bits | Fair | Hours to weeks |
| 60–79 bits | Strong | Centuries |
| ≥ 80 bits | Very Strong | Longer than the age of the universe |
Example: a 16-character password from a mixed pool of 86 characters (uppercase + lowercase + digits + symbols) has 16 × log₂(86) ≈ 102.8 bits — comfortably in the "Very Strong" range and infeasible to brute-force with any current hardware.
Password security tips
- Length beats complexity. A 20-character lowercase-only password is far stronger than an 8-character mixed-case password. Entropy scales linearly with length but only logarithmically with pool size.
- Use a unique password for every account. Credential reuse is the most common cause of real-world account takeovers. Password managers make this easy.
- Never use dictionary words or personal information. Birthdays, names, and common word substitutions (p@ssw0rd) are the first things dictionary attacks try.
- Enable two-factor authentication (2FA) wherever possible. Even a compromised password cannot be used without the second factor.
- Store passwords in a manager (Bitwarden, 1Password, KeePass, Apple Passwords). Never write them down or reuse them.
Character sets used
| Set | Characters | Pool size |
|---|---|---|
| Uppercase | A–Z | 26 (24 excl. ambiguous) |
| Lowercase | a–z | 26 (23 excl. ambiguous) |
| Numbers | 0–9 | 10 (8 excl. ambiguous) |
| Symbols | `!@#$%^&*()-_=+[]{}\|;:,.?` | 24 |
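The generation and scoring described above, as an added example (not this page's own source code): each character is drawn with crypto.getRandomValues() using rejection sampling, so the 86-character pool is sampled uniformly, and the result is scored with L × log₂(N). Function and variable names are illustrative assumptions, and the ambiguous-character exclusion is left out.

```javascript
// Added example: pools copied from the "Character sets used" table.
const POOLS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{}|;:,.?',
};

// Web Crypto is global in browsers and recent Node; fall back to node:crypto under CommonJS.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Uniform integer in [0, n) by rejection sampling. Using `byte % n` directly
// would favour low indices whenever 256 is not a multiple of n (e.g. n = 86).
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('pool size must be between 1 and 256');
  }
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Build the pool from the selected sets and draw `length` independent characters.
function generatePassword(length, sets = Object.keys(POOLS)) {
  const pool = sets.map((s) => {
    if (!Object.hasOwn(POOLS, s)) throw new Error(`unknown character set: ${s}`);
    return POOLS[s];
  }).join('');
  let password = '';
  for (let i = 0; i < length; i++) password += pool[uniformIndex(pool.length)];
  return { password, poolSize: pool.length };
}

// L × log2(N); valid only because every character is drawn independently and uniformly.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Thresholds taken from the entropy rating table on this page.
function rating(bits) {
  if (bits < 40) return 'Weak';
  if (bits < 60) return 'Fair';
  if (bits < 80) return 'Strong';
  return 'Very Strong';
}
```

The formula does not apply to passwords a person chose: it measures the generator's randomness, not the resulting string.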
Frequently asked questions
- Is this password generator truly random?
- Yes. This generator uses your browser's built-in crypto.getRandomValues() API, which draws entropy from the operating system's CSPRNG (cryptographically secure pseudo-random number generator). Unlike Math.random(), which is not designed for security, crypto.getRandomValues() is the standard used by password managers, TLS, and other cryptographic software.
- Does my password leave the browser?
- No. Password generation happens entirely in your browser using local CPU and OS entropy. Nothing is uploaded, transmitted or logged. The page also works offline once loaded.
- How long should a password be?
- Length is the single most important factor. A random 16-character password drawn from a mixed pool produces around 100 bits of entropy — effectively uncrackable by any current hardware. Most security experts recommend at least 16 characters for general use and 20+ for high-value accounts. Short passwords (8 characters or fewer) can be brute-forced in hours even with complex character sets.
- What does "exclude ambiguous characters" do?
- It removes characters that look similar in some fonts: uppercase I (looks like lowercase l or digit 1), uppercase O (looks like digit 0), lowercase l and digit 1, lowercase o and digit 0. Excluding them makes the password easier to read and transcribe if you ever need to type it manually. The entropy reduction is small — typically 3–5 bits — and usually worth the reduced transcription errors.
- What is password entropy and how is it calculated?
- Entropy, measured in bits, is a mathematical measure of unpredictability. A password drawn randomly from a pool of N distinct characters has log₂(N) bits of entropy per character; a password of length L therefore has L × log₂(N) bits total. As a practical guide: below 40 bits is weak (minutes to crack), 40–59 bits is fair (hours to days), 60–79 bits is strong (years with current hardware), and 80+ bits is very strong (infeasible with any foreseeable hardware).
- Should I use a password manager?
- Yes, strongly. A password manager (Bitwarden, 1Password, KeePass, Apple Passwords, or similar) stores your passwords encrypted behind a single master password. This lets you use a unique, long, random password for every site — eliminating credential reuse, which is the most common cause of account takeovers. Generate a fresh password here for each account and let the manager remember it.