Secure Password Generator
Build strong, unpredictable passwords with the length and character sets you choose. Generated locally in your browser with the Web Crypto API โ nothing is ever transmitted.
About this password generator
A strong password is one an attacker cannot guess and cannot brute-force in any reasonable amount of time. This generator gives you both: it draws every character from a cryptographically secure random source and lets you make passwords long enough to resist even large-scale guessing.
Under the hood it uses crypto.getRandomValues(), the browser's built-in cryptographic random number generator, together with rejection sampling so that every character in your selected sets is equally likely. That matters โ the more common Math.random() is not designed for security and can be predictable, so we never use it here.
Your password is generated in your own browser and displayed only on this page. It is never sent to a server, never logged, and never stored. Refresh the page and it is gone forever. You can turn off your internet connection and this tool still works.
Choosing good options
- Length beats complexity. A 20-character password is dramatically harder to crack than an 8-character one, even with fewer symbols.
- Use a password manager. Generate a unique password for every site and let the manager remember them โ you never need to memorise or reuse anything.
- Avoid ambiguous characters only when you must type or dictate a password by hand; it shrinks the pool slightly.
The strength meter shows estimated entropy in bits โ roughly the base-2 logarithm of how many possible passwords your settings could produce. More bits means exponentially more guessing for an attacker. If security online interests you, our guide on what TLS/SSL is explains how your credentials are protected in transit, and browser fingerprinting covers other ways sites can identify you.
Need other secrets? Try our token & API key generator or the UUID generator.
Frequently asked questions
Are these passwords generated on a server?
No. Every password is created entirely inside your browser using the Web Crypto API (crypto.getRandomValues). Nothing is sent over the network, logged, or stored anywhere. You can even disconnect from the internet and the tool keeps working.
How random are the passwords?
They use crypto.getRandomValues, a cryptographically secure random number generator built into modern browsers. Characters are selected with rejection sampling so every character in your chosen sets is equally likely โ there is no bias, unlike Math.random.
How long should my password be?
For most accounts, 16 characters mixing upper, lower, digits and symbols is very strong. For high-value accounts or master passwords, use 20 or more. Longer is always stronger โ the strength meter shows the estimated entropy in bits so you can compare choices.
What does "avoid ambiguous characters" do?
It removes characters that are easy to confuse when typed or read aloud, such as 0 and O, or 1, l and I. This is handy for passwords you will copy by hand, though it slightly reduces the character pool.
Want the theory? Read the guides โ ยท Visit the zoo โ