Home/Dev Tools/Password Generator

Password Generator

Generate

Generate strong, secure passwords with custom length and character rules.

Length — 16 chars
Characters
Count
Input
Loading editor…
✨ AI Code Explanation
Mode

What Is a Password Generator?

A password generator is a tool that creates strong, random passwords by combining characters from a pool you define — uppercase letters, lowercase letters, numbers, and symbols. Good random password generators use a cryptographically secure pseudorandom number generator (CSPRNG) so that results are statistically unpredictable, not just shuffled from a weak source like Math.random(). This free password generator uses the browser's built-in crypto.getRandomValues() — the same API used by password managers like Bitwarden and 1Password.

Strong Password Generator Online — What This Tool Does

Generate strong, random, secure passwords entirely in your browser. Pick a length, toggle character sets (uppercase, lowercase, digits, symbols), optionally exclude ambiguous characters, and choose how many passwords to generate in one batch. Every result shows live entropy bits so you can see exactly how strong each password is. Free, no account, no logs, nothing transmitted.

How to Generate a Strong Password — Step by Step

  1. Set the length to at least 16 characters for regular accounts, 20+ for financial or admin accounts.
  2. Enable all four character sets: A–Z, a–z, 0–9, and !@# (symbols).
  3. Toggle No ambig if the password will be typed by hand (removes i/l/1/O/0).
  4. Use Count to generate multiple options and pick the one you prefer.
  5. Click Copy next to the password you want and paste it into your password manager.
  6. Click Generate at any time to create a fresh batch.

What Makes a Password Strong?

Password strength comes from two factors: length and character variety. A longer password with more possible characters per position means exponentially more combinations an attacker must try. The entropy display (in bits) captures this: length × log₂(charsetSize). Aim for at least 80 bits of entropy — equivalent to a 13-character password using all four character sets (charset size ~95).

How Long Should a Password Be?

  • 12–14 characters — minimum for non-sensitive accounts in 2025.
  • 16–20 characters — recommended for email, banking, social media.
  • 20+ characters — admin accounts, SSH keys, API secrets.
  • 32+ characters — service account passwords stored in a vault (length is free if a manager remembers it).

If you use a password manager, there is no reason to ever go below 20 characters.

Why crypto.getRandomValues() and Not Math.random()?

Math.random() is a pseudo-random number generator designed for simulations — not security. crypto.getRandomValues() uses the OS cryptographic entropy pool, seeded from hardware events. This tool also uses rejection sampling to eliminate modulo bias — every character has an exactly equal probability.

Common Password Mistakes to Avoid

  • Reusing passwords — a breach on one site exposes every site where you use the same password. Check your email at haveibeenpwned.com if unsure.
  • Predictable substitutions — replacing a with @ or o with 0 is well-known to cracking dictionaries.
  • Short memorable words — even with symbols, P@ssw0rd! has less than 30 bits of entropy and falls in seconds.
  • No password manager — keeping weak passwords because you "need to remember them" is avoidable. Use a manager, store 20+ character random strings.
  • Sharing via plain text — never email or Slack a password. Use a manager's share link or a one-time secret service.

Tips & Tricks

  • Batch generate — set Count to 10 or 20 to generate a list of options at once, then pick the one that reads cleanest.
  • No-ambiguous mode for printed credentials — enable No ambig when the password will be typed by hand from a printout or read aloud over a call. Removes i, l, 1, O, 0.
  • Symbols off for CLI passwords — some shells, environment files, and database connection strings choke on certain symbols. Disable symbols and bump length to 24+ to keep entropy high.
  • Treat the entropy number as truth — a 12-character password with all four sets enabled (~78 bits) beats a 20-character password using only lowercase (~94 bits) for some attack models. Length + variety wins.
  • Generate once per account — never reuse a generated password across services. Store each in a manager.

Related Tools

Is My Password Sent to a Server?

No. Every password is generated entirely in your browser using crypto.getRandomValues() — the Web Crypto API backed by your operating system's cryptographic entropy pool. No password is ever transmitted to our servers, logged, or stored. Closing the tab discards all generated passwords. Unlike server-side generators, there is no possibility of interception in transit and no provider log that could later be subpoenaed or breached.