Password Generator
Generate strong, random passwords with a CSPRNG. Pick length, character classes and how many to make at once.
Quick answer: Generate strong, random passwords with a CSPRNG. Pick length, character classes and how many to make at once.
Last updated
Frequently asked questions
- Is this generator cryptographically secure?
- Yes. It uses crypto.getRandomValues() — the Web Crypto CSPRNG that all major browsers ship — and never falls back to Math.random(). Rejection sampling avoids the modulo bias that would otherwise skew the character distribution.
- What length should I use?
- 16 characters with a mixed alphabet (letters + digits + symbols) clears 100 bits of entropy and is uncrackable with current technology. 20+ is sensible for vault master passwords or anything you can't easily rotate.
- Should I include symbols?
- If the site allows them, yes — they roughly double the search space per character. If a site rejects symbols, compensate with a longer password (24+ chars of letters + digits is still very strong).
- Why does each password contain at least one of every selected class?
- Many sites require it ("must contain a number and a symbol"). We seed one of each, then fill the rest randomly and shuffle, so passwords always pass policy without throwing away entropy.
- Are these passwords saved or sent anywhere?
- No. Generation is 100% in your browser — no server call, no logging, no telemetry. Closing the tab discards everything.
- Can I generate many passwords at once?
- Yes — set 'How many' (up to 20). Useful when bulk-creating service accounts or when you want to pick a memorable favourite from a few options.
- Does the strength meter test against breach databases?
- No. The meter scores entropy mathematically (Shannon entropy over the chosen alphabet) — it does not reach out to HaveIBeenPwned or similar. Random passwords from this tool will never appear in such databases anyway, because they have never existed before.
- Why not use a passphrase generator instead?
- Diceware-style passphrases are great for things you have to type. For everything you can paste from a password manager, a fully random 16+ character string is shorter and stronger.
- Are I/l/O/0 excluded automatically?
- No. Excluding lookalikes shrinks the alphabet and weakens passwords; if you need to read one aloud, generate a longer one and accept the visual ambiguity, or use a passphrase tool.
- Can I use this for API keys or tokens?
- Yes — for any opaque secret that just needs to be unguessable, an unstructured 32-character random string is fine. Note that some APIs require a specific prefix or checksum format; in that case use the platform's official key issuer.