Password generator
Generate a strong random password using your browser's cryptographic random source. Nothing is logged, transmitted, or stored.
What this tool does
The password generator produces a random password using your browser's cryptographically secure random source (crypto.getRandomValues). You control the length and which character sets are included. The output never leaves your browser.
How strong is "strong"?
Password strength is measured in bits of entropy. Each bit doubles the number of possible passwords. A 50-bit password has roughly a quadrillion possibilities; an 80-bit password has more than a septillion. The "brute-force time" estimate above assumes ten billion guesses per second, which is roughly what a well-funded attacker with custom hardware can do today on offline hashes. Online services have far stricter rate limits.
For most accounts, anything above 60 bits is safe; above 80 bits is overkill. For things you want to protect for decades — backup encryption keys, password-manager master passwords — aim for 100+ bits.
Why random characters, not memorable words?
Memorable passwords ("correct horse battery staple") are great for the handful of things you have to type by hand. For everything else, use a password manager and let it generate fully random passwords like this tool produces. Random character strings are roughly twice as strong per character as random word strings — they pack more entropy into less space.
Which character sets to include
Some services don't accept symbols, or have weird rules about which ones. If a site rejects the generated password, turn off symbols or shorten the length and try again. Modern guidance (NIST SP 800-63B) explicitly says that composition rules don't actually improve security — a 30-character lowercase-only password is far stronger than an 8-character "complex" one. Length always wins.
Excluding ambiguous characters
The "Exclude ambiguous" toggle removes l, 1, I, O, and 0 — characters that look alike in many fonts. Useful when you'll be reading the password off a screen and typing it on another device. It reduces the alphabet slightly; compensate by increasing the length by one or two.
Why this is safer than a website
Many "password generator" sites generate the password on their server, log it, and send it back. Even if the site is well-intentioned, an interception attack can leak every password generated. This tool generates entirely in your browser using a primitive (crypto.getRandomValues) that is required by the Web Crypto API to be a cryptographically secure source. You can confirm this by opening the browser's developer tools and watching the Network tab as you generate — no outgoing requests carry the password.
Privacy
Nothing is logged, transmitted, or stored. The password is gone the moment you close the tab.
Frequently asked questions
Is this really secure?
crypto.getRandomValues, the same cryptographically secure random source used by browser HTTPS implementations. Generated passwords never leave your device.