Password Generator

Create strong, random passwords right in your browser. Nothing is sent anywhere or stored — every password is generated locally with cryptographic randomness.

Your Password

Strength
Entropy

What Makes a Password Strong

Strength comes from entropy — the number of equally likely possibilities an attacker must try. Entropy grows with length and character variety: each character drawn from a 94-symbol set adds about 6.6 bits. A random 16-character mixed password has ~105 bits of entropy; at a trillion guesses per second, cracking it would take longer than the age of the universe.

  • Under 40 bits: weak — crackable in hours
  • 40-60 bits: fair — resists casual attacks only
  • 60-80 bits: strong — fine for most accounts
  • 80+ bits: excellent — suitable for password managers and encryption keys

Is This Generator Safe?

Yes. Passwords are produced by crypto.getRandomValues(), the same cryptographically secure random source browsers use for encryption — not the predictable Math.random(). Generation happens entirely on your device: the password never travels over the network, is never logged, and disappears when you leave the page.

Password Hygiene That Actually Matters

  • Unique per site: reuse is the #1 cause of account takeovers — one breached site exposes every account sharing that password.
  • Use a password manager: it makes unique 20+ character passwords effortless.
  • Length beats complexity rules: a 20-character password with two character types beats a contorted 8-character one.
  • Turn on 2FA: two-factor authentication protects you even if the password leaks.
  • Don't rotate without reason: modern guidance (NIST) says change passwords when compromised, not on a schedule.

Frequently Asked Questions

Is this password generator safe to use?

Yes. Passwords are generated entirely in your browser using the cryptographically secure Web Crypto API. Nothing is sent to or stored on any server.

How long should a password be?

At least 16 characters for important accounts. Each extra character multiplies the time needed to crack it — a random 16-character password with mixed character types would take centuries to brute-force.

Should I use a different password for every site?

Yes. Reused passwords mean one data breach exposes all your accounts. Use a password manager to generate and store a unique password per site.

What does "exclude look-alikes" do?

It removes characters that are easy to confuse when reading or typing a password manually: lowercase l, the digit 1, uppercase I, uppercase O, and zero. Use it for passwords you'll ever need to type by hand or read over the phone.