Generate strong random passwords -- private, never leaves your browser
Read more: Generate Strong Passwords Without Installing Anything
Password strength is measured in bits of entropy -- the amount of randomness in a password. Entropy is calculated as log2(pool_size) multiplied by the password length. A larger character pool and a longer password both increase entropy, but length has a greater impact. A 20-character lowercase password (~94 bits) is stronger than a 10-character password using all character types (~66 bits).
The key factors that make a password strong are: sufficient length (16+ characters recommended), randomness (generated by a computer, not chosen by a human), and uniqueness (never reused across accounts). Human-chosen passwords tend to follow predictable patterns that attackers exploit through dictionary attacks and rule-based cracking.
This password generator uses your browser's crypto.getRandomValues() API, a cryptographically secure pseudo-random number generator (CSPRNG). Unlike Math.random(), which uses a deterministic algorithm that can be predicted, the CSPRNG draws entropy from hardware sources like interrupt timing, mouse movements, and CPU noise.
The generator builds a character pool from your selected options, then picks characters at random from that pool. It ensures at least one character from each selected category is included, so the password always meets complexity requirements. The entire process runs in your browser -- no password is ever transmitted over the network.
A password generator creates strong, random passwords. A password manager stores and auto-fills those passwords so you do not need to remember them. They solve different problems and work best together: use a generator to create unique passwords, then store them in a password manager.
Popular password managers include Bitwarden, 1Password, and KeePassXC. Most include a built-in generator, but a standalone generator like this one is useful when you need a password outside your manager or want to verify the strength of a generated password independently.
| Use case | Minimum length | Recommended | Entropy (approx.) |
|---|---|---|---|
| General web accounts | 12 | 16 | ~105 bits |
| Email, banking | 16 | 20 | ~131 bits |
| Wi-Fi / WPA2 key | 20 | 24 | ~157 bits |
| Encryption keys | 24 | 32 | ~210 bits |
| Master password | 16 | 20+ | ~131+ bits |
These recommendations assume a password generated randomly from uppercase, lowercase, numbers, and symbols (~6.6 bits per character). Human-chosen passwords have significantly less entropy per character.
Yes. The tool runs entirely in your browser using the Web Crypto API. No passwords are sent to any server, stored in cookies, or logged anywhere. Your password settings (length and character preferences) are saved in localStorage for convenience, but generated passwords are never persisted. You can disconnect from the internet and the tool will continue to work.
Yes. The tool uses crypto.getRandomValues(), the browser's cryptographically secure random number generator. This is the same API used by TLS, WebAuthn, and other security protocols. It is seeded from hardware entropy sources and is not predictable.
Including symbols increases the character pool from ~62 to ~95 characters, adding about 0.6 bits of entropy per character. For a 16-character password, that is roughly 10 extra bits of entropy. While helpful, increasing password length by even 2-3 characters has a greater effect. If a site does not accept certain symbols, you can safely disable them and compensate with a slightly longer password.
For most online accounts, 16 characters is a strong default that provides over 100 bits of entropy with a full character set. For high-value accounts (email, banking, password manager master password), use 20+ characters. There is no practical downside to longer passwords when using a password manager.