Password Generator
Generate strong, random passwords. Configurable length, character classes, and bulk output. Powered by the Web Crypto API.
Last updated: April 2026 ยท Runs in your browser ยท No sign-up
Why randomness matters
A 'random' password isn't useful if the source of randomness is predictable. The Web Crypto API guarantees cryptographically-secure bytes, which means no attacker can replay the PRNG state to reconstruct your password. JavaScript's Math.random() is not secure โ this tool never uses it.
Entropy rule of thumb
- 8 chars, mixed classes: ~50 bits โ crackable offline in days
- 12 chars, mixed classes: ~75 bits โ years of offline cracking
- 16 chars, mixed classes: ~100 bits โ currently infeasible
- 20 chars: comfortable safety margin for the next decade
Frequently Asked Questions
Is this password generator secure?
Yes. It uses the browser's Web Crypto API (crypto.getRandomValues) โ the same cryptographic RNG used by TLS. Nothing is sent to a server.
How long should my password be?
16 characters with mixed classes is the 2026 minimum for ordinary accounts. Banking, email and password-manager master passwords should be 20+ characters or a long passphrase.
Should I avoid ambiguous characters like 0/O and 1/l/I?
Enable 'exclude ambiguous' if you'll type the password manually from a printout. Otherwise leave them in for maximum entropy.
Are generated passwords stored anywhere?
No. They're generated in your browser tab and discarded on reload. Copy into a trusted password manager immediately.
Password vs. passphrase โ which is stronger?
A random 16-char password and a 5-6 word Diceware passphrase have comparable entropy (~75-80 bits). Passphrases are easier to type; random strings are shorter on screen.