FlexUtil

Secure Password Generator

Generate cryptographically secure passwords with custom length and character sets.

By Sergei Selivanov

Credential stuffing, fed by database breaches, is the most common way personal accounts are compromised. Once a password leaks from one site, attackers try it against every major service (email, bank, cloud storage) on the assumption that most people reuse passwords, and most do. The defense is boring and effective: a unique, high-entropy password for every account, stored in a password manager. This generator produces those passwords using cryptographically secure randomness, entirely in your browser.

What makes a password strong

Password strength is measured in entropy, typically expressed in bits. One bit of entropy doubles the number of guesses an attacker must make. The entropy of a random password depends on two things:

  • Character pool size (N) — how many symbols the generator could have picked from
  • Length (L) — how many positions the password occupies

The formula is entropy ≈ L × log₂(N).

Pool                     Size   Bits per character
Digits only                10   3.32
Lowercase letters          26   4.70
Alphanumeric               62   5.95
Alphanumeric + symbols     94   6.55

So a 12-character password from the full 94-character set has about 79 bits of entropy; a 16-character password has about 105 bits. For comparison, a 128-bit AES key is considered computationally unbreakable with current technology. Anything above 80 bits is effectively safe from offline brute-force; above 100 bits is safe against even fabulously resourced attackers. These thresholds assume the worst case: the attacker has stolen the password hash and can test guesses offline at GPU speed against a fast hash like MD5 or SHA-1. A site that stores passwords with a slow hash such as bcrypt or Argon2 makes every guess far more expensive, but you cannot see how a site hashes, so do not count on it.

Length beats complexity

A 20-character lowercase-only password (94 bits) is stronger than a 10-character password with mixed case, digits, and symbols (65 bits). The rule of thumb:

  • Generated, stored in a manager: 16–20 characters, full character set. No need to memorize.
  • Manually typed regularly (device login, master password): use a passphrase of 5–7 random words. From a 7,776-word list (like EFF's diceware list), each word contributes about 12.9 bits: five words give about 65 bits, six about 78, and seven about 90, and "correct horse battery staple" style phrases are far easier to type correctly than J8#qL!nP@x2W.
  • Low-security sites where you must memorize: still aim for 12+ characters; consider the passphrase approach.

How this generator gets randomness

The browser offers two sources of randomness:

  • Math.random() — fast, but produces predictable pseudo-random sequences. Never use it for anything security-sensitive.
  • crypto.getRandomValues() — the Web Crypto API, which delegates to the OS entropy pool (the getrandom() system call or /dev/urandom on Linux, BCryptGenRandom on Windows, SecRandomCopyBytes on macOS). Designed to be cryptographically secure; the OS seeds it from hardware noise and keeps it unpredictable across processes.

This tool uses crypto.getRandomValues() for every character. Each position is selected uniformly at random from your chosen character set, with rejection sampling so there is no modulo bias. Modulo bias is the subtle flaw you get by reducing a random value to a pool of N symbols with a plain `value % N`: when N does not evenly divide the generator's output range, the first few symbols in the pool come up slightly more often than the rest. Rejection sampling discards any raw value at or above the largest multiple of N that fits in the range and draws again, so every symbol is exactly equally likely.

How to use this tool

  1. Choose a length. Aim for 16+ unless a site has a strict cap.
  2. Toggle the character classes: uppercase, lowercase, digits, symbols. For broader pools, keep them all on.
  3. Optionally toggle "exclude ambiguous characters" (0, O, 1, l, I) if you will ever need to transcribe the password by hand. This shrinks the full pool from 94 to 89 symbols, which costs about 0.08 bits per character (roughly 1.3 bits on a 16-character password), a negligible price for legibility.
  4. Click Generate for a new password; click Copy to put it on the clipboard.

Password hygiene beyond the generator

A strong password is necessary but not sufficient. The rest of the picture:

  • Never reuse passwords across accounts. If one breach exposes a password, every reusing site is instantly compromised.
  • Use a password manager. Built-in options (Apple Keychain, Google Password Manager, Microsoft Authenticator) and dedicated tools (1Password, Bitwarden, KeePassXC) all solve the problem. Picking one matters more than which one.
  • Enable multi-factor authentication, especially on email. Your email account is the “master key” to most password resets; if it is protected only by a password, so is everything else.
  • Prefer passkeys when available. A passkey (WebAuthn) replaces the password with a public-key pair: the private key stays on your device (or in your platform's synced credential store) and only ever produces a signature bound to the real site's origin, so there is nothing for a breach to leak and nothing a phishing page can capture and replay. Credential stuffing and phishing simply do not apply.
  • Audit breaches periodically via Have I Been Pwned or your password manager’s built-in breach alerts. Rotate any password that appears in a known dump.

Worked example

A site caps passwords at 12 characters and requires "mixed case, digits, and one symbol." The character pool is 94, so entropy is 12 × log₂(94) ≈ 78.6 bits. That is within the safe-against-offline-brute-force zone but below the ideal. If the site allows it, bump to 16 characters (about 105 bits) and the password is effectively unbreakable. The "one symbol" rule costs almost nothing when the password is random: the chance that 12 uniform draws from the 94-symbol pool contain no symbol at all is (62/94)¹² ≈ 0.7%, so simply regenerate on the rare miss.

Contrast this with a user-chosen password like Summer2024! — nominally 11 characters with mixed case, digits, and a symbol, but attackers use wordlists and masks that reduce the effective search space to tens of millions of guesses, crackable on a GPU in seconds.

Frequently asked questions

How often should I change my passwords?

Historical advice of “every 90 days” has been deprecated by NIST and most modern security guidance. Rotate passwords when they are known to be exposed (breach notification, shared by mistake, typed on a suspicious device). Arbitrary rotation encourages weaker, incrementally-tweaked passwords.

Is a long passphrase really as good as a random string?

Yes, if the words are randomly selected from a large list. "correct horse battery staple" (the XKCD example) is about 44 bits: four words at roughly 11 bits each, which is not great. Seven truly random words from a 7,776-word list is 90 bits, which is very good. Humans are extremely bad at picking "random" words, so use a tool or dice.

Can I trust that this generator is truly random?

The output comes directly from crypto.getRandomValues(), which is specified by the W3C and implemented by the browser vendors against the OS entropy pool. You can inspect the source of this page; the generation code is short and runs entirely client-side. No generated password is ever transmitted.

Should I avoid certain symbols?

Only when a service has a broken validator or you need to type the password into a system with a different keyboard layout. Most common “problem characters” (<, >, ", &, ;) are handled correctly by modern sites; when they are not, that is a red flag about the site’s security practices.

What about password “strength meters” on signup forms?

They are approximations, often wrong. A meter that rates P@ssw0rd1 as “strong” is relying on a character-class heuristic that attackers have defeated for a decade. Trust entropy math and a generator, not a green bar.

Privacy note

Every password is generated locally by your browser using the Web Crypto API. Nothing leaves your device; no password you generate here can be seen by anyone else.