Password Generator
Generate strong, cryptographically secure random passwords. Free, private — all processing in your browser.
The Password Generator creates strong, random, cryptographically secure passwords that resist brute-force attacks, dictionary attacks, and credential stuffing. With a single click you get a unique password that meets the length and complexity requirements of any modern account — web apps, cloud consoles, email, databases, SSH keys, Wi-Fi routers, or disk encryption. Every password is generated locally in your browser using the Web Crypto API (crypto.getRandomValues), the same cryptographic random source used by TLS and modern browsers for key generation. Your passwords never touch our servers.
Password reuse is the single biggest cause of account takeovers. When one site gets breached, attackers try the leaked credentials on every other service. A unique, random password per account — stored in a reputable password manager like 1Password, Bitwarden, or your browser's built-in manager — eliminates this entire class of attacks. Use this tool to generate one password at a time, or bulk-generate 100 passwords at once for batch provisioning. Customize length (8 to 128 characters), character classes (uppercase, lowercase, digits, symbols), exclude ambiguous characters (0/O, 1/l/I), or switch to passphrase mode for memorable human-friendly passwords.
Password Generator — key features
Cryptographically secure randomness
Uses Web Crypto API (crypto.getRandomValues), the same CSPRNG used by TLS. Not Math.random. Suitable for real cryptographic use.
Customizable length
Generate passwords from 8 to 128 characters. Longer is always stronger. We recommend 16+ for most accounts, 20+ for critical accounts.
Character class toggles
Include or exclude uppercase letters, lowercase letters, digits, and symbols. Every enabled class guarantees at least one character of that type in the output.
Exclude ambiguous characters
Remove visually similar characters (0/O, 1/l/I, {, }, ``, etc.) to avoid transcription errors when typing passwords manually or reading them from printed lists.
Passphrase mode
Generate human-memorable passphrases using Diceware-style word lists. 6 words ≈ 77 bits of entropy — strong and easy to remember.
Bulk generation
Generate up to 100 unique passwords at once. Useful for provisioning multiple service accounts, test fixtures, or one-time access credentials.
Real-time strength meter
See the estimated entropy (in bits) and crack time for every generated password. Know exactly how strong your password is.
Copy and download
Copy to clipboard with one click, or download bulk-generated passwords as a CSV or TXT file for secure storage in your password manager.
No tracking, no logging
Passwords are generated entirely in your browser. Nothing is transmitted, stored, or analyzed. Open the Network tab in DevTools to verify zero outbound requests.
How to use the Password Generator
1. Choose password length: Set the length slider. 12 characters minimum, 16+ recommended for most accounts, 20+ for high-value accounts (banking, email, crypto wallets).
2. Select character classes: Enable uppercase, lowercase, digits, and symbols. More classes means more entropy per character. For systems that reject symbols, disable them — but increase length to compensate.
3. Exclude ambiguous characters if needed: Enable this if you will ever need to read the password off a screen or printed page. Skips characters that look similar in common fonts.
4. Click Generate: A new password appears instantly. Click Generate again for a different one. The strength meter shows how resistant it is to brute force.
5. Copy to your password manager: Click Copy and paste into your password manager (1Password, Bitwarden, KeePass, etc.). Never memorize and reuse — let the manager store one unique password per account.
6. For passphrases, switch to passphrase mode: If the account allows long passwords and you need to type it occasionally, use passphrase mode. 6 words separated by hyphens is typical.
Common use cases for the Password Generator
Personal and workplace accounts
- →Email accounts: Email is the master key to most other accounts (password reset). Use 20+ character passwords with all character classes.
- →Banking and finance: Banks, brokers, and crypto exchanges should have their own unique 20+ character password and two-factor authentication.
- →Social media: Compromised social accounts can be used for phishing your contacts. Use 16+ characters, unique per platform.
- →Work SaaS accounts: Slack, Notion, Jira, GitHub, Google Workspace — each needs a unique password. Use your company's SSO or password manager.
Server and infrastructure
- →SSH passphrases: When generating SSH keys with ssh-keygen, protect the private key with a strong passphrase.
- →Database root passwords: PostgreSQL, MySQL, Redis — root/admin accounts need 20+ character random passwords stored in a secrets manager.
- →Wi-Fi WPA3 passwords: Home and office Wi-Fi. 20+ characters or a 4-6 word passphrase.
- →Encryption keys: BitLocker, FileVault, LUKS, VeraCrypt — full disk encryption keys. Use 20+ characters minimum.
Development and DevOps
- →API keys for development environments: Staging, QA, and development API keys should be rotated regularly and stored in secret managers (AWS Secrets Manager, HashiCorp Vault).
- →Service account passwords: Machine-to-machine accounts need strong random passwords too — but prefer API keys and short-lived tokens where possible.
- →Temporary one-time passwords: Account provisioning workflows often require temporary passwords sent to users, which they must change on first login.
- →Test data and fixtures: Use random passwords in test fixtures (never real production passwords) to avoid accidental reuse.
Memorable passphrases
- →Master password for password manager: The one password you must remember. A 6-word Diceware passphrase is strong and memorable.
- →Laptop login password: You type it often, so use a passphrase you can type fluently instead of random characters.
- →Password to read aloud: If someone needs to tell a password over the phone, passphrases are far easier than random strings.
Password Generator — examples
16-character strong password
Balanced length for most accounts.
Settings: 16 chars, all classes, no ambiguous
xK7#nP9$wE3@vR2m
20-character critical-account password
Recommended for email, banking, admin accounts.
Settings: 20 chars, all classes
qP$3vN7!xK2@mR9#bL4t
32-character password for encryption keys
Used for disk encryption, master keys, production secrets.
Settings: 32 chars, all classes
F7q!Kp3#Nm9@vR2$xL4&bT8*cJ6Y+wE1n
Passphrase mode (6 words)
Memorable, strong — good for master passwords.
Settings: passphrase, 6 words, hyphen separator
mountain-orbit-glass-whisker-radar-turmeric
PIN-style numeric password
For systems that only accept digits (old ATMs, some voicemail).
Settings: 8 chars, digits only
47295831
Pronounceable (no symbols, mixed case)
For systems with strict character rules.
Settings: 14 chars, letters + digits, no symbols
Kx7Pn3Mv2Lqr8T
Technical details
This tool uses the Web Crypto API (window.crypto.getRandomValues()) — a cryptographically secure pseudo-random number generator (CSPRNG) available in all modern browsers. It is seeded by the operating system's entropy pool (hardware random number generators, timing jitter, user input) and is suitable for cryptographic purposes including password generation, key generation, and session token creation. It is not the same as Math.random(), which is fast but predictable and must never be used for security.
Password entropy is the measure of unpredictability, expressed in bits. Entropy is calculated as log2(alphabet_size ^ length). Examples:
- 8 characters, lowercase only (26 alphabet): ~37.6 bits — weak, crackable in hours
- 12 characters, mixed case + digits (62 alphabet): ~71.4 bits — strong for most accounts
- 16 characters, all printable ASCII (94 alphabet): ~105 bits — strong for high-value accounts
- 20 characters, all printable ASCII: ~131 bits — resistant to nation-state attacks
- 6-word Diceware passphrase (~7776 word list): ~77.5 bits — strong, memorable
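The generation steps this page describes (a CSPRNG draw, at least one character from every enabled class, optional removal of ambiguous characters) and the entropy formula above, as an added JavaScript example. It is not this tool's source code: the symbol set, the ambiguous-character set and all function names are assumptions, and the passphrase helper expects the caller to supply the word list.

```javascript
// Added example, not the tool's source. All names and character sets are assumptions.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const CLASSES = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!@#$%^&*-_=+?', // assumed symbol set
};
const AMBIGUOUS = new Set('0O1lI'); // assumed: the 0/O and 1/l/I pairs named on the page

// Uniform integer in [0, n) via rejection sampling: a plain `value % n`
// over-represents small results whenever 2^32 is not a multiple of n.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 0x100000000) throw new RangeError('bad bound');
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, { classes = Object.keys(CLASSES), excludeAmbiguous = false } = {}) {
  const pools = classes.map((name) => {
    if (!Object.hasOwn(CLASSES, name)) throw new Error(`unknown class: ${name}`);
    return [...CLASSES[name]].filter((c) => !(excludeAmbiguous && AMBIGUOUS.has(c)));
  });
  if (pools.length === 0 || length < pools.length) throw new RangeError('length too short');
  const alphabet = pools.flat();
  // One character from each enabled class, then fill from the full alphabet.
  const chars = pools.map((p) => p[randomBelow(p.length)]);
  while (chars.length < length) chars.push(alphabet[randomBelow(alphabet.length)]);
  // Fisher-Yates shuffle so the guaranteed characters do not sit in fixed positions.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return { password: chars.join(''), alphabetSize: alphabet.length };
}

// The page's formula, log2(alphabet_size ^ length), as an upper bound: forcing one
// character per class rules out a few candidates, so the true figure is slightly lower.
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Diceware-style passphrase; wordList is supplied by the caller (e.g. a 7,776-word list).
function generatePassphrase(wordList, words = 6, separator = '-') {
  return Array.from({ length: words }, () => wordList[randomBelow(wordList.length)]).join(separator);
}
```

Skipping the rejection step in `randomBelow` would make some characters slightly more likely than others, which the entropy formula does not account for.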
NIST SP 800-63B password guidelines (current): Minimum 8 characters, allow up to 64+ characters, permit all printable characters including spaces, do not require forced complexity rules, do not force periodic rotation, check against breach databases (Have I Been Pwned), use password managers for storage. The old rules (force mixed case, symbols, rotate every 90 days) are explicitly discouraged by NIST as they push users toward predictable patterns.
Passphrase mode: Uses a list of common English words (or EFF's large Diceware list of 7,776 words). A 6-word passphrase like correct-horse-battery-staple-river-quartz has ~77 bits of entropy — stronger than most 10-character random passwords while being far easier to remember. Recommended by XKCD and NIST.
Common problems and solutions
⚠Using Math.random() for passwords in your own code
Math.random() is not cryptographically secure — its output can be predicted after seeing a few values. Always use crypto.getRandomValues() in JavaScript, secrets.token_urlsafe() in Python, or crypto/rand in Go for any password or token generation.
⚠Reusing the same password across sites
When one site leaks your password (happens regularly — check haveibeenpwned.com), attackers try the same email/password combo on hundreds of other services. Use a unique random password per account, stored in a password manager.
⚠Forcing complexity rules
Requirements like "must contain uppercase and a symbol" push users toward predictable patterns like Password1! and Summer2024!. NIST SP 800-63B explicitly recommends against these rules. Length is more important than complexity.
⚠Forced password rotation
Requiring users to change passwords every 90 days leads to weak, incremental variations (Password01, Password02, Password03). NIST no longer recommends rotation unless there is evidence of compromise.
⚠Using dictionary words or personal info
Names, birthdays, pet names, favorite sports teams — all in attacker wordlists. A 12-character random password is stronger than a 20-character password based on your biography.
⚠Writing passwords on sticky notes
Use a password manager (1Password, Bitwarden, KeePass) instead. For master passwords you must memorize, use a passphrase and consider a cryptosteel backup for recovery.
⚠Sharing passwords via email or Slack
Email and chat are logged. Use a password manager's secure sharing feature, or one-time secret services (e.g., Bitwarden Send, 1Password Secure Notes) that expire after reading.
⚠Not using two-factor authentication
Even a strong password can be phished or keylogged. Always enable 2FA (TOTP via Authy or Aegis, or hardware keys like YubiKey) on important accounts. Passwords alone are not enough in 2026.
Password Generator — comparisons and alternatives
Random password vs passphrase: Random passwords like xK7#nP9$wE3@vR2m are shorter and higher entropy per character, but hard to type and remember. Passphrases like correct-horse-battery-staple are longer but memorable. For password-manager-stored passwords, random is better. For master passwords you must memorize, passphrases win. Both can be equally strong with enough length.
Password generator vs password manager: A generator makes random passwords; a manager stores them securely. You need both. Use this generator (or your password manager's built-in generator) to create passwords, then store them in 1Password, Bitwarden, KeePassXC, iCloud Keychain, or your browser's sync. Never manually remember more than a handful of passwords.
Password vs passkey: Passkeys (WebAuthn) are the future: cryptographic keys stored in your device or password manager that replace passwords entirely. Supported by Apple, Google, Microsoft, GitHub, and growing. Where passkeys are available, use them. Passwords remain necessary for legacy services.
Password vs SSH key: SSH keys are public/private key pairs — no password to guess, protected by a passphrase on the private key. Used for server access, Git pushes, and automation. Passwords still exist for many services, but prefer key-based authentication wherever possible.
Password length vs complexity: Length beats complexity. A 20-character lowercase-only password (~94 bits entropy) is much stronger than an 8-character password with all character classes (~52 bits). When a service allows it, prefer longer passwords even if they're all lowercase letters over shorter passwords with forced symbols.
Frequently asked questions about the Password Generator
▶How long should my password be?
At least 12 characters, preferably 16+ for most accounts, 20+ for critical accounts (email, banking, admin). Length is the single most important factor in password strength. A 20-character password takes trillions of years to brute-force even with all the world's computing power.
▶Is this password generator cryptographically secure?
Yes. It uses the Web Crypto API (window.crypto.getRandomValues()), which is a CSPRNG seeded from the operating system's entropy pool. This is the same source used by TLS, WebAuthn, and modern browser crypto. It is not the insecure Math.random(). Passwords generated here are suitable for any use case requiring strong randomness.
▶Are my passwords stored or logged?
No. Passwords are generated entirely client-side in your browser. Nothing is transmitted to any server. Open your browser's DevTools Network tab, generate a password, and you will see zero outbound requests. The page does not include any analytics scripts that could see password content.
▶What makes a password strong?
Three things: (1) Length — 16+ characters is the baseline in 2026. (2) Randomness — generated from a CSPRNG, not chosen by a human. (3) Uniqueness — never reused across sites. Character complexity (mixed case, symbols) matters less than length for randomly generated passwords.
▶Should I use passphrases or random passwords?
Use random passwords stored in a password manager for the vast majority of accounts. Use a passphrase only for the master password to your password manager, your device login, and disk encryption — passwords you must memorize and type frequently. A 6-word Diceware passphrase like correct-horse-battery-staple offers ~77 bits of entropy, equivalent to a 12-character random password.
▶How often should I change passwords?
Only when compromised. NIST SP 800-63B no longer recommends periodic rotation — it leads to weaker, predictable variants. Change a password immediately if the site was breached (check haveibeenpwned.com), if you suspect phishing, or if you've shared it. Otherwise, leave strong unique passwords alone.
▶Can the generator produce passwords that are already used?
With sufficient length, the probability of collision is essentially zero. A 16-character password from a 94-character alphabet has ~2^105 possibilities — more than the number of atoms in a small city. If you generate a billion passwords per second for a billion years, your chance of duplicating one is still negligibly small.
▶Why are some characters ambiguous?
Characters like 0 (zero) and O (capital O), 1 and l (lowercase L) and I (capital i), look similar in many fonts. If you will ever read a password aloud, print it on paper, or type it from memory, enable the Exclude ambiguous characters option. If the password goes directly to a password manager, leave them in for maximum entropy.
▶What if a site limits password length or rejects symbols?
Adapt the generator settings. For a 16-character max, generate exactly 16 characters. If symbols are rejected, disable the symbols class and increase length to compensate (e.g., 20 alphanumeric characters). Then contact the site — restrictive password policies indicate weak backend practices (likely storing passwords in plaintext or using bad hashing).
▶Should I share this tool with my team?
Yes, especially for onboarding new team members, provisioning service accounts, or generating temporary passwords. The tool is free, requires no account, and runs in any modern browser. Pair it with a team password manager (1Password Business, Bitwarden Teams) for secure storage and sharing.
Additional resources
- NIST SP 800-63B — Digital Identity Guidelines — Official US government guidance on password policies (length, rotation, storage).
- EFF Long Wordlist for Diceware — 7,776-word list for generating memorable Diceware passphrases.
- Have I Been Pwned — Check if your email or password has appeared in a data breach.
- Web Crypto API — getRandomValues — MDN reference for the cryptographic random function used by this tool.
- XKCD 936 — Password Strength — The famous "correct horse battery staple" explanation of passphrase strength.