Text & dev
Password Generator
Create strong, random passwords in your browser. Choose the length, decide which character sets to include, optionally drop look-alike characters, and copy the result. Randomness comes from your browser's cryptographic generator — nothing is sent anywhere, so the password never leaves your device. With data breaches exposing billions of U.S. account credentials, a long random password that you store in a password manager is one of the simplest ways to protect your email, banking and online accounts. The built-in strength meter shows the entropy in bits so you can see exactly how hard your password would be to crack.
Options
—
Generated locally with crypto.getRandomValues. Use a unique password per site and a password manager.
How the password generator works
Each character is drawn from your selected pool using crypto.getRandomValues — the browser's cryptographically secure random source, never Math.random. To avoid modulo bias, values that fall outside an even multiple of the pool size are rejected and re-drawn. Strength is measured as entropy: the theoretical number of bits an attacker must guess.
Formula
entropy (bits) = length × log₂(pool size)where pool size is the count of unique characters available from the sets you enabled. More length and more sets = more entropy. 60+ bits is good, 80+ bits is strong.
Notes & assumptions
- Entropy assumes each character is chosen independently and uniformly — which this tool does.
- Excluding ambiguous characters slightly lowers entropy but improves readability.
- Never reuse passwords; store them in a reputable password manager.
Frequently asked questions
How long should my password be?
For most accounts, aim for at least 12–16 characters; for high-value accounts like email, banking and your password manager's master password, 16 or more is wiser. Length matters more than complexity — a longer password with mixed character sets quickly pushes the entropy past the 80-bit "very strong" mark shown in the meter above. The default of 16 characters with all four sets is a strong starting point.
Is this password generator safe to use?
Yes. Every password is created locally in your browser using crypto.getRandomValues, the same cryptographically secure random source used for security-sensitive work — not the predictable Math.random. Nothing is transmitted, stored or logged, and the page has no analytics tied to the output. For maximum safety, generate the password, copy it straight into your password manager, and clear your clipboard afterward.
What does "entropy" mean and how many bits is enough?
Entropy measures how unpredictable a password is, expressed in bits: each extra bit doubles the number of guesses an attacker needs. As a rule of thumb, under 40 bits is weak, 60+ bits is good, and 80+ bits is strong enough to resist offline cracking for the foreseeable future. More length and more character sets both raise entropy, which the strength meter recalculates as you adjust the options.
Should I exclude ambiguous characters?
It's optional. Turning on "Exclude ambiguous" removes look-alikes such as capital I, lowercase l, the number 1, capital O and zero, which helps when you'll be reading or typing the password by hand. It slightly shrinks the character pool and therefore the entropy, so if the password lives only in a password manager you can leave it off for maximum strength.
Do I need a different password for every site?
Yes — reusing passwords is the single biggest risk. When one site is breached, attackers try those same credentials everywhere else in what's called credential stuffing. Generate a unique random password for each account and store them in a reputable password manager so you only have to remember one strong master password.