Password Generator
Create strong, random passwords instantly — with full control over length and character types, all inside your browser.
Generated in your browser.Every password is created on your device with the Web Crypto API. Nothing is typed over the network, logged or sent anywhere — it never leaves your browser.
About 103 bits of entropy from a pool of 87 characters.
Include characters
Quick answer
A strong password is long and unpredictable. Set the length to at least 16 characters, keep uppercase, lowercase, numbers and symbols switched on, then copy the result. This tool builds each password with your browser's secure random generator, so no two are the same and none are ever sent over the internet.
What makes a password strong
A password is strong when it is hard to guess — not just by a person, but by software that tries billions of combinations per second. Two things drive that difficulty: length and variety. A longer password drawn from a bigger pool of characters (upper and lower case letters, numbers and symbols) has astronomically more possible combinations, which is measured as entropyin bits. The strength meter above estimates that entropy live so you can see the effect of every change. Predictable choices — dictionary words, names, birthdays, keyboard patterns like qwerty— slash the real strength no matter how the password looks, which is exactly why a random generator beats anything you would invent yourself.
Why length matters most
Every character you add multiplies the number of possibilities an attacker has to work through. Adding one character to a password built from about 90 possible symbols makes it roughly ninety times harder to crack; adding several makes brute force hopeless. That is why length beats clever substitutions like swapping a for @, which attackers' tools already expect. A 12-character password is a reasonable floor, 16 is a comfortable target for important accounts, and going longer costs you nothing when a password manager remembers it for you.
Never reuse passwords
Even a perfect password becomes a liability the moment you use it in two places. When a website is breached — and breaches happen constantly — attackers take the leaked email-and-password pairs and try them on banks, email and shopping sites in what is called credential stuffing. A unique password per account contains the damage to the one site that was breached. The practical way to live with dozens of unique passwords is a reputable password manager: generate a fresh one here, paste it in when you create or change the account, and let the manager store and autofill it from then on.
Frequently asked questions
Are the passwords sent to a server?+
No. Every password is generated entirely in your browser using the Web Crypto API. Nothing is uploaded, logged or stored — the passwords never leave your device, and the tool even works offline.
How random are the passwords?+
They use crypto.getRandomValues, the browser's cryptographically secure random number generator, with rejection sampling to avoid statistical bias. That is far stronger than Math.random, which is not safe for passwords.
How long should my password be?+
Aim for at least 16 characters. Length matters more than anything else because each extra character multiplies the number of possible combinations an attacker must try. The strength meter updates live as you change the length.
What are ambiguous characters?+
Characters that are easy to misread, like the letter O and the number 0, or the lowercase l, capital I and number 1. Turn on 'Exclude ambiguous characters' when you might have to type or copy the password by hand.
Should I use the same password everywhere?+
Never. If one site is breached, reused passwords let attackers into your other accounts. Generate a unique password for every account and store them in a reputable password manager.