Password Generator

Create strong, secure passwords.

What Is a Password Generator?

A password generator creates random strings of characters that serve as strong, unpredictable passwords for online accounts and services. Unlike human-chosen passwords that tend to follow predictable patterns, generated passwords use cryptographic randomness to ensure maximum unpredictability. This tool uses the browser's built-in Web Crypto API to produce passwords that are as random as physically possible.

Weak passwords remain one of the leading causes of account compromises. People naturally gravitate toward memorable patterns: common words, dates, names, and simple substitutions like replacing "a" with "@". Attackers know these patterns and exploit them with dictionary attacks and rule-based cracking. A properly generated random password eliminates these vulnerabilities entirely.

How Password Generation Works

The generator constructs a character pool based on your selected options: uppercase letters (26 characters), lowercase letters (26 characters), numbers (10 characters), and symbols (approximately 29 characters). Combining all sets creates a pool of about 91 characters.

For each character position in the password, the tool generates a cryptographically secure random number using crypto.getRandomValues(). This function accesses the operating system's entropy source, which collects randomness from hardware events. The random number is then mapped to a position in the character pool to select a character.

Password strength is measured in bits of entropy using the formula:

Entropy = Length x log2(Pool Size)

A 16-character password drawn from a pool of 91 characters has approximately 104 bits of entropy, meaning an attacker would need to try on average 2^103 combinations to find it by brute force. At one trillion guesses per second, this would take longer than the age of the universe.

The strength meter categorizes passwords as:

Very Strong (128+ bits): Essentially uncrackable by any known or foreseeable technology
Strong (80-127 bits): Resistant to all current attack methods
Good (60-79 bits): Adequate for most online accounts
Fair (40-59 bits): Vulnerable to dedicated attacks on leaked hashes
Weak (below 40 bits): Susceptible to rapid brute-force cracking

How to Use This Tool

Set the password length. Use the slider to choose a length between 8 and 128 characters. The current value is displayed next to the label. For most purposes, 16 to 20 characters provides excellent security.
Select character sets. Check or uncheck the boxes for uppercase letters, lowercase letters, numbers, and symbols. Using all four sets maximizes entropy per character. At minimum, select at least one set.
Optionally exclude ambiguous characters. Enable this option if you need to read the password aloud or type it manually on another device. This removes characters like O/0, l/1/I that are easily confused.
Click Generate Password. A new random password appears in the output field. The strength meter updates to show the entropy level. Click Generate again for a different password.
Copy the password. Click the Copy button next to the output field. The button briefly shows "Copied!" to confirm. Paste the password into your account registration or password manager.
Review password details. The results section shows the exact entropy in bits, the character pool size, included character sets, and security tips.

Worked Examples

Example 1: Standard Online Account

Length: 16, all character sets enabled. Pool size: 91 characters. Entropy: approximately 104 bits (Very Strong). This exceeds the strength needed for any standard online account and would resist brute-force attacks even if the hashed password were stolen.

Example 2: Wi-Fi Password

Length: 20, exclude ambiguous characters, all character sets. Pool size: approximately 85 characters. Entropy: approximately 128 bits (Very Strong). Excluding ambiguous characters makes it easier to type on new devices joining the network, while the extra length compensates for the slightly smaller character pool.

Example 3: Minimum Security Password

Length: 8, only lowercase and numbers. Pool size: 36 characters. Entropy: approximately 41 bits (Fair). This is the weakest practical password and should only be used for low-value accounts. Adding uppercase and symbols, or increasing the length to 12, would significantly improve security.

Example 4: Master Password for Password Manager

Length: 24, all character sets. Pool size: 91 characters. Entropy: approximately 156 bits (Very Strong). A master password protects all your other passwords, so it should be exceptionally strong. At this entropy level, the password is secure against all known and theoretical attack methods.

Tips for Password Security

Use a unique password for every account. If one service suffers a data breach, reused passwords allow attackers to access all your other accounts. A password manager makes unique passwords practical by remembering them for you.

Enable two-factor authentication (2FA) whenever possible. Even the strongest password can be compromised through phishing or server-side breaches. 2FA adds a second layer of defense that requires physical access to your device.

Never share passwords through email, text messages, or chat. These channels are not secure and may be logged permanently. If you must share access, use a password manager's sharing feature or a one-time secret sharing service.

Check for breaches regularly. Services like Have I Been Pwned allow you to check whether your email address has appeared in known data breaches. If it has, change the password for that service immediately.

Prioritize length over complexity. A 20-character password using only lowercase letters (94 bits of entropy) is stronger than a 10-character password using all character types (65 bits). When complexity requirements are frustrating, add more characters instead.

Store passwords securely. Never write passwords on sticky notes, in unencrypted text files, or in email drafts. Use a dedicated password manager that encrypts your vault with a strong master password and supports secure syncing across devices.

Frequently Asked Questions

How does this password generator create random passwords?

This tool uses the Web Crypto API's crypto.getRandomValues() method, which provides cryptographically secure random numbers generated by the operating system's random number generator. This is fundamentally different from Math.random(), which uses a deterministic algorithm and is not suitable for security purposes. The cryptographic random number generator draws entropy from hardware events like mouse movements, keyboard timing, and disk activity.

What makes a password strong?

Password strength is measured in bits of entropy, which represents the number of possible combinations an attacker would need to try. The three factors are length, character pool size, and randomness. A 16-character password using uppercase, lowercase, numbers, and symbols has about 105 bits of entropy. Generally, 60+ bits is considered adequate for most accounts, 80+ bits is strong, and 128+ bits is very strong. Length is the single most impactful factor.

How long should my password be?

For standard online accounts, 16 characters is a good minimum when using all character types. For high-security accounts like email, banking, and password manager vaults, use 20 or more characters. For master passwords that protect other passwords, aim for 24+ characters. Longer is always better because each additional character exponentially increases the number of possible combinations.

Should I include symbols in my passwords?

Yes, when possible. Including symbols increases the character pool from about 62 (letters and numbers) to about 90+, which significantly increases entropy per character. However, some systems restrict which characters are allowed. If a service does not accept symbols, compensate by using a longer password. A 20-character password with only letters and numbers (about 119 bits) is stronger than a 12-character password with all types (about 79 bits).

What are ambiguous characters and why would I exclude them?

Ambiguous characters are those that look similar in certain fonts: O (letter) and 0 (zero), l (lowercase L) and 1 (one) and I (uppercase i), and the pipe character |. Excluding them is useful when you need to read or transcribe a password manually, such as entering a Wi-Fi password or sharing a temporary access code verbally. For passwords stored in a password manager, there is no need to exclude them.

Is it safe to generate passwords in a web browser?

Yes, when the tool runs entirely client-side as this one does. The password is generated in your browser using your device's cryptographic random number generator. No data is sent to any server. You can verify this by using the tool while offline. However, always ensure you are on the legitimate website and not a phishing page, and use the generated password with a trusted password manager.

How often should I change my passwords?

Current security guidance from NIST (National Institute of Standards and Technology) recommends against mandatory periodic password changes unless there is evidence of a breach. Frequent forced changes lead people to use weaker, more predictable passwords. Instead, use strong unique passwords for each account, enable two-factor authentication, and change passwords immediately if a service reports a data breach.

What is a password manager and should I use one?

A password manager is software that securely stores all your passwords in an encrypted vault protected by a single master password. It can auto-fill login forms and sync across devices. Using a password manager is strongly recommended because it allows you to use long, unique, random passwords for every account without memorizing them. Popular options include Bitwarden, 1Password, and KeePass.