Password Generator
Create strong, random passwords with custom length and character sets — generated securely in your browser.
Updated: June 26, 2026
Generate a strong password instantly
This generator builds random passwords using your browser's cryptographic
random number generator (crypto.getRandomValues) — the same
class of randomness used for real security work, not the predictable
Math.random(). Pick a length and which character sets to include,
and a fresh password appears immediately. Nothing is transmitted or stored;
the password exists only on your screen.
What makes a password strong?
Strength comes from entropy — the number of equally likely possibilities an attacker would have to search. Entropy grows with both length and the size of the character pool. Adding length helps more than adding complexity: a long passphrase of random words can be both stronger and easier to type than a short string of symbols. As a rule of thumb, aim for at least 16 characters drawn from a mix of cases, digits and symbols, or more for anything valuable.
- 12 characters, mixed sets ≈ 78 bits — fine for most accounts.
- 16 characters, mixed sets ≈ 104 bits — strong.
- 20+ characters ≈ 128+ bits — effectively unbreakable by brute force.
Use a unique password everywhere
The single most important habit is never reusing a password. When one site is breached, attackers replay the leaked credentials against every other service ("credential stuffing"). A unique random password per site means one breach can't cascade. Because nobody can memorize hundreds of random strings, pair this generator with a password manager that stores them for you.
The "exclude ambiguous characters" option
Characters like 0/O and 1/l/I
are easy to confuse when a password must be read aloud or typed from a screen.
Enabling the exclude-ambiguous option drops them, which slightly reduces the
pool size but improves usability for passwords you'll occasionally transcribe.
For passwords that live only in a manager, leave it off for maximum entropy.
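The generation approach described above, as an added sketch rather than this site's own code: it draws each character with crypto.getRandomValues, uses rejection sampling so every pool character is equally likely, and applies the exclude-ambiguous option. The function names and the 94-character printable-ASCII pool are assumptions (the page does not list its symbol set); that pool size is consistent with the ≈ 78 and ≈ 104 bit figures above.

```javascript
// Added example; names are hypothetical, not this site's code.
// Web Crypto is a global in browsers and current Node; older Node uses the fallback.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

// Assumed pool: printable ASCII, 26 + 26 + 10 + 32 = 94 characters.
const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
const AMBIGUOUS = "0O1lI"; // the look-alike characters named on the page

function buildPool({ lower = true, upper = true, digits = true,
                     symbols = true, excludeAmbiguous = false } = {}) {
  const enabled = { lower, upper, digits, symbols };
  let pool = Object.keys(SETS).filter((k) => enabled[k]).map((k) => SETS[k]).join("");
  if (excludeAmbiguous) pool = [...pool].filter((c) => !AMBIGUOUS.includes(c)).join("");
  if (pool.length === 0) throw new Error("select at least one character set");
  return pool;
}

// Uniform integer in [0, n). A plain `value % n` favours low indices whenever
// 2^32 is not a multiple of n, so draws at or above the largest multiple are retried.
function randomIndex(n) {
  const limit = 0x100000000 - (0x100000000 % n);
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, options) {
  if (!Number.isInteger(length) || length < 1) throw new Error("invalid length");
  const pool = buildPool(options);
  let out = "";
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return out;
}

// Entropy of a uniformly random password: length * log2(pool size).
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}
```

With the exclude-ambiguous option on, the pool shrinks from 94 to 89 characters and a 16-character password drops from about 104.9 to about 103.6 bits.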
Where this tool fits
Generate a password here, check how it scores with our password strength checker, and if you need machine credentials instead of human passwords, use the API key generator. When storing passwords server-side, never keep them in plain text — hash them with bcrypt.
Frequently asked questions
Are these passwords really random and safe to use?
Yes. They are generated in your browser using the Web Crypto API (crypto.getRandomValues), which is cryptographically secure. The password is never sent over the network or saved anywhere.
How long should my password be?
Aim for at least 16 characters for important accounts. Length matters more than complexity — a longer password has more entropy and is exponentially harder to brute-force.
Should I use symbols?
Symbols increase the character pool and therefore entropy, so include them when a site allows it. But a longer password without symbols can be just as strong — prioritize length.
How do I remember a random password?
You shouldn't try to. Use a password manager to store a unique random password for every site, and only memorize the manager's master password.
Password managers worth using
A generator is only half the solution — you also need somewhere safe to store unique passwords:
- Password manager: Generate, store and autofill a unique strong password for every account, synced across your devices.
- Hardware security key: Add phishing-resistant two-factor authentication on top of strong passwords for your most important accounts.
Related tools
- Password Strength & Entropy Checker: Measure a password's entropy in bits and estimate how long it would take to crack.
- API Key & Secret Generator: Generate cryptographically secure API keys and secrets in hex, Base64url or alphanumeric.
- Bcrypt Hash Generator & Checker: Hash a password with bcrypt at an adjustable cost factor, or verify a password against a hash.
- UUID Generator (v4 & v7): Generate random v4 UUIDs or time-ordered v7 UUIDs in bulk, ready to copy.