Password Generator
Create strong, random passwords instantly — free and private.
Character Sets
Options
Generated Password
Quick Presets
What Is a Password Generator?
A password generator is a tool that creates random strings of characters for use as passwords. Unlike passwords you invent yourself — which tend to follow memorable patterns, use dictionary words, or reuse existing passwords — a generator produces sequences that have no pattern whatsoever, making them exponentially harder to guess or crack.
This tool uses crypto.getRandomValues(), the Web Cryptography API built into every modern browser. This API draws entropy from your operating system's secure random source, the same source used by cryptographic libraries. Every character is chosen independently and uniformly from your selected pool, so the result is as random as any password you could generate with dedicated software.
Everything runs locally in your browser. No password you generate here ever leaves your device.
How Password Strength Is Measured
The strength indicator on this tool is based on password entropy — a measure of unpredictability expressed in bits. The formula is:
Entropy = log₂(pool_sizelength) = length × log₂(pool_size)
Where pool_size is the total number of distinct characters that could appear in each position, and length is the number of characters. Here is how the five strength levels map to entropy ranges:
- Very Weak — below 28 bits (e.g., 4-character lowercase only)
- Weak — 28–35 bits
- Fair — 36–59 bits (minimum for low-value accounts)
- Good — 60–95 bits (suitable for most accounts)
- Strong — 96–127 bits
- Very Strong — 128+ bits (recommended for high-value accounts)
A 16-character password using all four character sets (pool of 94 printable ASCII characters) has approximately 105 bits of entropy — well into the "Strong" range and computationally infeasible to brute-force with current hardware.
Choosing the Right Password Length
Length is the single most important factor in password strength. Each additional character multiplies the total number of possible passwords by the pool size. Going from 12 to 16 characters doesn't add 4 more characters of security — it multiplies the possibilities by 94⁴, which is more than 78 million times harder to crack.
Recommended Lengths by Account Type
- Low-value accounts (forums, newsletters): 12 characters minimum
- Standard accounts (social media, shopping): 16 characters
- High-value accounts (email, banking, cloud storage): 20+ characters
- Password manager master password: 24–32 characters
- Encryption keys, root credentials: 32+ characters
Character Sets Explained
This generator lets you choose from four character sets:
- Uppercase letters (A–Z) — 26 characters. Adding this alone increases the pool from 26 to 52.
- Lowercase letters (a–z) — 26 characters. The baseline for most readable passwords.
- Digits (0–9) — 10 characters. Most sites require at least one digit.
- Symbols — 32 printable ASCII symbols. Adding symbols is the single biggest entropy boost per character. The full set is:
! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
Using all four sets gives a pool of 94 characters, yielding approximately 6.55 bits of entropy per character. A 16-character password from this pool has ~104.8 bits of entropy.
Ambiguous Characters: When to Exclude Them
Some characters are visually similar across fonts and can cause errors when typing manually:
- 0 (zero) and O (capital oh)
- l (lowercase L), 1 (one), and I (capital i)
- Certain symbols that look like punctuation in print:
{ } [ ] ( ) / \ ' " ~ , ; . < >
Excluding these characters reduces the pool size slightly, which lowers entropy a small amount. For a 16-character password you lose about 2–4 bits — an acceptable trade-off if you need to type the password manually. If you always copy-paste, leave these enabled to maximize entropy.
Generating Multiple Passwords at Once
The "Number of Passwords" field lets you generate up to 20 passwords in one click. This is useful when you need to create credentials for multiple users, rotate passwords across several services at once, or pick your favorite from a selection. Each password is generated independently.
Best Practices for Using Generated Passwords
1. Use a Password Manager
A randomly generated password of 20+ characters is impossible to memorize. That is a feature, not a bug. Store it in a password manager like Bitwarden (open-source, free), 1Password, or KeePass. The password manager requires only one master password to remember, which you can generate here and commit to memory.
2. Never Reuse Passwords
Password reuse is the number one cause of account takeovers. When a site is breached and its password database leaked, attackers immediately test those credentials on other major services — this is called a credential stuffing attack. A unique password on every site guarantees that one breach cannot cascade into others.
3. Enable Two-Factor Authentication
A strong password combined with two-factor authentication (2FA) provides layered security. Even if a password is somehow stolen, the attacker still cannot log in without the second factor. Use an authenticator app (TOTP) rather than SMS where possible.
4. Never Share Passwords
Even with trusted people. If someone else needs access to an account, use the service's built-in sharing or delegation feature. If you must share, change the password immediately afterward.
5. Check for Breaches
After creating a new password, check whether your email address appears in known breaches using a service like Have I Been Pwned. If it has, prioritize rotating passwords on the affected and related services.
How This Compares to Other Tools
Browser-based password generators using crypto.getRandomValues() are considered as secure as desktop applications for everyday password generation. The critical difference from older generators is the entropy source: Math.random() (used by many basic generators) is a predictable PRNG that is not suitable for security purposes. crypto.getRandomValues() is the recommended standard.
If you need passwords for extremely high-security environments — cryptographic keys, hardware security modules, or government systems — use a dedicated offline tool running on an air-gapped machine. For everything else, this tool is appropriate.
Related Calculators
While generating passwords, you might also find these tools useful. Our percentage calculator helps with quick math across many everyday tasks. The unit converter handles conversions between hundreds of units instantly. And our days between dates calculator tells you exactly how many days separate any two dates — useful for planning password rotation schedules or subscription renewals.
Frequently Asked Questions
What makes a password strong?
A strong password is long (at least 12 characters), uses a mix of uppercase, lowercase, numbers, and symbols, and has no recognizable patterns or dictionary words. Length matters most — each extra character multiplies the difficulty exponentially.
How long should my password be?
At least 16 characters for standard accounts and 20+ for high-value accounts like email or banking. The default on this tool is 16, which gives over 10²⁸ possible combinations when using all character sets.
Is the generated password stored anywhere?
No. All generation happens in your browser using JavaScript. Generated passwords are not sent to our servers. Closing the tab permanently discards the password — copy it before leaving the page.
What is crypto.getRandomValues()?
It is a cryptographically secure random number generator built into all modern browsers. Unlike Math.random(), it uses your operating system's entropy source, making it suitable for security-critical uses like password generation.
Should I exclude ambiguous characters?
Only if you need to type the password manually. Characters like 0/O and l/1/I are hard to distinguish in many fonts. If you always copy-paste, keep them enabled for maximum entropy.
What symbols are included?
The full set of 32 printable ASCII symbols: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~. You can optionally exclude the visually ambiguous subset.
What is password entropy?
Entropy (in bits) measures how unpredictable a password is. It equals length × log₂(pool size). A 16-character password from 94 characters has ~105 bits of entropy — extremely strong by any current standard.
Can I generate multiple passwords at once?
Yes. Set "Number of Passwords" to up to 20 and click Generate. Each password is generated independently.
Why does every account need a unique password?
If one site is breached, attackers test the stolen credentials everywhere else. Unique passwords guarantee that a breach on one site cannot compromise any other account you own.
Should I use a password manager?
Absolutely. Generate a strong, unique password for every account and store them in a manager like Bitwarden or 1Password. You only need to remember one strong master password.
How often should I change my passwords?
NIST guidelines say to change only when there is evidence of compromise, not on a fixed schedule. Forced rotation leads to weaker passwords. Use a long unique random password and rotate it only if a breach is suspected.
What is a passphrase vs. a password?
A passphrase is several random words joined together (e.g., "correct horse battery staple"). It is easier to memorize and can be very strong. A character-based password from this generator is typically stronger per character and better for sites with short length limits.