Password Generator

How This Password Generator Works

What the generator creates

The Password Generator creates random character-based passwords from the settings you choose. You control the length, the number of passwords, and whether the output includes uppercase letters, lowercase letters, numbers, and symbols. You can also exclude ambiguous characters that are easy to misread when typing a password manually. The result is generated instantly and shown with a strength estimate based on entropy.

A good password is not just complicated-looking. It should be long, random, unique, and hard to guess even if an attacker knows how it was generated. This tool is designed for that kind of password. If you need random numeric values rather than login secrets, use the Random Number Generator for fair number picks, dice rolls, and simple samples.

How secure randomness is used

The generator uses the browser Web Crypto API when available. That API provides cryptographically stronger random values than Math.random and is the right browser feature for generating secrets. Each character is selected from the active pool with rejection sampling so the selection is not biased toward some characters. The tool also forces at least one character from each selected group so a password with symbols enabled actually includes a symbol.

Generated passwords are not sent to a server by this tool. The logic runs in the page on your own device. You still need to store the password somewhere safe after copying it. A password manager is the best place because it can save a different long password for every account without requiring you to memorize all of them.

Length, character sets, and entropy

Length is the most important setting. Every extra character multiplies the number of possible passwords. A 16-character password from a large mixed pool is much harder to guess than a short password with a few substitutions. Symbols and numbers increase the pool, but a longer password is usually easier to make strong and reliable than a short password with awkward rules.

The entropy estimate is a practical guide, not a guarantee. It assumes the password is randomly generated from the selected character pool. Under 60 bits is weak for modern use, 60 to 100 bits is acceptable for many everyday accounts, and 100+ bits is strong. For sensitive accounts such as email, banking, cloud storage, and administration panels, prefer long unique passwords.

Some websites still set outdated maximum lengths or reject certain symbols. If that happens, do not shorten the password more than necessary. First keep the length high, then adjust the character sets to match the site's rules. A 24-character password using letters and numbers can still be very strong, even if symbols are not allowed.

For passwords that must be typed on a TV, game console, shared device, or printed recovery sheet, readability matters. In those cases, excluding ambiguous characters is a reasonable tradeoff. For passwords saved directly into a password manager, maximize length and keep more character sets enabled because you usually will not type the password by hand.

Ambiguous and bracket characters

Ambiguous characters are characters that look similar in some fonts, such as zero and capital O, or one and lowercase l. Excluding them makes passwords easier to type from a printed page or another screen. If you only copy and paste from a password manager, you can usually keep ambiguous characters enabled for a larger character pool.

The bracket exclusion option removes bracket-like symbols that can be awkward in some systems, forms, shell commands, or configuration files. That slightly reduces the symbol pool but can improve compatibility. If a website rejects a generated password, try removing symbols or bracket characters, then generate again.

Multiple passwords and account hygiene

The count option lets you generate up to 20 passwords at once. This is useful when creating several test accounts, rotating a few shared service credentials, or choosing from several candidates. Every generated password is independent. Use the copy buttons to copy the first password or the full list after generation.

Never reuse one password across multiple real accounts. If one website is breached, reused credentials can be tried on email, banking, shopping, and social accounts. A unique password per account limits the damage. For accounts that also need recovery planning, keep recovery codes in a password manager or another secure storage location.

When replacing old passwords, update the most valuable accounts first: email, banking, cloud storage, domain registrars, social accounts, and anything that can reset other logins. Email is especially important because password reset links often go there. Once your core accounts are protected, move through the rest of your saved logins over time.

Common mistakes and privacy

A common mistake is making a password look complex while still basing it on a name, date, keyboard pattern, or common word. Attackers test those patterns first. Another mistake is saving passwords in plain text notes or sending them through chat. Generate a strong password, put it into a password manager, and enable multi-factor authentication where possible.

This page does not store generated passwords. The page may load normal site scripts for navigation, analytics, and advertising, but the password generation happens in your browser. For other everyday calculations after setting up accounts, the Percentage Calculator and Unit Converter are useful companion tools.