Password Generator

Generate cryptographically secure random passwords using the browser's built-in crypto.getRandomValues() API — no server calls, no storage. Choose your desired length and character sets, then copy the result or generate in bulk. Strong passwords should be at least 16 characters long and include a mix of uppercase, lowercase, numbers, and symbols.

Click Generate →

—

Tip: Press Ctrl+Enter to run

Password Length 16

4128

Character Sets

Uppercase (A–Z) Lowercase (a–z) Numbers (0–9) Symbols (!@#…)

Exclude Ambiguous Characters Exclude: 0 O o l 1 I i

Bulk Generate:

What this tool does

This generator creates random passwords using crypto.getRandomValues() — the browser's cryptographically secure random number source, the same one used for TLS key generation. It is fundamentally different from Math.random(), which is predictable and unsuitable for security purposes. Nothing is transmitted; passwords are generated and stay in your browser.

How to use it

Click Generate or press Ctrl+Enter to create a new password.
Drag the length slider — 16 characters is a solid default for most logins; use 24+ for service accounts and API secrets.
Enable or disable character sets (uppercase, lowercase, digits, symbols) to match the target system's requirements.
Enable "Exclude ambiguous characters" if the password will be typed by hand — this removes characters like 0, O, l, and 1 that look similar.
Use Bulk Generate to produce a list of passwords at once — useful when provisioning multiple accounts.

What makes a password actually strong

Length is more important than complexity. A 20-character random string beats a 10-character string with every special character rule met. The meaningful measure is entropy — the size of the search space an attacker would need to cover. Each character you add multiplies that space. P@ssw0rd! is in every cracker's wordlist within the first million guesses; a 20-character random string won't be found at all.

Recommended lengths by use case

Website login: 16–20 characters, all character sets.
Wi-Fi passphrase: 20+ characters — WPA2/WPA3 supports up to 63.
Service account / database password: 24–32 characters. Never typed manually.
API secret / signing key: 32–64 characters. Store in a secrets manager, not in code.
Temporary password for a new user: 12 characters is fine if they must change it immediately.

Frequently Asked Questions

Is this safe to use for real passwords?

Yes. The generator uses crypto.getRandomValues(), which is the same cryptographic randomness source used for TLS key generation. Passwords are generated entirely in your browser and never transmitted. The tool has no analytics, no backend, and no logging.

What if a site doesn't allow special characters?

Disable the symbols checkbox and increase the length by a few characters to compensate for the smaller character set. A 20-character alphanumeric password still has very high entropy — more than a 12-character password that meets every complexity requirement.

Should I use a password manager?

Yes, for anything you log into regularly. Generate a unique random password for each account, store it in a password manager (Bitwarden, 1Password, KeePass), and never reuse passwords. This tool is for generating those passwords; a manager is for storing them securely.

Want the full explanation? Read the guide: Building Passwords That Actually Hold Up →