Password Generator
Cryptographically-strong passwords generated entirely in your browser. Never sent to any server.
Strength: —
How it works
This generator uses crypto.getRandomValues() — the browser's cryptographically-secure pseudo-random number generator — to pick characters from your selected pools. The same primitive that secures HTTPS connections, banking sessions, and password managers. Every character is rolled independently, so an attacker can't predict the next character from the previous ones.
The password is generated entirely in your browser. It is never sent to a server, never logged, and never stored. Refresh the page and it's gone forever.
How long should my password be?
| Length | Pool | Approx entropy | Crack time (offline) |
|---|---|---|---|
| 8 chars | Lowercase only (26) | ~38 bits | Hours |
| 12 chars | All four pools (~94) | ~78 bits | Centuries |
| 16 chars (recommended) | All four pools | ~104 bits | Trillions of years |
| 20+ chars | All four pools | ~131+ bits | Heat-death of the universe |
For most accounts, 16 characters with all four pools enabled is the sweet spot — long enough that brute force is hopeless, short enough to type if needed.
Use cases
- New account signups. Generate, copy, paste into the form, save in your password manager.
- Resetting compromised passwords. If a service notifies you of a breach, generate a fresh one immediately.
- Wi-Fi passwords. Long random strings make rainbow-table attacks worthless.
- API keys and tokens. Use 32+ characters with symbols enabled.
- Master passwords for a password manager. Use 20+ characters; you only memorize this one.
Frequently asked questions
Is the password really not sent to your server?
Correct — the password is generated by JavaScript running in your browser using crypto.getRandomValues(). Open your browser's network tab and you will see zero requests when you click regenerate. The site itself uses standard HTTPS for the page load, but the password generation happens entirely client-side.
What does 'Skip look-alikes' do?
It removes characters that are easy to confuse when reading: 0 / O / o, 1 / l / I, plus a few others. Useful when you'll have to type the password from a printed copy or a screen across the room.
Why disable any of the character pools?
Some legacy systems reject symbols, or require an exact length. Tune the toggles to match the destination system's rules. Always disable as few pools as possible — every disabled pool reduces entropy.
Should I use this or a passphrase?
For machine-typed passwords (password managers fill them in), random characters are best. For passwords you have to type by hand often, a 4-6 word passphrase (correct-horse-battery-staple) is easier to remember at similar entropy. Both are vastly better than a memorable word + number.
Is there a 'remember' feature?
Intentionally not — the password is meant to be ephemeral. Copy it, paste it into your password manager, and let the manager remember it. Trusting a single page to remember things is a security anti-pattern.