Password Generator

How to use

1. Drag the Length slider to pick how many characters you want (4 to 128).
2. Tick the character classes you want included — uppercase, lowercase, digits, symbols.
3. Optionally check Avoid look-alike to skip I l 1 O 0.
4. Click Generate if you want a fresh one (every change also regenerates automatically).
5. Click Copy to put it on your clipboard, then paste it into your password manager.

What does it do?

This generator builds a password by drawing each character independently from the alphabet you selected, using the browser's Web Crypto API for randomness. That is the same cryptographically secure source browsers use to generate TLS session keys — it is not the biased Math.random() that most ad-hoc generators rely on. A rejection-sampling loop ensures every symbol in the alphabet has equal probability, so entropy estimates actually hold.

Example

Length 20, all four classes, look-alikes allowed:

G7#vQ2xP!mK9nR4sT&bL

Length 24, letters and digits only (for sites that reject symbols):

k3Hq8RmZ5nPv2WyTb6JsXfLd

Common pitfalls when using a generated password

• Site rejects certain symbols. Some sites silently strip or refuse <, >, quotes, or spaces. If the site won't accept the password, turn off the Symbols class and increase length to 24+ to compensate.
• Copy-paste adds a trailing space. Double-click selection on some OSes grabs an extra space. If login fails, paste into a plain text field first and verify the length matches.
• Too short "for convenience". An 8-character password is roughly 50 bits of entropy — crackable offline in hours on a modern GPU. Use 16+ for routine accounts, 20+ for anything encrypting data at rest.
• Using one password for multiple accounts. A strong password reused on a breached site is still compromised. Generate a unique one per account and store them in a password manager.
• Forgetting about password rotation policies. Some corporate systems force a change every 90 days. Save the generated password in your manager so you can confirm it matches exactly if the site asks you to re-enter it.
• Screenshots or clipboard history. macOS, Windows, and several clipboard managers keep history. Clear the clipboard or paste something else after you've stored the password.

Is my data private?

Yes — and this matters a lot for a password generator. We don't save the passwords you generate. Each one is shown once in the input field and is gone the moment you refresh or close the tab — nothing is written to storage, nothing is logged, and there's no record on our side of what you created. Feel free to verify in your browser's developer tools.

Frequently asked questions

Is this password generator cryptographically secure?

Yes. Randomness comes from crypto.getRandomValues(), the browser Web Crypto API that backs TLS session keys. It is not Math.random(), which is a predictable pseudo-random generator unsuitable for secrets. Each character is drawn with rejection sampling so every symbol in the alphabet has equal probability.

How long should my password be?

For online accounts with rate limiting, 16 characters from mixed classes is plenty. For anything protecting encrypted data offline (password managers, disk encryption, backups) use 20 or more. A 20-character password from all four classes has roughly 130 bits of entropy, which is beyond brute-force reach.

Do you save the passwords this tool generates?

No. We don't save the passwords you generate here. Every password is shown once, kept only in the input field you see, and is gone the moment you refresh or close the tab. Nothing is written to storage or logged on our side. You can verify in your browser's developer tools if you want extra reassurance.

What is entropy and how many bits do I need?

Entropy measures unpredictability in bits. Each bit doubles the number of guesses an attacker must try. 60 bits resists casual offline attacks, 80 resists determined ones, and 128 is the modern standard for strong keys. A 20-character password from a 90-symbol alphabet is about 130 bits.

Should I use a passphrase instead of a random password?

A passphrase of 5 or 6 random dictionary words is easier to type and memorize, and can reach similar entropy (around 65 to 80 bits). But for passwords you store in a manager and never type, a random character password is shorter for the same strength. This tool generates the latter.

Why does a site reject the symbols in my generated password?

Some sites refuse certain symbols like <, >, quotes, or spaces because of poor input handling on their end. If a password is rejected, uncheck Symbols and generate a longer letters-plus-digits password instead. Length compensates for the smaller alphabet in terms of entropy.

Related tools

• UUID Generator — for machine-readable random identifiers rather than human-entered secrets.
• File Hash — compute SHA-256 of a file, useful when verifying a download or a credential dump.
• Base64 Encoder / Decoder — encode a generated secret for config files or HTTP Basic auth headers.
• JWT Decoder — inspect session tokens produced after you log in with a strong password.
• QR Code Generator — share a Wi-Fi password by QR instead of dictating it aloud.
• All text & developer tools