Password Generator
Generate strong random passwords in your browser. Passwords are created locally with your browser's cryptographic random source — nothing is transmitted, logged, or stored — and each one comes with an honest entropy estimate instead of a vague strength meter.
Generate a password
Recommended: 16+ characters with all sets enabled (≈103 bits).
What actually makes a password strong
Strength is not cleverness — it is unpredictability, measured in entropy. A password drawn uniformly from a pool of 89 characters carries about 6.5 bits per character, so 16 characters give roughly 103 bits: more possibilities than an attacker testing trillions of guesses per second could cover in the lifetime of the universe. Human-invented patterns (words, dates, substitutions like "P@ssw0rd") collapse that space catastrophically, because crackers try exactly those patterns first.
Length beats complexity
Each additional character multiplies the search space by the whole pool size, while enabling one more character class only nudges the per-character pool. When a site limits length, use every class; when it does not, prefer going longer. The entropy readout under the generator updates live as you change settings, so the trade-offs are visible instead of hidden behind a red-yellow-green meter.
Handling a fresh password
Copy it straight into a password manager and let the manager fill it from then on — that keeps it unique per site, which matters more than any single password's strength, because reuse is how one breach becomes many. Avoid emailing or messaging passwords to yourself; if you must write one down temporarily, destroy the note once the manager has it.
Frequently asked questions
Is it safe to generate a password on a website?
It is safe when generation happens locally, as it does here: the password is produced by your own browser using its cryptographic random source, is never sent over the network, and is never stored. You can verify with your browser’s network tools that no request carries it. Still, the safest home for any password is inside a password manager immediately after generation.
What do the entropy bits mean?
Entropy measures how many equally likely passwords the settings could have produced: bits = length × log₂(pool size). Each added bit doubles an attacker’s search space. As a rule of thumb, 70+ bits is strong for online accounts and 100+ bits resists serious offline cracking.
Is a longer password better than a more complex one?
Almost always. Length multiplies entropy per character, while adding symbol classes only enlarges the pool slightly — a 20-character lowercase password (~94 bits) beats an 8-character everything password (~52 bits). Use both when a site allows it.
What does “exclude ambiguous characters” do?
It removes characters that look alike in many fonts — 0/O/o, 1/l/I/|, and quote marks — which helps when a password must be read aloud or typed from paper. It slightly reduces the pool size, and the entropy estimate updates accordingly.
Why does every generated password contain each selected type?
Many sites enforce composition rules (“at least one digit and one symbol”). The generator guarantees one character from every enabled set, then fills and shuffles the rest randomly, so results pass those checks without retries.
Generation is implemented as tested, typed functions with a cryptographically strong source and guaranteed set coverage — see the methodology page.