Secure Password Generator
Generate cryptographically strong random passwords. Adjustable length, custom character sets, strength meter, batch mode, and history. Completely free and private.
Passwords and hashes are generated client-side and never stored or transmitted. This tool uses cryptographically secure randomness (crypto.getRandomValues) for generation. However, no security guarantee is implied. As a best practice, use a dedicated password manager and never reuse passwords across accounts.
Frequently Asked Questions
How does this password generator work?
This generator uses the Web Cryptography API's crypto.getRandomValues() — the same cryptographically secure randomness used by operating systems for security purposes. It is fundamentally different from Math.random(), which is deterministic and unsuitable for passwords. Every character is drawn from your selected character set using unbiased random selection. Nothing is transmitted anywhere — the entire process runs in your browser's JavaScript engine.
What makes a password strong?
Password strength is measured by entropy: the number of bits of randomness in the password, which determines how many guesses a brute-force attack needs. For a randomly generated password, entropy = length × log₂(character set size). Using all four character sets (uppercase + lowercase + numbers + symbols ≈ 94 characters) at 20 characters gives roughly 131 bits of entropy — astronomically hard to crack. The two biggest levers: use all character types and make it long (16+ characters). The strength meter on this page shows your current entropy level.
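The unbiased selection described under "How does this password generator work?" and the entropy formula above, as an added JavaScript example that is not this tool's own code. The function names, the 32-character symbol set and the `fill` test hook are assumptions made for illustration.

```javascript
// Added illustration, not this tool's source. Names and the symbol set are assumptions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const SETS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // 32 printable ASCII symbols
};
const AMBIGUOUS = 'O0l1I'; // the five characters the page lists

function buildCharset(names, excludeAmbiguous = false) {
  const all = names.map((k) => SETS[k]).join('');
  if (!excludeAmbiguous) return all;
  return [...all].filter((c) => !AMBIGUOUS.includes(c)).join('');
}

// Uniform index in [0, n). A plain `byte % n` favours low indexes whenever
// 256 is not a multiple of n, so bytes at or above the largest multiple of n
// are thrown away and redrawn (rejection sampling).
// `fill` is a hypothetical hook so the rejection path can be tested.
function randomIndex(n, fill = (b) => rng.getRandomValues(b)) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('n must be 1..256');
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { fill(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, charset) {
  let out = '';
  for (let i = 0; i < length; i++) out += charset[randomIndex(charset.length)];
  return out;
}

// Entropy = length × log2(character set size), valid for uniform random choice.
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

const full = buildCharset(['upper', 'lower', 'digits', 'symbols']);
const typed = buildCharset(['upper', 'lower', 'digits', 'symbols'], true);
console.log(generatePassword(20, full), entropyBits(20, full.length).toFixed(1));
console.log(generatePassword(20, typed), entropyBits(20, typed.length).toFixed(1));
```

With 94 characters, bytes 188 to 255 are rejected, so each accepted byte maps to exactly two of the 94 indexes.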
Are my passwords stored anywhere?
No. Passwords are generated entirely in your browser and never sent to any server. The optional history feature uses sessionStorage — it is cleared when you close or refresh this browser tab. It is never written to localStorage or cookies, and never transmitted anywhere. You can verify this by inspecting the page source or opening DevTools → Network tab while generating.
How long should my password be?
For most accounts: 16 characters with a mix of all character types is very strong (100+ bits of entropy). For sensitive accounts like banking, email, or your password manager master password: 20+ characters. If you're using a password manager (and you should be), use the longest password the service allows — you won't need to remember it.
What is a pronounceable password?
A pronounceable password follows a consonant-vowel pattern (e.g. "rapomitevu") making it easier to read aloud or remember temporarily. It trades some entropy for memorability. These are still generated using cryptographic randomness — they are not dictionary words. For maximum security, use standard random mode with all character types enabled. For passwords you occasionally need to type manually, pronounceable mode is a good trade-off.
Should I exclude ambiguous characters?
Ambiguous characters like O (uppercase O), 0 (zero), l (lowercase L), 1 (one), and I (uppercase i) look identical in many fonts and cause transcription errors. Excluding them slightly reduces entropy but eliminates mistakes when typing a password manually. If you use a password manager to paste passwords automatically, leave ambiguous characters enabled for maximum security.