Skip to content

Password Generator

Generate strong random passwords locally with a cryptographically secure RNG — nothing is ever uploaded.

Privacy: your files never leave your device. All processing happens locally in your browser.

How to use

  1. 1.Set the length with the slider or number box (longer means stronger — 16+ is a good default).
  2. 2.Toggle which character types to include: uppercase, lowercase, digits, symbols, and optionally exclude ambiguous characters like 0, O, 1, and l.
  3. 3.Read the strength and entropy estimate, then click Copy — or Generate new password to roll a fresh one.

About Password Generator

A password generator builds a random string from the character types you choose so you never have to reuse a guessable password again. This tool runs entirely in your browser and generates every password with a cryptographically secure random number generator (CSPRNG) — the platform's crypto.getRandomValues — not JavaScript's Math.random. That distinction matters: Math.random is fast but not cryptographically secure, and its output can be predicted from prior values, so passwords built on it carry far less real randomness than their length suggests. A CSPRNG is designed to be unpredictable, which is exactly what a secret should be.

Strength comes down to entropy, measured in bits. Entropy equals length multiplied by log2 of the pool size (the number of distinct characters available). With uppercase, lowercase, digits, and symbols all enabled, the pool is 86 characters, so each character adds about 6.4 bits. A 12-character password from that pool carries roughly 77 bits; a 16-character one about 103 bits. As a rule of thumb, under 60 bits is weak, 60 to 100 is fair, and 100+ is strong against offline brute-force attacks. The single biggest lever is length: adding characters multiplies entropy far faster than swapping character sets, which is why a long passphrase can beat a short string full of symbols.

Uniform character selection is a subtle but real security detail. Mapping a raw 32-bit random number onto a character set with a plain modulo introduces modulo bias — when the set size does not evenly divide 2^32, some characters get picked slightly more often, which shrinks true entropy and makes output more predictable. This generator uses rejection sampling instead: random values that would fall into the biased remainder range are discarded and redrawn, so every character in the set is chosen with exactly equal probability. It also guarantees at least one character from each type you select, then shuffles the whole result with the Fisher–Yates algorithm so the guaranteed characters are never pinned to fixed positions where an attacker could exploit the pattern. Excluding ambiguous characters like 0, O, 1, and l trades a little entropy for passwords that are easier to read and type by hand.

Modern guidance from NIST (SP 800-63B) and OWASP favors long passwords or passphrases over forced complexity rules, and recommends screening candidates against known breached password lists. The practical takeaway is a long, random, unique password for every site, kept in a password manager rather than memorized or reused. Because generation happens locally, your password is never transmitted over the network, written to a server log, or stored anywhere — it exists only in your browser tab until you copy it, and closing the tab discards it. That local-only design is why an online generator can still be private: the randomness comes from your own device, and the result never leaves it.

Methodology & sources

Passwords are generated client-side with the platform CSPRNG (crypto.getRandomValues). Characters are drawn uniformly using rejection sampling to eliminate modulo bias, at least one character from each selected type is guaranteed, and the result is shuffled with Fisher–Yates. Strength is reported as Shannon entropy in bits, computed as length × log2(poolSize).

Frequently asked questions

Are these passwords safe — is anything sent to a server?
Nothing leaves your device. Every password is generated locally in your browser using the built-in cryptographically secure RNG (crypto.getRandomValues), and it is never uploaded, logged, or stored anywhere.
How long should my password be?
Longer is stronger because entropy scales with length. With all character types enabled, 12 characters give about 77 bits and 16 characters about 103 bits. Aim for 16 or more (100+ bits) for accounts that matter, and use a unique password per site.
Why use a generator instead of making one up myself?
Human-chosen passwords cluster around predictable patterns that attackers exploit. A CSPRNG-backed generator with unbiased character selection produces genuinely random, high-entropy strings that are far harder to guess or brute-force.

Encoding & Crypto guides

View all