Password Generator

What is a strong password?

A strong password is long, random, and unique to each account. Length matters more than complexity — a 16-character random string is harder to crack than an 8-character one even if both use the same character set. This tool generates passwords using crypto.getRandomValues, the same cryptographically-secure source your browser uses for TLS. Passwords are created locally in your browser and never sent to a server.

How to use this generator

Drag the length slider to the size you want (16+ is recommended for most accounts), tick the character types you need, and click Regenerate as many times as you like. Use the Copy button to send a password to your clipboard. If you need to dictate or hand-write the password, enable Exclude similar to drop ambiguous characters like l, 1, I, O, 0.

Best practices

Store generated passwords in a password manager (1Password, Bitwarden, KeePass, your browser's built-in manager) — don't reuse them across sites. Enable two-factor authentication wherever it's offered. For accounts you must remember (master password, device PIN), use a passphrase of 4+ random words instead — easier to memorise, equally secure at length.

Password entropy by length and charset

Entropy measures how unpredictable a password is. Higher is better; experts consider 80+ bits secure for most use cases.

Length	Character set	Entropy
8	a–z, A–Z, 0–9	~48 bits
12	a–z, A–Z, 0–9	~71 bits
16	a–z, A–Z, 0–9	~95 bits
16	+ symbols	~104 bits
20	+ symbols	~131 bits

Frequently asked questions

Is it safe to generate passwords on this site?

Yes. Generation happens entirely in your browser using crypto.getRandomValues — a cryptographically-secure random source. Passwords never leave your device, are never logged, never sent over the network. You can verify by opening DevTools > Network and clicking Regenerate; you'll see no requests fire.

How long should my password be?

Aim for at least 12 characters; 16+ is better. Below 12 characters, modern hardware can brute-force an alphanumeric password in hours. At 16+ characters with mixed case, numbers, and symbols, brute-force becomes infeasible (centuries even on dedicated hardware). Length adds entropy exponentially — every extra character roughly doubles the search space.

Should I include symbols?

Yes when allowed. Symbols add ~32 extra characters to the alphabet, raising entropy per character. Some sites still impose silly restrictions on which symbols are accepted — if you hit one, increase the length and uncheck Symbols to compensate.

What does "exclude similar characters" mean?

It removes l, 1, I, O, 0 — characters that look alike in many fonts. This is useful for passwords you'll dictate, type from paper, or display on a screen for someone else to copy. The tradeoff is a slightly smaller character set, so add a couple of extra characters to compensate if you turn this on.

What's better — random password or passphrase?

For passwords stored in a password manager, random characters win — shorter and unguessable. For passwords you need to memorise (your master password, device PIN), a 4-6-word passphrase like correct horse battery staple is far easier to recall and provides equivalent security at length.

Can someone crack a 16-character password?

With current hardware, no — not in any reasonable timeframe. A 16-character password drawn from upper+lower+numbers has about 95 bits of entropy; even at 100 billion guesses per second (a top-tier GPU farm), an exhaustive search takes longer than the age of the universe. Real-world risks come from weak service-side hashing, password reuse, or phishing — not the password itself.

Password Generator