Password Generator
Strong random passwords or memorable passphrases. Generated locally — never sent anywhere.
What is this for?
A good password is one an attacker can't guess and you don't have to remember (because it's stored in your password manager). This generator produces strong random passwords or memorable passphrases entirely in your browser, using crypto.getRandomValues — the same cryptographically secure random source TLS uses. Nothing is transmitted; the password never leaves your device.
When to use it
- Creating a unique password for any new account that goes into a password manager.
- Generating a master password or a recovery passphrase you'll commit to memory — passphrase mode is easier to type and remember.
- Producing a non-human secret for a CI variable, API token, or Wi-Fi network.
- Bulk-generating passwords for a fresh user batch (set count up to 50).
Random characters vs passphrases
- Random characters — most entropy per length. 20 mixed characters ≈ 130 bits. Right for things you paste, not type.
- Passphrases — easier to type and remember. Four words ≈ 40 bits, six words ≈ 60 bits. Right for master passwords, device unlock, and anything you'll enter manually often.
- "Exclude ambiguous" drops 0/O/1/l/I for safer reading from screens or hand-written notes.
How much entropy do I need?
- ≥ 60 bits — fine for low-value accounts
- ≥ 80 bits — good for most accounts
- ≥ 100 bits — high-value (financial, master password, root credential)
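An added example, not this tool's own code: one way to draw characters uniformly from crypto.getRandomValues and to compute the entropy figures quoted above. The symbol set and all function names are assumptions made for the illustration.

```javascript
// Added example: unbiased password generation with the Web Crypto CSPRNG.
// Falls back to Node's webcrypto on runtimes without a global `crypto`.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const LOWER = "abcdefghijklmnopqrstuvwxyz";
const UPPER = LOWER.toUpperCase();
const DIGITS = "0123456789";
const SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"; // constructed set, not the tool's
const AMBIGUOUS = new Set("0O1lI"); // the characters the page lists

function buildAlphabet({ symbols = true, excludeAmbiguous = false } = {}) {
  const all = LOWER + UPPER + DIGITS + (symbols ? SYMBOLS : "");
  return [...all].filter((c) => !(excludeAmbiguous && AMBIGUOUS.has(c))).join("");
}

// Uniform integer in [0, n) by rejection sampling. A plain `byte % n`
// would favour low indexes whenever 256 is not a multiple of n.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n); // largest multiple of n that fits in a byte
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, alphabet) {
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Entropy of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Shortest length that reaches a target such as the 60/80/100-bit tiers.
function lengthForBits(targetBits, alphabetSize) {
  return Math.ceil(targetBits / Math.log2(alphabetSize));
}

const alphabet = buildAlphabet({ excludeAmbiguous: true });
const pw = generatePassword(lengthForBits(100, alphabet.length), alphabet);
console.log(pw, entropyBits(pw.length, alphabet.length).toFixed(1), "bits");
```

The entropy formula only holds when every character is drawn independently and uniformly, which is why the sampler rejects out-of-range bytes instead of reducing them with a modulo.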
Common gotchas
- Don't reuse passwords. The single biggest security upgrade you can make is one unique password per site, stored in a manager. Generator strength is wasted if the same password lives on five sites.
- Don't write generated passwords down without protection. Use a password manager (1Password, Bitwarden, KeePass) — not a Notes app, not a text file, not an email draft.
- Long > complex. A 24-character password using only lowercase letters has more entropy than a 10-character one with every symbol class. Length wins.
- Site-specific rules can break copy-paste. Some sites ban specific symbols or cap length at 16. Annoying but real — generate, then trim/swap to fit if needed (and then store the password you actually set in your manager).
Expert notes
- Length beats complexity, full stop. A 16-character all-lowercase password (~75 bits of entropy) is far stronger than the classic "Tr0ub4dor!" pattern (~28 bits, per the famous xkcd analysis). Cracking time for 75 bits at current GPU rates: longer than the age of the universe. For 28 bits: hours. Length is the only knob that matters at scale.
- Browser crypto.getRandomValues is genuinely random. This tool uses the Web Crypto API, which provides cryptographically-secure randomness backed by the OS entropy pool. Predictability attacks on the generator itself are not realistic. Any concern about password-generator quality should focus on what happens after generation — how it's stored, transmitted, and reused.
- Password manager > remembering > reusing. The single biggest security improvement most users can make is adopting a password manager (Bitwarden, 1Password, KeePass) and never reusing passwords. Reuse is what turns one site's leak into account takeover everywhere. Generated passwords you don't need to remember are the natural fit — the manager handles the memory load.
- "Personalised" passwords are weaker than they look. Birthdays, pet names, addresses, phone numbers — anything an attacker could derive from social media, public records, or a data breach — should never appear in a password. Same with common substitution patterns (a→@, e→3) — every cracking dictionary knows these. Truly random generation is the only safe default.
- 2FA matters more than password strength past a point. A 32-character random password is roughly equivalent in security to a 16-character random password protected by 2FA. The 2FA option is far more resilient against phishing, credential stuffing, and password-database leaks. Where 2FA is offered (it should be everywhere by 2026, but isn't), enable it; the password becomes the second line of defence rather than the only one.