Why Use a Password Generator?
Human-chosen passwords are predictable. Studies of leaked password databases consistently show that people pick names, dates, keyboard patterns, and dictionary words — patterns that attackers exploit first. A cryptographically random password removes all predictability.
How This Tool Works
All generation runs locally in your browser using the Web Crypto API (crypto.getRandomValues()). This API draws from the operating system’s entropy pool — the same source used by TLS, SSH key generation, and professional password managers. No data is sent to any server.
Choosing the Right Settings
| Goal | Recommended Settings |
|---|---|
| Email / social media | 16 chars, all sets (A–Z, a–z, 0–9, symbols) |
| Banking / finance | 20+ chars, all sets |
| Master password | 6-word passphrase or 24+ chars |
| API keys / secrets | 32 chars, all sets |
| Child-friendly | Passphrase mode, 4 words, space separator |
Understanding Password Strength
Strength is measured in bits of entropy: each additional bit doubles the number of equally likely passwords an attacker would have to search.
| Strength | Bits | Example |
|---|---|---|
| Very Weak | < 28 | pass123 |
| Weak | 28–35 | 8 lowercase letters |
| Moderate | 36–59 | 10 mixed chars |
| Strong | 60–127 | 16 chars, all sets |
| Very Strong | 128+ | 24+ chars, all sets |
For accounts that matter, aim for Strong (60+ bits) or better.
Password vs. Passphrase
Passwords — random character strings like Kx9#mQ2vPn!4 — are highly secure but hard to remember. They are best stored in a password manager.
Passphrases — sequences of random words like bolt-cool-hawk-firm — are easier to type and remember while still being much stronger than typical human-chosen passwords. A 6-word passphrase from a large word list can exceed 70 bits of entropy.
Best Practices
- Use a password manager — generate and store unique passwords for every account. Never reuse.
- Enable two-factor authentication (2FA) — a strong password plus 2FA is far harder to compromise than either alone.
- Never share passwords — not via email, SMS, or messaging apps. Use a password manager’s sharing feature if needed.
- Update after breaches — check services like Have I Been Pwned to see if your credentials appeared in a leak, then rotate those passwords.
- Avoid password hints — security questions with answers you actually know reduce security. Use random answers stored in your password manager.
Why crypto.getRandomValues() Is Secure
Standard Math.random() is a pseudo-random number generator (PRNG) seeded with a predictable value — it is not suitable for security purposes. crypto.getRandomValues() uses the OS entropy pool, which collects unpredictable data from hardware events, timing jitter, and other sources. This is the same foundation used by cryptographic libraries worldwide.
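The sketch below is an added example, not this tool's source code. It shows one way to turn crypto.getRandomValues() output into a password without modulo bias, and how the entropy figures in the strength table can be computed. The function names, the 23-character symbol set and the rejection-sampling step are assumptions made for illustration.

```javascript
// Added example; names and the symbol set are assumptions, not the tool's code.
// Browsers expose `crypto` globally; the fallback covers Node.js without it.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const SETS = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?", // constructed set of 23 symbols
};
const ALL_SETS = SETS.upper + SETS.lower + SETS.digits + SETS.symbols; // 85 chars

// Uniform integer in [0, n). A bare `value % n` favours low results whenever
// 2^32 is not a multiple of n, so out-of-range draws are discarded and retried.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError("bad n");
  const limit = Math.floor(2 ** 32 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, alphabet = ALL_SETS) {
  const chars = [...new Set(alphabet)]; // drop duplicates so every char is equally likely
  if (chars.length < 2) throw new RangeError("alphabet too small");
  let out = "";
  for (let i = 0; i < length; i++) out += chars[randomIndex(chars.length)];
  return out;
}

// Bits of entropy for `count` independent uniform picks from `poolSize` options.
function entropyBits(count, poolSize) {
  return count * Math.log2(poolSize);
}

console.log(generatePassword(16), entropyBits(16, ALL_SETS.length).toFixed(1), "bits");
```

The same function covers passphrases: entropyBits(6, 7776), six words from a 7,776-word list (an assumed list size), gives about 77.5 bits, consistent with the passphrase figure above.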
Privacy
This tool makes zero network requests. Open your browser’s Developer Tools → Network tab and click Generate — you will see no outgoing connections. Your passwords are generated on your device and are never transmitted, logged, or stored anywhere.