How to use Password Generator
What it does & when you need it
You need a password for a new database user, a service account, or a personal login, and you want it long and genuinely random rather than another variation of a phrase you already reuse. This generator builds one from the character classes you pick — lowercase, uppercase, digits, and symbols — using your browser's cryptographic random source. Nothing is generated on a server and nothing is transmitted, so the secret exists only in the tab in front of you until you copy it somewhere safe.
How to use
- Set the Length with the slider or the number box (4–128). For anything protecting real data, 16 or more is a sensible floor.
- Toggle the character classes you want — a-z, A-Z, 0-9, !@#$ — and flip No look-alikes if the password will be typed or dictated.
- A password appears immediately. Press Generate (or
Ctrl/Cmd+Enter) to roll a fresh one with the same settings, and Sample to load a strong 24-character preset. - Use Copy to grab it, then paste it straight into your password manager. Clear wipes the field when you are done.
Things worth knowing
Entropy is the number that matters, and it is arithmetic. The strength of a
random password is length × log2(alphabet size) bits. Turn on all four classes
and you get a 94-symbol alphabet, so a 16-character password carries about 104
bits of entropy. That is roughly 2^104 possibilities — far beyond what any
offline brute-force rig can enumerate in a human lifetime. The status bar under
the output shows the live bit count so you can watch it move as you change
settings.
Length beats complexity, almost always. Because entropy scales with length, adding a single character multiplies the search space by the full pool size (×94 with every class on), while swapping one letter for a symbol barely nudges the total. A 24-character lowercase-only string beats a 10-character everything-on string handily. When you have to choose, make it longer before you make it fancier — a truism the strength meter on Password Strength will confirm if you paste the results in.
The randomness comes from a CSPRNG, not Math.random. Every character is
drawn from crypto.getRandomValues, the Web Crypto cryptographically secure
generator. Math.random is fast but predictable — its internal state can be
recovered from a handful of outputs — so it must never produce secrets. This
tool also uses rejection sampling when mapping random bytes onto the alphabet, so
no character is subtly more likely than another (the naive modulo approach biases
toward the start of the pool). At least one character from each class you enable
is guaranteed, then the whole string is shuffled so those picks are not stuck in
predictable positions.
"No look-alikes" trades a little entropy for fewer typos. Excluding the
ambiguous glyphs l 1 I and O 0 o shrinks a full pool from 94 symbols to 88,
which costs a fraction of a bit per character. In return you avoid the classic
transcription errors that happen when a password is read aloud over a phone,
copied off a screen, or typed on a keypad where zero and capital-O look
identical. For machine-to-machine secrets that live only in a config file, leave
it off and keep the extra entropy.
If you need identifiers rather than secrets, reach for the UUID Generator; and when you want to fingerprint or verify a value instead of create one, the Hash Generator computes SHA and MD5 digests entirely in the browser.