devtools

Password Generator

Generate strong, random passwords in your browser with adjustable length, character sets, and a live entropy readout. Private and offline, nothing is sent.

Runs entirely in your browser — your data never leaves your device.

How to use Password Generator

What it does & when you need it

You need a password for a new database user, a service account, or a personal login, and you want it long and genuinely random rather than another variation of a phrase you already reuse. This generator builds one from the character classes you pick — lowercase, uppercase, digits, and symbols — using your browser's cryptographic random source. Nothing is generated on a server and nothing is transmitted, so the secret exists only in the tab in front of you until you copy it somewhere safe.

How to use

  1. Set the Length with the slider or the number box (4–128). For anything protecting real data, 16 or more is a sensible floor.
  2. Toggle the character classes you want — a-z, A-Z, 0-9, !@#$ — and flip No look-alikes if the password will be typed or dictated.
  3. A password appears immediately. Press Generate (or Ctrl/Cmd + Enter) to roll a fresh one with the same settings, and Sample to load a strong 24-character preset.
  4. Use Copy to grab it, then paste it straight into your password manager. Clear wipes the field when you are done.

Things worth knowing

Entropy is the number that matters, and it is arithmetic. The strength of a random password is length × log2(alphabet size) bits. Turn on all four classes and you get a 94-symbol alphabet, so a 16-character password carries about 104 bits of entropy. That is roughly 2^104 possibilities — far beyond what any offline brute-force rig can enumerate in a human lifetime. The status bar under the output shows the live bit count so you can watch it move as you change settings.

Length beats complexity, almost always. Because entropy scales with length, adding a single character multiplies the search space by the full pool size (×94 with every class on), while swapping one letter for a symbol barely nudges the total. A 24-character lowercase-only string beats a 10-character everything-on string handily. When you have to choose, make it longer before you make it fancier — a truism the strength meter on Password Strength will confirm if you paste the results in.

The randomness comes from a CSPRNG, not Math.random. Every character is drawn from crypto.getRandomValues, the Web Crypto cryptographically secure generator. Math.random is fast but predictable — its internal state can be recovered from a handful of outputs — so it must never produce secrets. This tool also uses rejection sampling when mapping random bytes onto the alphabet, so no character is subtly more likely than another (the naive modulo approach biases toward the start of the pool). At least one character from each class you enable is guaranteed, then the whole string is shuffled so those picks are not stuck in predictable positions.

"No look-alikes" trades a little entropy for fewer typos. Excluding the ambiguous glyphs l 1 I and O 0 o shrinks a full pool from 94 symbols to 88, which costs a fraction of a bit per character. In return you avoid the classic transcription errors that happen when a password is read aloud over a phone, copied off a screen, or typed on a keypad where zero and capital-O look identical. For machine-to-machine secrets that live only in a config file, leave it off and keep the extra entropy.

If you need identifiers rather than secrets, reach for the UUID Generator; and when you want to fingerprint or verify a value instead of create one, the Hash Generator computes SHA and MD5 digests entirely in the browser.

Examples

Strong all-purpose password

length: 20, lowercase, uppercase, digits, symbols

A 20-character password from the full 94-symbol pool, about 131 bits of entropy.

Human-friendly, no look-alikes

length: 24, lowercase, uppercase, digits (avoid ambiguous)

Longer and symbol-free with ambiguous glyphs removed, easy to type or dictate.

Numeric passcode

length: 12, digits

A 12-digit numeric code for PIN-style fields that only accept numbers.

Frequently asked questions

How long should a generated password be?

For anything protecting real data, use at least 16 characters. With all four character classes enabled that yields roughly 104 bits of entropy, which is far beyond offline brute-force reach. Go longer for high-value accounts or master passwords.

Does this generator send my password anywhere?

No. Every password is created locally with your browser's Web Crypto generator and never leaves the page. There is no network request, so the secret exists only in your tab until you copy it into a password manager.

What makes a password stronger, length or symbols?

Length. Entropy grows as length times log2 of the alphabet size, so adding one character multiplies the search space by the whole pool, while swapping a letter for a symbol barely changes the total. Make it longer before you make it fancier.

Does the tool use a secure random source?

Yes. It draws from crypto.getRandomValues, the cryptographically secure generator, not Math.random. It also uses rejection sampling when mapping bytes onto the alphabet so no character is more likely than another due to modulo bias.

What does "avoid look-alikes" do?

It removes the ambiguous glyphs l, 1, I, O, 0 and o from every class. That shrinks a full pool from 94 to 88 symbols, a tiny entropy cost, in exchange for far fewer typos when the password is read aloud or typed by hand.

Can I generate a password without symbols?

Yes. Turn off the symbols class if a system rejects punctuation, and the generator will still guarantee at least one character from each remaining class you leave enabled. You can restrict it to digits only for a numeric passcode too.