About Password Generator
Generate strong, random passwords with custom length and character rules. Free secure password generator that runs locally in your browser — nothing is sent to any server.
How to use
- Set the length first — it matters more than every other setting combined. 12 characters is the modern minimum for general accounts; 16+ for email, banking, password manager master passwords, and anything that recovers other accounts. Concrete entropy targets per NIST SP 800-63B: 12 chars with all character types ≈ 78 bits, 16 chars ≈ 104 bits, 20 chars ≈ 130 bits. Online accounts need 50+ bits (rate limiting protects you); offline-stealable hashes need 80+ bits to survive GPU cracking.
- Toggle character classes: uppercase A-Z (26 chars), lowercase a-z (26), digits 0-9 (10), symbols !@#$%^&* (~32). All four enabled gives a 94-character pool — the per-character entropy is log2(94) ≈ 6.55 bits. Drop symbols and you fall to log2(62) ≈ 5.95 bits per character; you have to add 1-2 length to compensate. Some legacy systems reject symbols entirely; if a site rejects your password, lengthen instead of weakening.
- Enable "exclude similar characters" if the password will ever be typed manually — this strips visually-confusable pairs like 0/O/o, 1/l/I, and 5/S. You lose a tiny amount of entropy (the pool shrinks by ~6 chars) but avoid the typing errors that would otherwise lock you out. For copy-paste-only passwords stored in a password manager, leave this off and keep maximum entropy.
- Click Generate. The tool draws from crypto.getRandomValues() — the browser's CSPRNG, seeded from the OS entropy pool (the same source TLS keys come from). This is fundamentally different from Math.random(), a non-cryptographic PRNG (Mersenne Twister or xorshift, depending on the engine) whose internal state can be recovered after observing 624 outputs. Never use Math.random() for anything security-related; this tool does not.
- Verify the entropy estimate displayed alongside the password. The bar should read 80+ bits for serious use; below 60 bits and you should lengthen or add character types. Length contributes more entropy per character added than enabling another character class — going from 12 to 16 chars adds ~26 bits, while enabling symbols on a 12-char password adds only ~7 bits.
- Click Copy and paste straight into your password manager (Bitwarden, 1Password, KeePass, or browser-built-in). Do not memorize it — memorization defeats the purpose. The whole strategy is: one strong, memorable master password (use a 6-word Diceware passphrase, ~77 bits) that unlocks the vault, plus unique random passwords for every account. The average user has 80-100 accounts; no human can memorize 80 random 16-char strings.
- Pair with two-factor authentication (TOTP via authenticator app — RFC 6238 — or hardware key like YubiKey using FIDO2/WebAuthn). 2FA is more important than password complexity for online accounts because it protects against credential stuffing and phishing in ways no password length can. NIST guidance since 2017 explicitly stops recommending periodic password rotation — change passwords only on suspected compromise, not every 90 days.
Frequently asked questions
How long should a password be?
At least 12 characters for general accounts and 16 or more for high-value accounts. Password length is the single most important factor in resistance to brute-force attacks. A 12-character password using all character types has approximately 72 bits of entropy, while a 16-character password has approximately 98 bits. At current computing speeds, 72 bits takes decades to brute-force, while 98 bits is infeasible with any foreseeable technology. NIST Special Publication 800-63B recommends supporting passwords up to 64 characters or more.
What makes a password strong?
Three factors: length, character diversity, and true randomness. A strong password should be at least 12 characters long, use a mix of uppercase, lowercase, numbers, and symbols, and be generated by a cryptographic random number generator — not chosen by a human. Human-chosen passwords are predictable: we tend to capitalize the first letter, put numbers at the end, and substitute obvious characters like @ for 'a'. Attackers know all of these patterns and test for them first.
Is it safe to generate passwords here?
Yes. This tool uses the Web Crypto API (crypto.getRandomValues()), a built-in browser feature that generates cryptographically secure random numbers using your operating system's entropy pool. No password data is ever transmitted over the network — the entire generation process happens locally on your device. The generated password exists only in your browser's memory until you copy it. For maximum security, close the tab after copying.
Passphrase vs password?
A passphrase is a sequence of random words (e.g., 'correct-horse-battery-staple') rather than random characters. Passphrases are significantly easier to memorize and type, making them ideal for master passwords that you need to enter manually. A 4-word passphrase from a 7,776-word dictionary (Diceware standard) has about 51 bits of entropy, while a 6-word passphrase has 77 bits. For accounts where you copy-paste from a password manager, random character passwords are more compact and offer higher entropy per character.
How often should I change passwords?
NIST (the National Institute of Standards and Technology) updated its guidelines in 2017 to explicitly recommend against routine password rotation. Frequent mandatory changes lead to weaker passwords because users resort to predictable patterns (Password1, Password2, Password3). Instead, change a password only when there is evidence of compromise — such as a data breach notification, suspicious account activity, or if you shared the password with someone. Focus your security effort on using unique passwords for every account and enabling two-factor authentication (2FA).
What is password entropy and how much do I need?
Entropy measures the unpredictability of a password in bits. Each bit doubles the number of possible passwords an attacker must try. A password with 40 bits of entropy has about 1 trillion possibilities; 80 bits has about 1.2 septillion. For online accounts (where rate limiting slows attackers), 40-50 bits is often sufficient. For offline attacks (where an attacker has a stolen password hash and can try billions of guesses per second), you need 80+ bits. This generator shows the estimated entropy for each password it creates.
Why should I use a password manager?
The average person has 80-100 online accounts, and every account should have a unique, randomly generated password. No human can memorize that many passwords, which is why password managers exist. A password manager stores all your passwords in an encrypted vault secured by one master password. Leading options include Bitwarden (free and open-source), 1Password, KeePass (offline), and the built-in managers in Chrome, Firefox, and Safari. Using a password manager with this generator is the single most effective thing you can do for your online security.
Are generated passwords more secure than ones I make up?
Yes, dramatically so. Humans are terrible at generating randomness — we gravitate toward dictionary words, names, dates, keyboard patterns (qwerty, 123456), and simple substitutions (p@ssw0rd). Attackers have massive dictionaries of these patterns and test them first. A truly random 12-character password generated by a cryptographic RNG has far more entropy than a 20-character human-chosen password because it contains no exploitable patterns. Let the machine handle randomness and let your password manager handle storage.
Part of ToolFluency’s library of free online tools for Developer Tools. No account needed, no data leaves your device.