Password Generator
Generate strong, customizable passwords.
Generated locally using the Web Crypto API. Nothing is ever sent anywhere.
About Password Generator
A password generator that uses the Web Crypto API for proper randomness, never sends data anywhere, and lets you generate up to 30 passwords at a time.
Why we built it
Most online password generators run on remote servers — which is a terrible place to generate passwords. This one runs entirely in your browser using Web Crypto.
How to use
1. Pick a password length (recommended: 16+).
2. Toggle uppercase, numbers and symbols as needed.
3. Hit Generate and copy with one click.
A password is only as good as the entropy behind it. "Tr0ub4dor&3" — the canonical "strong" password from xkcd 936 — has about 28 bits of entropy because the structure is so predictable. A truly random 16-character password using all 95 printable ASCII characters has about 105 bits of entropy: a brute-force attack at a trillion guesses per second would take longer than the age of the universe. This generator uses cryptographically secure randomness so what you get is real entropy, not theatrical complexity.
The Web Crypto API, and why we use it
Browser JavaScript has two random number generators. `Math.random()` is fast and convenient but uses a non-cryptographic PRNG — its output is statistically random but predictable to an attacker who can observe a few outputs. `crypto.getRandomValues()` is part of the Web Crypto API and is backed by the operating system's entropy pool, the same source TLS session keys come from. This generator uses the second one. There is no scenario in which `Math.random()` is acceptable for password generation.
Length, character set, and entropy
Entropy per character equals log₂(charset size). Lowercase alphabet is log₂(26) ≈ 4.7 bits. Lowercase + uppercase is log₂(52) ≈ 5.7 bits. Add digits: log₂(62) ≈ 5.95 bits. Add all printable symbols: log₂(95) ≈ 6.57 bits. Multiply by length. A 12-character password with the full keyboard charset is ~79 bits; a 16-character one is ~105 bits; a 20-character one is ~131 bits. Anything past ~80 bits is brute-force-resistant against any plausible adversary, including state actors with unlimited budgets. Pad past that for a margin.
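An added example, not the site's own code: one way to generate a password with `crypto.getRandomValues()` and compute its entropy with the formula above. The option names, the space character counted among the symbols, and the rejection-sampling step (which avoids the bias of a plain `byte % n`) are assumptions that go beyond what the page describes.

```javascript
// Web Crypto is a browser global; the fallback covers older Node.js outside a browser.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Build the character set from toggles like the page's (option names are assumptions).
function buildCharset({ upper = true, digits = true, symbols = true } = {}) {
  let set = "";
  for (let c = 0x20; c <= 0x7e; c++) {          // the 95 printable ASCII characters
    const ch = String.fromCharCode(c);
    if (/[a-z]/.test(ch)) set += ch;            // lowercase is always included
    else if (/[A-Z]/.test(ch)) { if (upper) set += ch; }
    else if (/[0-9]/.test(ch)) { if (digits) set += ch; }
    else if (symbols) set += ch;                // 33 symbols, space included
  }
  return set;
}

// Entropy in bits of a uniformly random password: length * log2(charset size).
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

// Draw characters uniformly. Bytes >= limit are discarded, because `byte % n`
// alone would favour the first 256 % n characters of the set.
function generatePassword(length, charset) {
  const n = charset.length;
  if (!Number.isInteger(length) || length < 1) throw new RangeError("bad length");
  if (n < 2 || n > 256) throw new RangeError("charset must have 2..256 characters");
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(length * 2);
  let out = "";
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out += charset[b % n];
    }
  }
  return out;
}

// How many byte values map to each character index under plain `byte % n`.
function moduloPreimages(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}

const full = buildCharset();
console.log(generatePassword(16, full), entropyBits(16, full.length).toFixed(1));
```

`moduloPreimages(95)` shows why the rejection step matters: without it, the first 66 characters of the set would each be selected by 3 byte values and the remaining 29 by only 2.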
Length always beats complexity
A 20-character all-lowercase password (94 bits) is stronger than a 12-character password with mixed case, digits, and symbols (79 bits). When systems force "must include a symbol and a digit and a capital", they often reduce the real variety per character, because people predictably add `!` and `1`. If you can pick length, pick length. Passphrases (four to six random dictionary words) are a great alternative: diceware-style passphrases at six words have about 78 bits of entropy and are far easier to type or remember.
Where these passwords should live
Not in a spreadsheet, not in Notes.app, not in a `.env` file you keep meaning to encrypt. Generate the password here, then put it in a password manager: 1Password, Bitwarden, Apple Passwords (the macOS/iOS-native one is genuinely good as of 2026), or Proton Pass. The password manager remembers it; you remember the manager's master password (which should be 20+ characters and not reused anywhere). Never reuse passwords across sites. That single rule prevents most practical account takeovers, which come from credential-stuffing attacks that replay credentials leaked in one site's breach against another site.
Frequently asked questions
Quick answers to the questions people actually ask about Password Generator.
Are these passwords actually secure?
Yes — they use the Web Crypto API's `crypto.getRandomValues()`, which is a cryptographically secure pseudo-random number generator backed by the operating system's entropy pool. It's the same primitive your browser uses to generate TLS session keys. We do not use `Math.random()`, which is not safe for passwords or secrets.
How long should my password be?
Length beats character variety. A 16-character password with mixed case, numbers, and symbols has roughly 100 bits of entropy — uncrackable by anything that exists today. A 20-character one is comfortably future-proof. For master passwords (password managers, encryption), go to 24+. Avoid anything under 12 unless the site arbitrarily caps it.
Should I include symbols?
If the site accepts them, yes — each additional character class roughly doubles the search space per position. But length matters more than character variety. A 24-character all-lowercase password is stronger than a 10-character one with every symbol on your keyboard. Some legacy systems break on certain symbols (`'`, `"`, `\`) — if a password seems to fail, try regenerating without those.
Is the password ever sent anywhere?
Never. Generation, the strength meter, and the copy-to-clipboard action all run locally. No analytics call. No "check if this password has been leaked" lookup. If you want to verify it against haveibeenpwned, do that yourself — we deliberately don't.
Can I generate passwords in bulk?
Yes — flip on bulk mode and pick a count up to 30. Each password is generated with a fresh call to `crypto.getRandomValues()`. Useful for seeding test accounts, creating per-service passwords for a manager you're populating, or generating temporary credentials.
What's a strong password manager pairing?
Generate the password here, save it to 1Password, Bitwarden, or Apple Passwords (the built-in macOS/iOS one is solid in 2026). Never reuse passwords across sites. That single rule prevents 90% of practical account takeovers, which come from credential stuffing with credentials leaked in breaches.