What this password generator does
Every password here is produced inside your browser by crypto.getRandomValues, the operating system’s cryptographic random number generator — the same source of randomness password managers rely on. Nothing is sent anywhere: there are no network requests, no server-side processing and no logs. You could switch off your connection and the tool would keep working. It also uses rejection sampling to remove modulo bias and guarantees at least one character from each enabled type.
How to use it
- Drag the length slider (8 to 64 characters — aim for at least 16).
- Tick the character types the site allows. With all four enabled the alphabet holds 94 characters.
- Hit Regenerate until you get one you like; each result is drawn independently.
- Press Copy and paste it straight into a password manager rather than a notes app or an email draft.
The strength bar reflects entropy in bits: under 50 bits is weak, 50 to 80 is fair, 80 to 110 is strong, and above 110 is excellent.
Entropy: the math behind the strength bar
For a truly random password, strength is measured in bits of entropy: bits = length × log₂(N), where N is the alphabet size. Each extra bit doubles the number of guesses an attacker would need to exhaust every combination. This math only holds for random output — a human-made password like “Summer2026!” follows predictable patterns, so its effective entropy is far below what the formula suggests.
Worked example
Take 20 characters with all four types on. The alphabet is 26 lowercase + 26 uppercase + 10 digits + 32 symbols = 94 characters, and log₂(94) ≈ 6.55 bits per character. That gives 20 × 6.55 ≈ 131 bits — comfortably in the excellent band. The default setting of 16 characters lands at 16 × 6.55 ≈ 105 bits, already strong for any online account.
Length beats complexity
Adding symbols to a letters-only alphabet raises the per-character entropy from 5.70 to 6.55 bits — a modest gain. Adding characters raises total entropy linearly, with no ceiling. A 16-character letters-only password (≈ 91 bits) beats a 10-character password that uses everything (≈ 66 bits). When a site limits which symbols it accepts, just make the password longer.
| Length | Letters only (52) | All four types (94) |
|---|---|---|
| 10 | 57 bits | 66 bits |
| 14 | 80 bits | 92 bits |
| 16 | 91 bits | 105 bits |
| 20 | 114 bits | 131 bits |
| 28 | 160 bits | 184 bits |
Password managers and passkeys
Nobody can memorize dozens of random strings — that’s the job of a password manager. It generates, stores and fills a unique password per site, so one breached service can’t unlock the others. The only thing you memorize is a long master password. Where available, prefer passkeys: a newer standard that replaces passwords entirely with cryptographic key pairs bound to your device and unlocked by fingerprint or face. They can’t be phished.
Frequently asked questions
What’s a good password length?
16 characters or more with several character types (~105 bits) covers everyday accounts. For your primary email, banking or your manager’s master password, go to 20+. If a site enforces a short maximum, enable all four character types to squeeze out extra entropy.
Is it safe to generate a password online?
It depends on where the generation happens. This tool runs entirely client-side: the randomness comes from your own device and the result never leaves it. Be wary of generators that build the password on a server — it would travel over the network and could be logged along the way.
How often should I change my passwords?
Current guidance (NIST) says don’t rotate on a schedule. Change a password only when there’s a reason: a breach at that service, suspicious activity, or you shared it. Forced periodic rotation trains people into weak incremental patterns like appending the year.
What is a passphrase?
A string of words picked at random from a word list — “ostrich-velvet-canyon-drum-lattice” style. Using the diceware method with a 7,776-word list, each word adds about 12.9 bits, so six words reach roughly 77 bits while staying easy to type and remember. It’s the ideal format for the one password you must memorize: your manager’s master password.