What Is This Tool?
A password generator creates random passwords that are far stronger than anything a human invents. People choose memorable patterns — names, dates, keyboard walks — and attackers know every one of those patterns. A random 16-character password from a full character set has around 100 bits of entropy, which is beyond any realistic brute-force attack.
This generator uses the Web Crypto API (the same secure randomness your operating system uses for encryption keys), guarantees at least one character from every set you select, and shows an entropy-based strength estimate so you can see the effect of each option.
Why Use It?
- Truly random: cryptographically secure randomness, not the predictable Math.random().
- Fully offline — the password is generated on your device and never transmitted anywhere.
- Custom length (6–64) and character sets to match any website's password rules.
- "Exclude ambiguous characters" option (0/O, 1/l/I) for passwords you may need to read or type manually.
- Live strength meter based on real entropy, not arbitrary color bars.
How to Use
- Set the desired length with the slider (16+ recommended).
- Tick the character types you want — the more types, the stronger the password.
- Optionally exclude ambiguous characters if you'll type the password by hand.
- Click "Generate Password" (a new one also appears whenever you change an option).
- Click "Copy" and store it in a password manager.
Example
Input
Length: 16, all character types enabledOutput
K7#mQv9!xR2pWz@eAbout 105 bits of entropy — a modern GPU cluster would need longer than the age of the universe to brute-force it.
Frequently Asked Questions
Is it safe to generate a password on a website?
On this one, yes — generation happens entirely in your browser using the Web Crypto API. No network request carries the password; you can even load the page, disconnect from the internet, and generate offline.
How long should my password be?
16 characters with mixed types is a strong default for important accounts. 12 is an acceptable minimum. Length matters more than complexity: a longer password beats a shorter one with more symbols.
What does the strength estimate mean?
It's entropy: the number of bits an attacker must guess. Each added bit doubles the guessing work. Under 45 bits is weak, 70+ is strong for online accounts, and 100+ resists even offline attacks on stolen password hashes.
Should I use the same generated password on several sites?
No. When one site is breached, attackers try the leaked password everywhere else. Generate a unique password per site and keep them in a password manager — that's what managers are for.
Why exclude ambiguous characters?
Characters like 0/O and 1/l/I look identical in many fonts. If you'll ever read the password aloud or type it from paper, excluding them prevents frustrating mistakes. It slightly reduces entropy, which the strength meter reflects honestly.