QA Toolbox

Password Generator

Generate strong random passwords with a live entropy-based strength estimate.

4 – 128

1 – 100

Estimated strengthVery strong · ~102 bits of entropy

About Password Generator

The Password Generator creates cryptographically random passwords using your browser's secure random number generator (Web Crypto), with full control over length and character sets. A live strength meter shows the estimated entropy in bits for your current settings, so you can see exactly how much security a length or character-set change buys you.

Generated passwords never leave your machine — there is no server, no logging and no history. Each password is also guaranteed to contain at least one character from every set you enable, which matters when a signup form enforces "at least one digit and one symbol" and you are generating test credentials that must pass that validation.

How to use

  1. Set the "Length" (4–128 characters) and "How many" passwords to generate at once.
  2. Tick the character sets to include: uppercase, lowercase, digits and symbols.
  3. Optionally exclude ambiguous characters (I, l, 1, O, 0, o) for passwords someone may have to read or type manually.
  4. Watch the strength meter update, then click "Generate passwords" and copy the results.

Frequently asked questions

Are the passwords really random and safe to use?

They are generated with crypto.getRandomValues — the browser's cryptographically secure random source, the same primitive password managers use — entirely on your device. Nothing is transmitted or stored; once you leave the page the passwords exist only where you pasted them.

What do the entropy bits mean?

Entropy measures how many guesses an attacker would need: each added bit doubles the search space. As a rule of thumb, 60+ bits resists online attacks, and 80+ bits is a solid target for anything protecting real accounts. Length increases entropy faster than adding character sets.

Why exclude ambiguous characters?

In many fonts I, l and 1 (or O, 0 and o) look nearly identical. If a password will be read from a screen, printed or typed by hand — common with test accounts shared across a team — excluding them prevents frustrating transcription failures.

Related tools