Password Generator
Generate strong random passwords with a live entropy-based strength estimate.
4 – 128
1 – 100
About Password Generator
The Password Generator creates cryptographically random passwords using your browser's secure random number generator (Web Crypto), with full control over length and character sets. A live strength meter shows the estimated entropy in bits for your current settings, so you can see exactly how much security a length or character-set change buys you.
Generated passwords never leave your machine — there is no server, no logging and no history. Each password is also guaranteed to contain at least one character from every set you enable, which matters when a signup form enforces "at least one digit and one symbol" and you are generating test credentials that must pass that validation.
How to use
- Set the "Length" (4–128 characters) and "How many" passwords to generate at once.
- Tick the character sets to include: uppercase, lowercase, digits and symbols.
- Optionally exclude ambiguous characters (I, l, 1, O, 0, o) for passwords someone may have to read or type manually.
- Watch the strength meter update, then click "Generate passwords" and copy the results.
Frequently asked questions
Are the passwords really random and safe to use?
They are generated with crypto.getRandomValues — the browser's cryptographically secure random source, the same primitive password managers use — entirely on your device. Nothing is transmitted or stored; once you leave the page the passwords exist only where you pasted them.
What do the entropy bits mean?
Entropy measures how many guesses an attacker would need: each added bit doubles the search space. As a rule of thumb, 60+ bits resists online attacks, and 80+ bits is a solid target for anything protecting real accounts. Length increases entropy faster than adding character sets.
Why exclude ambiguous characters?
In many fonts I, l and 1 (or O, 0 and o) look nearly identical. If a password will be read from a screen, printed or typed by hand — common with test accounts shared across a team — excluding them prevents frustrating transcription failures.