Password Generator

Create strong, secure passwords with our powerful online tool. Features include customizable length, character options, strength indicators, and clipboard integration.

Cryptographically secure. Passwords are generated with the Web Crypto API (crypto.getRandomValues) using rejection sampling to eliminate modulo bias — safe for real-world use, not Math.random (which is a non-cryptographic PRNG).

Password Generator Options

Number of Passwords

Password Length: 16

Uppercase (A-Z)

Lowercase (a-z)

Numbers (0-9)

Symbols (!@#$%^&*)

Exclude Similar Characters (e.g. I, l, 1, O, 0)

Include Characters

Exclude Characters

Show Passwords

Results (0 passwords)

Want the background behind this tool? Secure Passwords: Practical Developer Guide

You're signing up for a new service, the password field demands "at least 12 characters with one number and one symbol", and you're about to type something based on your dog's name. Don't. This generator draws bytes from window.crypto.getRandomValues— the browser's CSPRNG — and maps them into the character classes you pick. The result has measurable entropy, no patterns, and no relationship to anything an attacker could phish or guess from your social media.

Generation is local. The password never enters a network request, isn't logged, and disappears the moment you close the tab. Copy it into your password manager and move on.

How to use it

Pick a length — 16+ for most accounts, 20+ for password manager masters and root credentials.
Toggle character classes — uppercase, lowercase, digits, symbols. Disable symbols only when a system literally rejects them.
Generate a batchif you're seeding test fixtures or onboarding multiple service accounts.
Exclude similar characters (l 1 I O 0) when anyone might have to read or type the password manually.
Copy or download the result and paste it into your password manager — never email it, never put it in a chat log.

Entropy cheat sheet

Entropy is the number of bits of randomness in the password — basically log2(pool_size^length). Each extra bit doubles the brute-force effort.

Length	Pool	Entropy	Crack at 1T guesses/sec
8	a-z (26)	~37 bits	~2 minutes
8	A-Za-z0-9 (62)	~47 bits	~36 hours
12	+symbols (94)	~78 bits	~9 billion years
16	+symbols (94)	~104 bits	Heat death of sun
6 words	diceware (7776)	~77 bits	~5 billion years

The "1T guesses/sec" figure is for a fast offline crack against a leaked hash. Online services with rate limiting are far slower, so even a weakish password takes years to crack — but assume every database eventually leaks and plan for the offline attacker.

Random passwords vs. diceware passphrases

A passphrase like correct-horse-battery-staple(XKCD #936) draws 5-6 words from a 7,776-word wordlist (Diceware). Six words give ~77 bits of entropy — comparable to a 12-character random password — but they're dramatically easier to memorize and type on a phone keyboard. Use diceware for passwords you have to remember (password manager master, full-disk encryption, recovery seed for accounts you might lose access to). Use the random generator for everything that lives inside a password manager and you'll never actually type.

Threats your password defends against

Credential stuffing — reusing the same password across services means a leak on one site cracks your account on every other site. Unique passwords per service is the single biggest win.
Dictionary attacks — attackers try millions of common passwords (rockyou.txt, breach compilations) before brute-forcing. Random output side-steps this entirely.
Pattern-based guessing — Markov models trained on leaked passwords predict next characters with surprising accuracy. True randomness defeats this.
GPU brute force — modern GPUs hash billions of candidates per second against MD5/SHA-1 leaks. 16+ character output makes the search space too large to enumerate.

What this doesn't protect against

Phishing pages that capture your real password as you type it. Keyloggers on compromised machines. Server-side breaches that leak plaintext or weakly hashed passwords. Social engineering. SIM-swap attacks against SMS 2FA. The fix for these is hardware security keys (YubiKey, passkeys), a password manager that auto-fills only on the correct domain, and disabling SMS 2FA wherever you can swap it for TOTP or WebAuthn.

Frequently asked questions

Q: Why is Math.random() not safe for passwords?

Math.random()uses a PRNG (typically xorshift128+ in V8) designed for speed, not unpredictability. The output is statistically uniform but its internal state can be recovered by observing a few outputs, after which all future and past outputs are deterministic. The Web Crypto API's crypto.getRandomValues() sources from the OS entropy pool (/dev/urandom, BCryptGenRandom), which is designed to be unpredictable even to a determined attacker.

Q: How long does a 16-character password actually last against brute force?

Against a modern offline GPU rig hashing SHA-256 at ~100 GH/s, a 16-char password from a 94-symbol pool (104 bits) takes longer than the heat death of the sun. Against bcrypt with cost 12 (~100 hashes/sec), the same password is unbreakable in any realistic timeframe. The variable is the hashing algorithm on the server side, not the password — which is why reused passwords are far more dangerous than "weak" ones.

Q: Should I rotate passwords every 90 days?

No. NIST SP 800-63B explicitly recommends against scheduled rotation because it leads users to pick weaker passwords with predictable increments (Password1 → Password2). Rotate only when you have evidence of compromise: a breach notification, a haveibeenpwned hit, or a suspicious login. Otherwise, use a long unique password per service and a password manager and leave them alone.

Q: My bank requires exactly 8-12 characters and no symbols — what do I do?

Use the maximum length allowed and the largest character set permitted, enable 2FA (preferably hardware key or TOTP, not SMS), and pressure the bank to fix their policy — it's 2026 and that requirement suggests they truncate or insecurely store passwords. In the meantime, store the password in a manager so a leak there doesn't cascade, and watch for unusual activity.

Q: Is "Exclude similar characters" weakening my password?

Slightly — you're shrinking the character pool from 94 to ~88, which costs about 0.1 bit of entropy per character. For a 16-char password, that's ~1.5 bits less, which is irrelevant in practice. Enable it whenever a human has to read the password aloud or type it on an unfamiliar keyboard.

Q: Are passkeys going to replace passwords?

For most consumer accounts, yes. Passkeys (WebAuthn) are tied to a device-stored key pair, sync via Apple/Google/Microsoft, and resist phishing because the browser only signs for the legitimate domain. Use passkeys wherever offered, but keep generating strong passwords for the long tail of services that don't support WebAuthn yet — and for recovery flows when you lose your devices.

Related guides

Secure Passwords: Practical Developer Guide

What entropy, length, uniqueness, and randomness actually buy you, plus the password manager habits that prevent one breach from becoming many.

Bcrypt vs Argon2: Password Hashing Guide

Why bcrypt remains common despite Argon2 winning the PHC competition. Cost factor tuning, salting, scrypt and PBKDF2 alternatives, and how to migrate without forcing reset emails.

Related Tools

QR Code Generator

Generate QR codes for URLs, WiFi, VCard, Email, Phone and more with customization.

Secure Passwords: Practical Developer Guide8 min read Understanding Hash Functions: MD5 vs SHA-256 Explained9 min read Regular Expressions for Beginners: A Practical Guide with Examples12 min read