Password Generator
Generate strong, cryptographically secure random passwords in your browser.
Written by Golam Rabbani, Founder & Lead Engineer
How to use this password generator
- Set the desired password length in the "Length (4–128)" field.
- Check or uncheck character classes: Uppercase (A–Z), Lowercase (a–z), Digits (0–9), Symbols (!@#…).
- Optionally tick "Exclude similar characters" to drop I, l, 1, O, and 0 from the alphabet.
- Enter how many passwords you need in the "Count (1–20)" field.
- Click Generate to produce the passwords, then click Copy all to copy them to your clipboard.
About this password generator
The password generator produces cryptographically random passwords of any length from 4 to 128 characters, drawn from whichever character classes you enable. The result panel shows the generated passwords alongside the entropy in bits and the effective alphabet size, so you can verify strength at a glance.
Entropy is calculated as length × log₂(alphabet size). The tool builds the working alphabet from the checked character classes — up to 94 printable ASCII characters when all four classes are enabled — then calls crypto.getRandomValues with rejection sampling to eliminate modulo bias. Rejection sampling discards any drawn value that would cause the last partial block of the alphabet to be over-represented, so every character has a perfectly equal probability of being chosen. Math.random, by contrast, uses a deterministic pseudo-random algorithm seeded from the system clock and is unsuitable for security-critical strings.
As a worked example, a 16-character password drawn from all 94 printable ASCII characters produces 16 × log₂(94) ≈ 105 bits of entropy — well above the ~80 bits commonly cited as the threshold for resistance to offline brute-force attacks. Ticking "Exclude similar characters" removes 5 glyphs (I, l, 1, O, 0) to make passwords easier to read aloud or type from a screen, reducing the alphabet to 89 characters and lowering entropy by roughly 0.9 bits per character, a negligible trade-off for most use cases.
Every calculation runs entirely in your browser using the Web Crypto API. No password is ever transmitted to a server or written to a log.
FAQ
- What does the entropy figure mean in a password generator?
- Entropy measures unpredictability in bits: entropy = length × log₂(alphabet size). A 16-character password from a 94-character alphabet has ~105 bits of entropy, meaning an attacker would need to try 2¹⁰⁵ combinations on average to guess it by brute force.
- Why does this tool use crypto.getRandomValues instead of Math.random?
- Math.random produces a deterministic sequence seeded from a predictable source, making it unsuitable for secrets. crypto.getRandomValues draws from the operating system's cryptographically secure entropy pool, so the output cannot be predicted even if an attacker knows the platform or timing.
- When should I use a passphrase instead of a random password?
- Passphrases (e.g. four random words) are easier to memorise and type while still achieving high entropy. Random character passwords are better where storage is in a password manager and you never need to type them manually — which is the more common case for most accounts today.
- Does this tool store or send the passwords it generates?
- No. The password generator runs entirely in your browser via the Web Crypto API. Nothing is sent to a server, written to a database, or logged. Closing or refreshing the page clears all generated output.
- What password length is recommended in 2026?
- NIST SP 800-63B and most current guidance recommend at least 15–16 characters for general-purpose accounts and 20+ for high-value targets like master passwords and SSH keys. Using a password manager lets you use the full 16–32 character range without memorisation burden.
- Is the password generator free?
- Yes. It is free to use with no signup, no account, and no usage limit.