Skip to main content

Password Generator

Generate secure random passwords with custom length, character types, and a live strength indicator.

Password generator creates cryptographically secure random passwords using the browser's native crypto API. Set the length between 8 and 64 characters and toggle uppercase letters, lowercase letters, numbers, and symbols. A live strength indicator rates the password as weak, fair, strong, or very strong based on length and character variety. No passwords are sent to any server.

Generated Password

5vteFb5FSr5TB7X1

Password strengthStrong
16
864

Include

Frequently Asked Questions

How strong should a password be?
A strong password should be at least 12 characters long and mix uppercase letters, lowercase letters, numbers, and symbols. Passwords with all 4 character types and 16 or more characters are rated very strong. Avoid dictionary words, names, and predictable patterns like 123 or abc.
Is it safe to use an online password generator?
Yes, if the generator runs entirely in your browser. The SubtleCrypto API generates cryptographically random values locally. No password is transmitted to any server. You can also use it offline after loading the page.
What makes a password cryptographically secure?
A cryptographically secure password uses true randomness rather than a predictable algorithm. The browser crypto API reads entropy from the operating system hardware random number generator. The output is unpredictable even to the tool itself.
How long should a password be?
For personal accounts, 12 to 16 characters is adequate. For banking and email, use 16 or more. For master passwords in a password manager, use 20 or more. Longer passwords are exponentially harder to crack.
Should I use a password manager?
Yes. A password manager stores unique, strong passwords for every account. You only remember one master password. Store generated passwords in Bitwarden, 1Password, or your browser's built-in vault.

What is a password generator?

A password generator creates random character strings for use as account passwords. Human-chosen passwords tend to be predictable: people reuse passwords, pick names or dates, and follow keyboard patterns. A generator bypasses all of that by producing values no human would guess or remember.

The Web Crypto API (window.crypto.getRandomValues) powers this tool. The API reads entropy from the operating system's hardware random number generator. The output is cryptographically unpredictable, meaning no attacker can reproduce it even knowing the algorithm.

How the password generator works

Set the desired length using the slider (8 to 64 characters). Toggle the four character pools: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and symbols. Click Generate to produce a new password from the enabled pools.

The strength indicator rates the result. Passwords under 8 characters are rated weak regardless of character variety. Passwords with 2 or 3 character types and 12 or more characters are rated fair or strong. Passwords with all 4 types and 16 or more characters are rated very strong.

Why password strength matters

Password attacks work by guessing. Brute force tries every possible combination. Dictionary attacks try common words and variations. Credential stuffing replays passwords leaked from other breaches.

The key metric is the password's entropy: the number of possible combinations an attacker must check. A password with 8 lowercase letters has 26^8 = 208 billion combinations. Adding all 4 character types at 16 characters reaches 94^16 combinations. That is about 3.7 × 10^31, far beyond any cracking rig operating within a human lifespan.

Best practices for password security

  • Never reuse passwords. A single breach at one site exposes every account sharing that password. Use a unique password for every account.
  • Use a password manager. Remembering dozens of random 16-character strings is impossible. A manager stores them securely behind one strong master password.
  • Enable two-factor authentication (2FA) on all accounts that support it. Even a strong password alone is not enough if a phishing attack captures it.
  • Change passwords after any confirmed breach. Check haveibeenpwned.com to see if your email has appeared in a known data leak.

Related tools

Base64 Encoder / Decoder

Text

Encode text to Base64 or decode Base64 back to plain text instantly.

MD5 & SHA Hash Generator

Developer

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from any text instantly in your browser.

QR Code Generator

Utilities

Generate QR codes for URLs, text, WiFi, contacts, and more. Download as PNG or SVG.

Share this tool