Secure Password Generator
Generate cryptographically secure random passwords using window.crypto.getRandomValues(). Customize length and character sets. Nothing is ever sent to a server.
// how to use
Generate and save a strong password in three steps.
Set options
Drag the length slider (aim for 16+) and toggle character sets: uppercase, lowercase, digits, symbols.
Click Generate
Each click calls crypto.getRandomValues(), a true CSPRNG. Changing any setting also generates a new password automatically.
Copy & save
Click Copy and immediately paste into a password manager. Never store passwords in plaintext.
Why use a password generator?
Humans are terrible at generating randomness. We unconsciously pick familiar words, repeat patterns, and choose dates that are easy to remember — and easy to guess. A password like Summer2024! feels complex but contains a dictionary word, a year, and a common punctuation pattern. Attackers use rule-based dictionaries that try exactly these combinations first. A truly random 16-character password from a 94-character pool is harder to crack than any "clever" human-invented password.
What makes a password strong? Two factors drive strength: length and character pool size. Adding one character to a 16-character password multiplies the search space by 94 (for a full character set). Length compounds exponentially. A 20-character random password from lowercase letters only has more entropy than a 12-character password with full character sets. Use both — long passwords with diverse characters.
Entropy explained simply. Entropy is the number of bits of information (unpredictability) in a password. A coin flip has 1 bit. A die roll has ~2.58 bits. A password drawn from a pool of 94 characters has log₂(94) ≈ 6.55 bits per character. A 16-character password using the full set yields ~105 bits. A modern GPU cluster can try about 10¹² guesses per second against a fast hash — 2¹⁰⁵ guesses would take longer than the age of the universe. Security margins matter.
Why Math.random() is NOT secure. JavaScript's Math.random() is a pseudo-random number generator designed for speed in simulations and games. Its internal state is only a few dozen bytes, and if an attacker observes enough outputs they can reconstruct the seed and predict all past and future values. window.crypto.getRandomValues() is seeded by the operating system from hardware entropy sources — keyboard timings, disk interrupts, CPU jitter — making its output computationally unpredictable. Always use crypto.getRandomValues() when security is involved.
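The generation and entropy arithmetic described above, as an added example (not this tool's own source code): each character is drawn with crypto.getRandomValues(), using rejection sampling, a detail the page does not cover, so every character in the pool is equally likely. The SETS table and all function names are assumptions made for illustration.

```javascript
// Added example: illustrative code, not the page's own implementation.
// Browser: globalThis.crypto is window.crypto. Older Node: use node:crypto's webcrypto.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

const SETS = { // hypothetical option names; together they form the 94-character pool
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", // 32 printable ASCII symbols
};

function buildPool(opts) {
  const pool = Object.keys(SETS).filter((k) => opts[k]).map((k) => SETS[k]).join("");
  if (pool.length === 0) throw new Error("enable at least one character set");
  return pool;
}

// Uniform integer in [0, n) by rejection sampling: values in the incomplete
// top range are discarded so that `% n` does not favour low indices.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, opts) {
  const pool = buildPool(opts);
  let out = "";
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return out;
}

// Entropy of a uniformly random password: L * log2(N) bits.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Shortest length from a (smaller) pool that still reaches targetBits.
function lengthForBits(poolSize, targetBits) {
  return Math.ceil(targetBits / Math.log2(poolSize));
}
```

lengthForBits(62, entropyBits(16, 94)) gives the length needed when a site rejects symbols but the 16-character full-set strength should be kept.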
// faq
How secure is this password generator?
It uses window.crypto.getRandomValues(), which is a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) mandated by the W3C Web Crypto specification. It is seeded by the operating system from hardware entropy and is the same source used to generate TLS session keys, cryptographic nonces, and UUIDs. It is fundamentally different from Math.random() and is approved for security-critical applications.
What is password entropy?
Entropy measures how unpredictable a password is, expressed in bits. A password drawn randomly from a pool of N characters with length L has log₂(Nᴸ) bits of entropy. Each extra bit doubles the number of guesses an attacker needs. At 128 bits of entropy, brute-force is computationally infeasible for all foreseeable hardware. Aim for at least 80 bits for a password stored in a password manager, and 128+ bits for master passwords and API keys.
How long should my password be in 2026?
For regular accounts stored in a password manager: 16 characters minimum, 20+ preferred. For high-value accounts (email, banking, cloud infrastructure, password manager master password): 24-32 characters. For API keys and tokens stored in secrets managers: 32-64 random characters or the system's own key format. GPU cracking speeds double roughly every 18 months — longer passwords maintain their safety margin over time.
Should I include symbols in my password?
Yes, when the site allows them. Symbols expand the character pool from ~62 (upper + lower + digits) to ~94, adding about 10-15 extra bits of entropy for a 16-character password. If a site rejects certain symbols, simply increase length instead — adding 2 characters compensates for removing symbols. Never let symbol restrictions push you toward a shorter password; length is the primary driver of strength.
Are generated passwords stored anywhere?
No. Passwords are generated entirely within your browser's JavaScript engine using crypto.getRandomValues() and displayed on screen. No data is transmitted to any server, no analytics capture the values, and no browser storage (localStorage, cookies, sessionStorage) is written. You can verify this by opening DevTools → Network while generating passwords — you will see zero outbound requests. When you close the tab, the passwords are gone.
What is the difference between this and Math.random()?
Math.random() is a deterministic pseudo-random number generator seeded at browser startup. Security researchers have shown it can be reverse-engineered from as few as a few thousand outputs. Its internal state is typically 64-128 bits — far smaller than the passwords it would generate, meaning an attacker who observes outputs can reconstruct the seed and predict every past and future value. crypto.getRandomValues() is continuously re-seeded by the OS from hardware sources and is designed to be computationally unpredictable even with full knowledge of the implementation. Never use Math.random() for passwords, session tokens, CSRF tokens, or any security context.