Password Generator
The Password Generator creates cryptographically secure random passwords using the browser's crypto.getRandomValues() API. You can configure the length, character sets (uppercase, lowercase, digits, symbols), and minimum requirements per character class. The tool displays the entropy in bits for each generated password so you can assess its strength. Nothing is ever sent to any server.
What makes a password strong?
A strong password has high entropy – the number of bits required to represent all possible passwords of that length and character set. Entropy is calculated as log2(character set size ^ password length). The formula applies only when every character is drawn independently and uniformly at random, which is why it does not describe human-chosen passwords. A 12-character password using all 94 printable ASCII characters has log2(94^12) ≈ 78.8 bits of entropy, which is currently considered strong against offline brute-force attacks. NIST SP 800-63B recommends a minimum of 8 characters but advocates for passphrases and machine-generated random passwords over human-chosen ones. For high-security contexts, 128 bits of entropy (about 20 random alphanumeric characters) is recommended.
How does the generator work?
The tool generates a password by sampling random integers from the browser's CSPRNG (crypto.getRandomValues()) and mapping them to characters from the enabled character sets using rejection sampling – a method that ensures uniform distribution without modulo bias. Rejection sampling discards sampled values that would create bias toward lower-index characters when the character set size does not evenly divide the random integer range. After generation, the password is checked against minimum character class requirements (e.g. at least 1 digit, at least 1 symbol); if not met, the password is regenerated until all requirements are satisfied.
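The sampling and regeneration logic described above, as an added JavaScript example (not the tool's own source). The `CLASSES` table, `uniformIndex`, `generatePassword` and the injectable `fill` parameter are assumed names, and the code falls back to Node's `webcrypto` when run outside a browser.

```javascript
// Added example; all names are assumptions, not the tool's source code.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

// Four character classes, 94 printable ASCII characters in total.
const CLASSES = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digit: "0123456789",
  symbol: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};

// Uniform integer in [0, n) by rejection sampling over 32-bit draws.
// `fill` is injectable so the rejection path can be exercised deterministically.
function uniformIndex(n, fill = (buf) => rng.getRandomValues(buf)) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) {
    throw new RangeError("n must be an integer in [1, 2^32]");
  }
  const limit = 2 ** 32 - (2 ** 32 % n); // largest multiple of n within the 32-bit range
  const buf = new Uint32Array(1);
  for (;;) {
    fill(buf);
    if (buf[0] < limit) return buf[0] % n; // draws >= limit would favour low indices
  }
}

// Draw every character uniformly, then regenerate the whole password until each
// enabled class appears at least minPerClass times (uniform over compliant passwords).
function generatePassword(length, enabled = Object.keys(CLASSES), minPerClass = 1) {
  if (enabled.length === 0 || enabled.some((c) => !(c in CLASSES))) {
    throw new RangeError("enable at least one known character class");
  }
  if (enabled.length * minPerClass > length) {
    throw new RangeError("requirements cannot be met at this length");
  }
  const alphabet = enabled.map((c) => CLASSES[c]).join("");
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += alphabet[uniformIndex(alphabet.length)];
    // Count characters per class; no characters are patched in after the fact.
    const ok = enabled.every(
      (c) => [...pw].filter((ch) => CLASSES[c].includes(ch)).length >= minPerClass
    );
    if (ok) return pw;
  }
}
```

Because non-compliant passwords are thrown away, the result is uniform over the passwords that satisfy the policy, so minimum-class requirements slightly reduce the entropy given by the plain formula.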
Typical Use Cases
- Generating a strong random password for a new account or service
- Creating database credentials, API keys, or service account passwords
- Producing passwords that meet specific complexity policies (min uppercase, digits, symbols)
- Generating multiple passwords at once for batch account setup
Step-by-step Guide
- Step 1: Set the desired password length (16–32 characters recommended for most uses).
- Step 2: Enable or disable character sets: uppercase, lowercase, digits, symbols.
- Step 3: Set minimum requirements per character class if your policy requires them.
- Step 4: Click 'Generate' and copy the password to your password manager.
Example
Input
Length: 20, all character sets enabled
Output
gT#7mK!qR2@vNxWpJ$4Y (example; each generation is unique)
Tips & Notes
- Aim for at least 16 characters for new accounts; 12 characters is the minimum for acceptable security in 2024.
- Store generated passwords in a password manager (Bitwarden, 1Password, KeePass) – never reuse passwords across sites.
- Higher entropy is always better; using all character sets (94 printable ASCII) gives more entropy per character than limiting to alphanumeric (62 characters).
Frequently Asked Questions
Is the password generated securely?
Yes. The tool uses crypto.getRandomValues(), the browser's CSPRNG (Cryptographically Secure Pseudo-Random Number Generator), which is suitable for cryptographic purposes. Math.random() is not used.
What does 'entropy' mean for a password?
Entropy (measured in bits) quantifies how unpredictable a password is. Each additional bit of entropy doubles the number of guesses an attacker needs. 60 bits ≈ marginally acceptable; 80 bits ≈ good; 128+ bits ≈ very strong.
Should I use a passphrase instead of a random password?
Passphrases (e.g. BIP39 words or Diceware words) are easier to memorize while still providing good entropy. For accounts you need to remember, a 5–6 word passphrase is a good choice. For accounts stored in a password manager, a random password is equally good and often meets site character requirements more easily.