Password Generator
Generate strong, secure passwords online. Customize length and character sets — runs entirely in your browser, nothing is sent to a server.
Why use a password generator?
Human beings are bad at picking random passwords — not because of lack of effort, but because the brain naturally gravitates toward memorable patterns. Birthdays, pet names, dictionary words with a number appended, keyboard walks like qwerty123. These patterns are well-catalogued in the wordlists that attackers feed to cracking tools. A strong password generator sidesteps the problem entirely: it samples from a cryptographic random source with no bias toward any pattern, so the output has no structure for an attacker to exploit. The math works unconditionally, regardless of how creative or unusual you think your chosen password is. For any account that matters, a random password is simply better than a human-chosen one.
What makes a password strong?
Two factors determine how long a password takes to crack by brute force: length and character set size. Combined and expressed in bits of entropy, they give the single number that captures password strength. The formula is:
entropy (bits) = length × log2(alphabet_size)
Each additional bit of entropy doubles the number of guesses an attacker must make. A password with 70 bits of entropy requires roughly 2^70 guesses to crack exhaustively — about 1.18 quadrillion attempts. That sounds large, but a modern GPU cluster can test billions of hashes per second, so context matters. Here are concrete reference points:
- 8 chars, lowercase only — alphabet 26, entropy ~38 bits. Crackable in seconds by a single modern GPU.
- 12 chars, mixed case + digits — alphabet 62, entropy ~71 bits. Minutes to hours depending on the hash algorithm.
- 16 chars, mixed case + digits + symbols — alphabet ~94, entropy ~104 bits. Effectively infeasible: centuries of compute even across a large GPU fleet.
- 20 chars, mixed case + digits + symbols — entropy ~131 bits. Beyond any physically realistic brute-force attack.
The takeaway is straightforward: 16 or more characters with all four character classes — uppercase, lowercase, digits, and symbols — provides a comfortable margin against any non-government threat model. A random password generator at those settings is what this tool produces by default.
Length vs complexity — the XKCD lesson
The XKCD comic "correct horse battery staple" made a point that resonated: a four-word passphrase like correct-horse-battery-staple has more entropy than a short complex password like Tr0ub4dor&3, and it is far easier to remember. The comic is right — for passwords you need to memorize and type, length wins over complexity.
But that lesson does not apply here. Generated passwords are designed for a different use case: you paste them into a password manager once, never type them again, and let the manager fill them in forever. Memorability is irrelevant. In that context, a random 20-character string with all character classes is strictly better than any passphrase you could construct, because it maximizes entropy per stored character. If you need a memorable password — for a manager's master password, for instance — use a dedicated passphrase generator, not this tool.
How to use this password generator
- Adjust the length slider. The default is 16 characters, which gives roughly 104 bits of entropy with all character classes — a solid starting point for most accounts.
- Toggle the character class checkboxes — uppercase, lowercase, digits, and symbols. Leaving all four on is the strongest option. Disable symbols only if the target service explicitly rejects special characters.
- Use the Exclude similar characters option if you might need to read the password aloud or type it from a screenshot. This drops characters that look alike in many fonts: 0O, 1lI, etc.
- Use the Exclude ambiguous symbols option if the password will be used in a URL query string, a shell command, or a JSON value where certain characters need escaping.
- Click Regenerate to roll a new random password with the current settings.
- Click Copy to place the password on your clipboard, then paste it directly into your password manager. Do not write it down, email it, or send it through any messaging app.
Example
Settings: length 16, all character classes enabled. A typical output:
G#7mPqR2$xLnW4eZ
At 16 characters drawn from an alphabet of approximately 94 printable ASCII characters, this password has about 104 bits of entropy. Here is what the same settings look like at 20 characters:
vT@3hKw!9NpYc6Rj#mQs
That is approximately 131 bits of entropy — beyond any currently conceivable brute-force attack. The strength meter in the tool will show each of these as "Very strong".
Storing passwords — use a password manager
A generated password is only as safe as where you store it. The right answer is a password manager — software that encrypts your password vault behind a single master password and fills in credentials automatically. With a manager, every account gets a unique strong password, and you memorize exactly one thing. Credential stuffing attacks — where attackers take a leaked username/password pair from one site and try it on thousands of others — are defeated entirely because no two of your passwords are the same.
Reputable options across price points and operating models:
- Bitwarden — free and open source. Cloud-synced. Available on all platforms.
- 1Password — paid subscription. Strong UI, travel mode, team features.
- KeePassXC — free, open source, offline. The vault file lives on your disk; sync is your responsibility.
- Apple iCloud Keychain — built into Apple devices. Zero additional cost if you are already in the Apple ecosystem.
- Google Password Manager — built into Chrome and Android. Convenient if you are already signed into Google.
Whatever manager you choose: do not store passwords in plaintext files, spreadsheets, or notes apps. Do not email passwords to yourself. Do not reuse passwords across sites — password reuse is the single biggest password mistake that leads to account takeover.
Privacy and security of this tool
This random password generator runs entirely in your browser. Specifically, it uses crypto.getRandomValues — the cryptographically secure random source defined by the Web Crypto API, available in every modern browser. This is not Math.random(), which is a deterministic pseudo-random number generator unsuitable for security applications. No password text is sent to any server. There is no log, no analytics on your input, no account required.
The generator also applies rejection sampling to avoid modulo bias. When drawing from an alphabet of, say, 94 characters, the naive approach of computing randomByte % 94 slightly over-represents characters at the low end of the range because 256 is not evenly divisible by 94. Rejection sampling discards any drawn value that would cause this imbalance and re-rolls, ensuring every character in the chosen alphabet appears with exactly equal probability.
Frequently asked questions
Is crypto.getRandomValues actually secure?
Yes. It is the standard cryptographically-secure random source defined by the W3C Web Crypto API and is implemented by every modern browser using the operating system's entropy source (e.g., /dev/urandom on Linux, CryptGenRandom on Windows). It is explicitly designed for security-sensitive use cases. It is not Math.random(), which is a non-cryptographic pseudo-random number generator whose output is predictable and not suitable for generating passwords or keys.
What is rejection sampling and why does it matter?
When you generate a random byte (0–255) and need to select from an alphabet of 70 characters, the simplest approach is byte % 70. The problem: 256 divided by 70 leaves a remainder of 46, so values 0–45 map to characters that appear one extra time in the cycle compared to characters 46–69. The bias is small but real. Rejection sampling fixes this by discarding any drawn byte that falls in the biased tail and re-drawing. The resulting distribution is perfectly uniform. This generator applies rejection sampling for every character position.
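The modulo bias described in this answer and in the "Privacy and security of this tool" section, counted exactly and then removed, as an added example that is not this tool's own source code. The function names and the 94-character alphabet are assumptions made for illustration.

```javascript
// Added example, not this tool's source; all names here are illustrative.
// Web Crypto is global in browsers and Node 20+; older Node falls back.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Largest multiple of n that fits in a byte; bytes >= limit are the biased tail.
function rejectionLimit(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("alphabet size must be 1..256");
  }
  return 256 - (256 % n);
}

// Exact tally of how many of the 256 byte values map to each index under
// byte % n, either keeping the tail (naive) or rejecting it.
function byteCounts(n, reject) {
  const counts = new Array(n).fill(0);
  const limit = reject ? rejectionLimit(n) : 256;
  for (let b = 0; b < limit; b++) counts[b % n]++;
  return counts;
}

// Uniform index in [0, n): redraw whenever the byte falls in the tail.
function uniformIndex(n) {
  const limit = rejectionLimit(n);
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, alphabet) {
  const chars = [...new Set(alphabet)]; // a repeated character would skew the odds
  let out = "";
  for (let i = 0; i < length; i++) out += chars[uniformIndex(chars.length)];
  return out;
}

// Constructed alphabet: the 94 printable ASCII characters '!' through '~'.
const ALPHABET_94 = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join("");

const naive = byteCounts(70, false); // indices 0-45 own 4 byte values, 46-69 own 3
const fixed = byteCounts(70, true);  // after rejection every index owns exactly 3
console.log("naive:", naive[0], naive[69], "rejecting:", fixed[0], fixed[69]);
console.log(generatePassword(16, ALPHABET_94));
```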
How many bits of entropy do I actually need?
For most consumer accounts — streaming services, e-commerce, forums — 80 bits is a comfortable floor assuming the password is hashed with a modern algorithm on the server side. For high-value accounts like banking, primary email, and your password manager, aim for 100+ bits. The 16-char default in this tool with all character classes produces approximately 104 bits, which covers every realistic consumer threat model. The strength meter in the tool maps these ranges to Weak, Fair, Strong, and Very strong tiers.
Should I use a generated password for my password manager's master password?
No. The master password is the one password you must memorize and type without assistance. A random character string is hard to memorize reliably, which creates a recovery problem: if you forget it, you lose your entire vault. For the master password, use a long passphrase — five or more random words from a large word list, following the Diceware method. That approach yields approximately 65–90 bits of entropy depending on word list size, is far easier to memorize than a random character string, and is strong enough to withstand offline attacks. Reserve the character-based random password generator for everything stored inside the vault.
Can I generate a pronounceable password?
Not with this tool. This generator produces random characters, which are not designed to be pronounceable or memorable. Pronounceable password generators create sequences using alternating consonants and vowels, which trades some entropy for readability. That trade-off is worthwhile if you need to read the password aloud or type it frequently without copy-paste access, but for anything stored in a manager the entropy loss is not justified.
Why does the password reset when I toggle a checkbox but not when I move the length slider?
Toggling a character class changes the alphabet. The previous password was drawn from a different character set, so displaying it alongside the new settings would be misleading — it would appear to represent strength it does not actually have under the new configuration. Changing the length, however, does not invalidate the current character set: the existing password is still a valid sample of the current alphabet, and the strength meter simply updates to reflect what a new password at the new length would score. Click Regenerate at any point to produce a fresh password using all current settings.
Is it safe to copy a generated password to the clipboard?
Generally yes, with two practical caveats. First, malicious browser extensions can read clipboard contents; audit your installed extensions and remove anything you do not recognize or trust. Second, some operating systems retain clipboard history — paste the password into your password manager immediately, then overwrite the clipboard by copying something innocuous. Most managers also offer auto-clear options that wipe the clipboard after a configurable interval, which is worth enabling.
Related tools
- Hash Generator: Generate MD5, SHA-1, SHA-256 and SHA-512 hashes online. Free, fast and 100% client-side — your input never leaves the browser.
- Diceware: Generate strong, memorable passphrases using the EFF short wordlist. Cryptographically random, shows entropy in bits. Runs in your browser.
- QR Code: Free online QR code generator. Create high-quality QR codes for URLs, text, Wi-Fi and contacts — download as PNG or SVG.