Secure Password Generator

Generate strong, secure passwords instantly. Customizable length and character sets.

About Password Gen

A password generator that uses the browser's Web Crypto API (crypto.getRandomValues) for cryptographically strong randomness — not Math.random, which is predictable. Choose the length, include or exclude symbol sets, and optionally avoid ambiguous characters like 0/O and 1/l that trip people up when typing. Passwords are generated in memory, shown once, and never leave your device.

Most password leaks happen because of weak or reused passwords. A strong password is long, random, and unique per site. Length matters more than complexity: a 20-character lowercase passphrase is harder to brute-force than an 8-character mix of everything. This generator defaults to 16 characters, which is enough entropy to resist any realistic offline attack today.

Randomness comes from crypto.getRandomValues, which draws from the operating system's secure random pool — the same source used for cryptographic keys. This matters because Math.random is deterministic and predictable given enough samples, making it unsuitable for passwords. The tool also lets you exclude visually-ambiguous characters (0, O, l, 1, I) for situations where you'll type the password by hand from a printout.

For anything you'll actually use, store the generated password in a password manager (Bitwarden, 1Password, KeePass). This tool doesn't store anything — once you close the tab, the password is gone.

How to use the Password Gen
  1. Choose your length

    Pick a length between 8 and 128 characters. For online accounts, 16–20 is a sensible default. For high-value accounts or master passwords, go longer.

  2. Select character sets

    Toggle uppercase, lowercase, numbers, and symbols. More sets means more entropy per character. Some sites reject certain symbols — disable them if needed.

  3. Exclude ambiguous characters (optional)

    Hide characters that look alike in most fonts (0/O, 1/l/I). Useful if the password will be typed from a piece of paper.

  4. Copy and save

    Copy the password to your clipboard and paste it immediately into your password manager. Don't screenshot, don't email, don't store it in plain text.
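
The generation steps above as an added JavaScript example, not this tool's own source: it builds the alphabet from the selected sets, draws bytes from crypto.getRandomValues, and computes entropy as length times log2 of the alphabet size. The function names and the rejection step that avoids modulo bias are assumptions of this example; the page does not say how the tool maps random bytes to characters.

```javascript
// Added example. All names here are illustrative, not taken from the tool.
const rng = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const CHARSETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // 32 symbols; 94 chars in total
};
const AMBIGUOUS = new Set('0Ol1I'); // the look-alikes the page lists

function buildAlphabet(opts = {}) {
  const { excludeAmbiguous = false, ...sets } = opts;
  let chars = Object.keys(CHARSETS)
    .filter((name) => sets[name] !== false) // every set is on unless disabled
    .map((name) => CHARSETS[name])
    .join('');
  if (excludeAmbiguous) chars = [...chars].filter((c) => !AMBIGUOUS.has(c)).join('');
  if (chars.length === 0) throw new Error('select at least one character set');
  return chars;
}

function generatePassword(length, alphabet) {
  if (!Number.isInteger(length) || length < 8 || length > 128) {
    throw new RangeError('length must be an integer from 8 to 128');
  }
  // Accept only bytes below the largest multiple of alphabet.length that fits
  // in 0..255. A plain `byte % alphabet.length` would favour the first
  // (256 % alphabet.length) characters and cost a little entropy.
  const limit = 256 - (256 % alphabet.length);
  const buf = new Uint8Array(length * 2);
  const out = [];
  while (out.length < length) {
    rng.getRandomValues(buf); // CSPRNG bytes, never Math.random
    for (const byte of buf) {
      if (byte < limit && out.length < length) out.push(alphabet[byte % alphabet.length]);
    }
  }
  return out.join('');
}

// Entropy of a uniformly random password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

const alphabet = buildAlphabet({ excludeAmbiguous: true });
console.log(generatePassword(16, alphabet), entropyBits(16, alphabet.length).toFixed(1));
```

Excluding the five look-alike characters shrinks the alphabet from 94 to 89, so each character carries slightly less entropy; adding one character of length more than makes up for it.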

Common use cases

New account creation

Generate a unique password for every new account and save it to a password manager immediately.

Rotating leaked passwords

When a breach notification arrives, replace the compromised password with a freshly generated one.

API keys and service accounts

Use the alphanumeric-only mode to create machine-readable credentials for services that reject special characters.

Wi-Fi and router passwords

Long random passwords for devices that rarely need re-entry — the hassle of typing it once is worth the security.

Frequently asked questions
Is the password I generated stored anywhere?

No. The password exists only in your browser's memory and is discarded when you close the tab or navigate away. It's never sent over the network, never logged, and never saved in local storage.

How strong is a 16-character password?

With all character sets enabled (94 printable ASCII characters), a 16-character random password has about 104 bits of entropy. That's enough to resist offline brute-force attacks even on dedicated hardware for decades. For a master password, aim for 20+ characters.

Why not just use Math.random?

Math.random is not cryptographically secure. Its output can be predicted after observing enough samples, and different browsers implement it differently. Web Crypto's getRandomValues draws from the operating system's secure random pool.

Should I memorize these passwords?

No — you can't realistically memorize a unique 16-character random string per site. Use a password manager to store them, and memorize only your master password (which should be a long passphrase).

Why does this generator exclude certain symbols?

Some sites reject specific symbols (quotes, backslashes, angle brackets) because of bad input-handling on their end. The generator lets you toggle symbols off entirely or use a conservative subset to avoid these edge cases.
