Strong passwords,
generated locally.
Random passwords or memorable passphrases — your choice. Cryptographically secure, generated entirely in your browser, never sent to a server.
Advanced
History is kept only on this device, in localStorage. Clearing it here also clears it from your browser.
About this generator
The best thing you can do for security online is stop reusing passwords. The second best is to make the new ones long enough that nobody — including the breach archive of every site you'll sign up for — can crack them. This tool handles both in one click.
Most "secure" password tools leak you the moment they load: bytes pulled from a server, the password sent through analytics, sometimes everything ever produced quietly logged. This one is different on purpose. Generation runs in-browser with crypto.getRandomValues and rejection sampling — uniform across the chosen alphabet, with zero network calls at the moment you press Generate. Verify it: open DevTools, watch the network tab.
Two modes, both useful. Random is what password managers want — dense, high-entropy strings you'll never type. Passphrase is what humans want — four to six random English words you can actually remember and type on a phone. A 20-character mixed random is around 130 bits; a six-word passphrase is around 77. Both clear the threshold where brute-force stops being the threat.
The entropy meter is honest. It computes length × log2(alphabet) for random and words × log2(2048) for passphrase, and calls anything under 60 bits "weak." Sites that demand a special character plus a digit are trying to manufacture entropy that length should already provide — use 20+ characters and ignore the picky rules where you can. Where you can't, drop the length, untick symbols, trust the math. If you need a different shape — a handle, a single word — try the Username Generator or Word Generator.
What people use it for
Real situations where a fresh strong password beats whatever you'd type by hand.
Signup forms
New service, new account, new password — never a variant of the last one. Generate, paste into your manager, save. Nine seconds.
Wi-Fi keys
Passphrase mode is the right shape for a network password: four hyphenated words guests can read off the fridge and type without misery.
Document encryption
PDF, ZIP, archive — pick a 24-character random, encrypt, send the password over a separate channel. Channel metadata is the weak link, not the password.
IT onboarding
Bulk-generate temporary passwords for new hires. Length 16, mixed-class, no ambiguous chars since they'll be retyped from a printed sheet.
Reused passwords
Your manager just said "Reused on 14 sites." Open a tab and burn through the list. Each generation is independent — none know about the others.
Master passwords
The one password you'll memorize. Passphrase mode, six words, written on paper for a week. After that your fingers will know it.
How it works
Random mode
We assemble an alphabet from your enabled classes, optionally subtracting 0O1lI. For each position we draw a 32-bit integer from crypto.getRandomValues and reject draws above floor(2³²/N) × N, mapping into [0,N) without modulo bias. If "require one of each class" is on, we re-roll until the result satisfies it.
Passphrase mode
A 2,048-word list (EFF-style short — pronounceable, 4 to 7 letters), N words picked by the same rejection-sampled method, joined with your separator. Each word contributes log2(2048) = 11 bits, so a six-word phrase clears 77 bits even fully lowercase.
State & storage
Settings — length, classes, mode, separator — live in the URL query string and rehydrate on load. The generated password is never in the URL. Recent passwords live in localStorage on this device only, capped at 10. We never see them.
Common questions
Are these passwords actually random?
Yes. We use crypto.getRandomValues with rejection sampling — the same cryptographically secure source your browser uses for HTTPS keys. No Math.random anywhere, no bias across the chosen alphabet.
Does my password ever get sent to a server?
Never. Generation runs entirely in your browser. Open DevTools, watch the network tab — nothing leaves the page when you click Generate. Your password is never logged, stored on our servers, or seen by us.
Should I use a random password or a passphrase?
Random for password-manager use — denser per character. Passphrase for things you'll type from memory: a master password, a Wi-Fi key, a guest-room laptop. Both clear the threshold where brute-force matters.
What is entropy and how many bits do I need?
Entropy is the size of the search space, in bits. Each bit doubles the work an attacker has to do. 80 bits is comfortable, 100+ is strong, 128+ is overkill except for crypto keys. A 16-character mixed-class password is around 95 bits; a six-word passphrase is around 77.
Why exclude ambiguous characters?
Because reading 0 vs O or 1 vs l vs I from a printed page or kiosk is miserable. The toggle drops those five. You lose a sliver of entropy per character; add two characters of length and you're net ahead.
Can I share or save the password via URL?
Settings save in the URL — length, character classes, mode, separator — but the password itself never goes in the URL. That would defeat the point. Bookmark the URL to lock in preferences; click Generate for a fresh password.
What if a site has a max length or banned characters?
Drop the length slider and toggle off symbols. Some banks still cap at 16 alphanumeric — annoying, but workable. 95 bits is fine for an account that locks after five wrong tries.
Related generators
Same neighborhood — different question.