Password Generator.
Generate cryptographically strong, random passwords using your browser's built-in secure RNG. Nothing is sent to any server — all generation is local.
Security Information
Cryptographically Secure
Passwords are generated using crypto.getRandomValues() — the same
API browsers use for TLS. True randomness, not predictable pseudo-randomness.
100% Local
Nothing is ever sent over the network. All generation runs in your browser. Disconnect from the internet and this tool still works perfectly.
Entropy Explained
Strength is measured in bits of entropy: length × log₂(charset size). A 16-char password with all sets yields ~105 bits — brute-force infeasible for decades.
No Logs or History
Passwords are never stored, logged, or remembered. Reload the page and they are gone. Pair this tool with a reputable password manager for best results.
What makes a strong password?
A strong password combines length and character variety. Using all four character sets at 16+ characters gives over 100 bits of entropy — making brute-force attacks computationally infeasible against any foreseeable hardware.
Why use a random password generator?
Humans are poor at creating randomness — we unconsciously use patterns, words, and dates that attackers exploit. A cryptographic RNG eliminates all bias, producing passwords with maximum entropy for the given length and character set.
Should I use a password manager?
Yes. Use a reputable password manager (Bitwarden, 1Password, etc.) to store a unique, random password for every site. Generate a strong password here, copy it directly into your password manager, and never reuse it.
How often should I change passwords?
NIST SP 800-63B recommends changing passwords only when there is evidence of compromise, not on a fixed schedule. A long, unique, randomly generated password is far more effective than frequent rotation of weak passwords.
Frequently Asked Questions
- How secure are the generated passwords?
- All passwords use
window.crypto.getRandomValues()— cryptographically strong randomness from your OS entropy pool. This is the same source used for TLS key generation, not the weakMath.random(). - Are passwords stored or logged anywhere?
- No. Passwords are generated in your browser and never sent to any server. Close the tab and they are gone — there is no record of what was generated.
- What is the recommended password length?
- At least 16 characters for standard accounts; 20+ for high-value accounts like email and banking. Store generated passwords in a password manager so you never need to remember them.
- How often should I change passwords?
- NIST SP 800-63B recommends changing passwords only when there is evidence of compromise — not on a fixed schedule. A long, unique, randomly generated password is far more effective than frequent rotation of weak passwords.
Privacy & Security
All password generation runs in your browser using the Web Crypto API. Nothing is transmitted to any server. Disconnect from the internet and this tool still works perfectly.