Password Generator
Generate secure, random passwords with customizable options.
About this tool
Produce strong passwords using the browser's cryptographically secure random generator (crypto.getRandomValues), not the weak Math.random fallback many ad-hoc generators still rely on. Dial in the length (16+ recommended for anything sensitive), toggle lowercase, uppercase, digits, and symbols, and generate one or a batch of passwords to rotate across several accounts at once. Every password is generated locally; we never see it, we don't log it, we don't transmit it — which matters because password managers are the only safe place for a new credential to land, and a browser tab is a brief stop on the way. Useful when you're creating a new service account, rotating a leaked credential, seeding a dev environment, or handing a fresh password to a teammate through your team's secret-sharing tool.
Variants
Strong Password
Generate long random passwords using the browser's cryptographically secure random source. 16–64 characters with mixed case, digits, and symbols.
Memorable Passphrase
Generate easy-to-remember 4–8 word passphrases joined by hyphens. Diceware-inspired, crypto-random word selection, strong against brute-force.
Random PIN
Generate random numeric PINs for phone locks, 2FA backup codes, safes, and debit cards. Crypto-random digit selection with rejection sampling.
Features
- Generate cryptographically secure random passwords
- Customize password length and character types
- Include uppercase, lowercase, numbers, and symbols
- Generate multiple passwords at once
How to Use
- Set your desired password length using the slider
- Toggle character types (uppercase, lowercase, numbers, symbols)
- Click "Generate" to create secure passwords
- Click any password to copy it to your clipboard
Frequently Asked Questions
Are the passwords really generated in my browser?
Yes. The generator calls window.crypto.getRandomValues, which pulls entropy from the operating system's CSPRNG. No password is sent to a server, logged, or even stored in localStorage — reload the page and every value is gone.
How long should my password be?
16 characters with mixed case, digits, and symbols is a sensible floor for web services. 20+ is reasonable for anything important (bank, email, password-manager master). Length matters more than symbol variety — a 20-character lowercase passphrase beats a 10-character "h@Xx0r!" pattern.
Can I trust a random-looking password more than a passphrase?
Only if you use a password manager. Humans can't remember Jf$7k!9pQz… which means it ends up written on a sticky note. For accounts you must type manually, a four- or five-word diceware passphrase is both memorable and brute-force-resistant.
Should I reuse the same generator settings for every site?
It's fine — what matters is that each site gets a unique password, not that each site uses a different character set. Pick one comfortable setting (e.g., 20 chars with symbols) and generate a fresh password per service, then store them all in a password manager.
Are symbols required to make a password strong?
No — length dominates. A 20-character lowercase passphrase has more entropy than a 10-character password with symbols, and it's vastly easier to type on mobile. Symbols mostly help when a site caps length at 12–16 chars; otherwise, add characters, not punctuation.
What do I do if a site rejects a symbol the generator produced?
Regenerate without symbols (toggle the symbols option off), or turn off the one specific character class the site bans. Legacy banking sites often forbid <>&. Keep the length as long as they'll allow — 16 plus mixed case and digits is usually enough to pass.