Random Password Generator
Generate cryptographically secure passwords and passphrases instantly in your browser. Nothing is ever sent to any server.
How this tool works
This password generator runs entirely in your browser using the Web Crypto API (crypto.getRandomValues()), which produces cryptographically secure random numbers. No passwords, options, or any other data are ever transmitted to a server.
Password mode
You choose a length and which character types to include. The generator builds a pool of valid characters, then picks from that pool using rejection sampling — a technique that eliminates modulo bias, ensuring every character has an exactly equal probability of being chosen.
To guarantee the result actually contains at least one of each type you selected, the tool picks one character from each required set first, fills the remainder randomly from the full pool, then shuffles everything using the same cryptographic random source.
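The three steps described above (rejection sampling, one character per required set, cryptographic shuffle), as an added example that is not the tool's own source code. The character sets and the function names `randomBelow` and `generatePassword` are assumptions made for illustration.

```javascript
// Web Crypto: global in browsers and current Node; require() fallback for older Node.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Uniform integer in [0, n), 1 <= n <= 2**32. A plain `x % n` favours small
// residues whenever 2**32 is not a multiple of n; draws at or above the largest
// multiple of n are thrown away and redrawn instead.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Assumed character sets for this sketch (not the tool's actual sets).
const SETS = new Map([
  ['lower', 'abcdefghijklmnopqrstuvwxyz'],
  ['upper', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'],
  ['digit', '0123456789'],
  ['symbol', '!@#$%^&*()-_=+[]{};:,.?'],
]);

function generatePassword(length, types) {
  const required = [...new Set(types)].map((t) => SETS.get(t));
  if (required.length === 0 || required.includes(undefined)) {
    throw new RangeError('select at least one known character type');
  }
  if (!Number.isInteger(length) || length < required.length) {
    throw new RangeError('length must be an integer >= number of selected types');
  }
  const pool = required.join('');
  // Step 1: one character from each required set.
  const chars = required.map((set) => set[randomBelow(set.length)]);
  // Step 2: fill the remainder from the full pool.
  while (chars.length < length) chars.push(pool[randomBelow(pool.length)]);
  // Step 3: Fisher-Yates shuffle with the same source, so the guaranteed
  // characters do not always sit in the first positions.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}
```

Forcing one character from each set excludes every string that lacks a selected type, so the real search space is marginally smaller than pool size raised to the length.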
Passphrase mode
Passphrases string together random words from a built-in list of 512 common English words. Each word contributes exactly 9 bits of entropy (log₂ of 512). A 7-word passphrase reaches 63 bits — stronger than most 10-character random passwords, and far easier to type from memory.
Choosing the "random digit" separator inserts a unique digit between each word, adding approximately 3.3 extra bits per separator, pushing a 6-word passphrase above 70 bits total.
Entropy estimate: The displayed bit value represents the theoretical search space an attacker must cover if they know exactly which tool, wordlist, and settings you used. Real-world security is higher if those details are unknown.
Password security best practices
A strong generated password is only the first step. How you manage and use passwords matters just as much as how strong they are.
Do
- Use a unique password for every account
- Store passwords in a reputable password manager (Bitwarden, 1Password, KeePass)
- Enable two-factor authentication (2FA) on every account that supports it
- Use 20+ characters for high-value accounts (email, banking, cloud storage)
- Use a long passphrase for any password you must memorize
- Check if your accounts appear in known data breaches (Have I Been Pwned)
Avoid
- Reusing passwords across sites — one breach exposes everything
- Using personal information (birthdays, names, pet names)
- Storing passwords in plaintext files, notes apps, or spreadsheets
- Emailing passwords to yourself or others
- Using dictionary words alone without numbers and symbols
- Sharing passwords through unencrypted channels
Why length matters more than complexity
An 8-character password using all character types has roughly 52 bits of entropy. A 16-character password using only lowercase letters has 75 bits. The longer password is dramatically harder to crack even though it uses fewer character types. Prioritise length first, then add complexity if the site permits it.
Modern GPUs can attempt billions of password guesses per second against offline hashes. Only entropy — the sheer size of the search space — provides reliable protection.
Frequently asked questions
Is this password generator secure?
Yes. All generation uses crypto.getRandomValues(), the browser's cryptographically secure random number generator — the same source used in TLS and other security-critical systems. This is significantly stronger than Math.random(), which is not suitable for security use.
The tool uses rejection sampling (not simple modulo) to ensure each character is chosen with exactly equal probability, eliminating statistical bias.
Does this tool send my passwords anywhere?
No. Generation happens entirely in your browser tab using JavaScript. Your passwords are never transmitted to any server, never appear in network requests, and are not stored in cookies, localStorage, or any other persistent storage. You can verify this by opening your browser's Network tab in developer tools while generating a password — you will see no outgoing requests.
What password length should I use?
For general accounts stored in a password manager: 16–20 characters with all character types is excellent. For critical accounts (your primary email, password manager master password, banking): 20+ characters, or use a 7–8 word passphrase you can memorise.
Length is the single most important factor. Each additional character multiplies the search space by the charset size — adding one character to a password drawn from a 95-character pool makes it 95× harder to crack.
Are passphrases more secure than passwords?
Passphrases can match or exceed the security of random character passwords while being much easier to type and remember. A 7-word passphrase from this tool has ~63 bits of entropy — stronger than an 8-character fully-random password (~52 bits) and close to a 12-character random password (~79 bits).
For accounts where you must type the password frequently (laptop login, phone PIN, password manager master), a passphrase is often the better choice. For everything stored in a password manager, a 20-character random password is slightly more compact.
What does "entropy" mean in this context?
Entropy (measured in bits) represents how many possible passwords exist with the same settings. A 1-bit increase doubles the number of possibilities. At 64 bits, there are over 18 quintillion possible passwords — even at one billion guesses per second, brute-forcing would take tens of thousands of years.
The displayed entropy assumes an attacker knows every setting you used (length, charset, wordlist). If those details are unknown, the real security margin is higher. Treat the number as a conservative lower bound.
What are ambiguous characters, and should I exclude them?
Ambiguous characters are letters and numbers that look nearly identical in some fonts: 0 and O, 1 and l and I, B and 8, S and 5.
If you will never type the password manually (you copy-paste it from a password manager), leave this unchecked — keeping them in gives you a slightly larger charset and marginally higher entropy. If you ever type the password by hand or read it off a screen, excluding ambiguous characters prevents transcription errors.
What is the best way to store generated passwords?
Use a reputable password manager. Strong options include Bitwarden (open-source, free tier), 1Password, and KeePass (offline, open-source). Password managers encrypt your vault locally before syncing, meaning even the provider cannot access your passwords.
Never store passwords in a plain text file, a note app without encryption, a browser bookmark, or in your email.