About this tool
A password generator that runs entirely in your browser. Pick a length, choose which character types to include, and a strong random password appears instantly. Copy it, regenerate it, or change the options to tune the output. Nothing is sent anywhere — no network requests, no analytics, no telemetry.
It's free and there's no signup. The whole tool is about thirty kilobytes of HTML, CSS, and JavaScript; you can view the source from your browser if you want to verify exactly what it does.
Use it once when you need a strong password for a new account, or keep the tab open while you set up a password manager and need fifty in a row. Either way, your passwords stay between you and your screen.
How it works — and why it's safe
Three things matter for a password generator: the randomness has to be cryptographically strong, the selection has to be free of statistical bias, and the output has to never leave the device.
Randomness comes from crypto.getRandomValues, the browser's built-in cryptographically secure random number generator. This is the same primitive that protects HTTPS handshakes and authentication tokens — not Math.random, which is fast but predictable enough to be exploited.
Bias gets handled with rejection sampling. Naïvely picking a character with randomBytes % poolSize skews the result toward the lower characters when the pool size doesn't divide cleanly into 232. This generator throws out values from the un-representable tail and re-rolls instead, so every character in the pool has exactly the same probability.
The final string is then shuffled with Fisher–Yates — also using the secure RNG — so the order of guaranteed character types doesn't leak structural information.
There's no server. Open the network tab in your browser's developer tools while you generate — nothing is sent, nothing is fetched, nothing is logged. The tool works offline if you've loaded it once.
Choosing a strong password
Length matters more than complexity. A 16-character random password with only lowercase letters has more entropy than an 8-character password using every symbol on the keyboard. Pick the longest length the service will accept — most modern systems allow at least 64.
Don't reuse passwords. Reuse is how a leak from one site (and there are always leaks somewhere) becomes a compromise of everything else you own. The realistic way to avoid reuse is a password manager — Bitwarden, 1Password, KeePassXC, the iCloud Keychain, anything where you only have to remember one strong password. This generator is designed to feed a manager.
If you must memorize a password — the master password for your password manager, or a device unlock — a passphrase is usually a better choice than a random string. Four to six unrelated words separated by spaces or dashes gets you both strong entropy and something you can actually recall a week from now. This tool doesn't generate passphrases (yet); see Diceware or your password manager's built-in passphrase mode.
A few specifics worth remembering:
- Letters and numbers only is fine if the length is enough; symbols are most useful when a service caps the length at 12 or 14.
- "Strong" in a strength meter usually means "long enough to be expensive to brute-force." Most meters, including the one above, are heuristics — they don't catch leaked-password lookups. Treat them as a floor, not a ceiling.
- Once a password is leaked, it's permanently weak no matter how strong it looked. Rotate compromised passwords; check yours at Have I Been Pwned.
Frequently asked questions
Is this safe to use?
Yes. The generator runs entirely in your browser using the browser's built-in cryptographically secure random number generator. Nothing is sent to a server, stored, or logged.
Why does the password change when I move the slider or toggle an option?
The generator regenerates automatically whenever you change any setting. If you want a fresh password without changing settings, use the Generate button.
Should I use this password for everything?
No — never reuse passwords. Use this tool to generate a unique password for each account, and store them in a password manager so you don't have to remember each one.
What's the difference between a random password and a passphrase?
A random password is a string of characters with no meaning (like 8j#Kq2!nP@wL$5e9). A passphrase is a sequence of common words (like correct-horse-battery-staple). Passphrases are usually easier to remember and type, and can be just as strong as random passwords if they're long enough — typically four or more random words.
Can I generate a password shorter than 8 characters?
No. Passwords under 8 characters are too weak to be useful in most modern contexts and the tool deliberately doesn't offer that option. If a service requires a 4-digit PIN, you don't need a generator for that — pick anything that isn't your birthday.
What characters are in the Symbols set?
The symbols set is ! @ # $ % ^ & * ( ) _ + - = [ ] { } | ; : , . < > ?. Some services restrict which symbols they accept; if a generated password is rejected, regenerate with Symbols turned off and rely on length and the other character types instead.
Is the source code available?
The generator's logic is a small vanilla JavaScript file you can view by opening this page's source in your browser. Nothing is obfuscated.