Password Generator
Generate strong random passwords online for free. Customize length and characters.
How to Use This Tool
Set Password Length
Drag the length slider to choose between 4 and 64 characters. We recommend at least 16 for strong security.
Choose Character Types
Toggle uppercase letters, lowercase letters, numbers, and special symbols. Using all four types creates the strongest passwords.
Generate & Copy
Click Generate Password and then click the copy icon to copy it to your clipboard instantly.
Frequently Asked Questions
How secure is this password generator?
What makes a strong password?
How many passwords can I generate?
Should I use the same password for multiple sites?
About Password Generator
You just got paged because a shared service account credential leaked into a public Sentry trace, and you need 40 fresh credentials rotated before the on-call handoff at 6 AM. Or maybe you are spinning up a new Postgres role, a Redis ACL user, and three Kubernetes secrets for a preview environment and you want each one to have independent entropy rather than the same base64-padded garbage reused across your infra. This generator uses the browser's crypto.getRandomValues primitive (the same CSPRNG your browser uses for TLS session keys), shuffles with Fisher-Yates over a 32-bit random pool, and gives you length 4 to 64, passphrase mode with a 96-word dictionary, and an ambiguous-character toggle so nobody misreads 1/l/I when reading the credential over Zoom. A strength meter and GPU crack-time estimate (at 1 trillion guesses per second) tell you whether the string you just built is actually as strong as it looks.
How it works
1. Entropy sourced from the Web Crypto API
We call crypto.getRandomValues on a Uint32Array sized to your password length plus your character set count. That primitive pulls from the OS CSPRNG (getrandom on Linux, BCryptGenRandom on Windows). No Math.random, no predictable seeds, no server round trip.
2. Guaranteed inclusion from every selected class
If you enable uppercase, lowercase, numbers, and symbols, the first four positions are seeded from each class separately before the rest of the string is drawn from the combined pool. A Fisher-Yates shuffle then redistributes them so the classes do not cluster at the start.
3. Strength scored against a GPU attacker
The crack-time label assumes 1e12 guesses per second (roughly a 2024 RTX 4090 cluster brute-forcing a fast hash like MD5). For slow hashes like bcrypt at cost 12 the real crack time is orders of magnitude longer, so treat the estimate as a floor not a ceiling.
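The three steps above, sketched as an added JavaScript example (not this site's own source). The class table, symbol set and function names are assumptions, and index selection uses rejection sampling so that mapping a 32-bit draw onto the pool adds no modulo bias.

```javascript
// Added example, not the tool's source. CLASSES and all function names are assumptions.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const CLASSES = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.<>?/', // constructed sample set
};

// Uniform integer in [0, n): redraw any value in the incomplete final bucket,
// so the final `% n` carries no modulo bias.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, classNames) {
  const sets = classNames.map((name) => CLASSES[name]);
  if (sets.length === 0 || sets.includes(undefined)) throw new RangeError('bad class list');
  if (length < sets.length) throw new RangeError('length is shorter than the class count');
  const pool = sets.join('');
  // Step 2: one character per selected class, then fill from the combined pool.
  const chars = sets.map((set) => set[randomBelow(set.length)]);
  while (chars.length < length) chars.push(pool[randomBelow(pool.length)]);
  // Fisher-Yates shuffle so the guaranteed characters do not cluster at the start.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// Step 3: length * log2(pool size). This is an upper bound, because forcing one
// character per class removes a small part of the keyspace.
function entropyBits(length, classNames) {
  const poolSize = classNames.reduce((sum, name) => sum + CLASSES[name].length, 0);
  return length * Math.log2(poolSize);
}

// Seconds to try every candidate at the page's assumed 1e12 guesses per second.
function crackSeconds(bits, guessesPerSecond = 1e12) {
  return 2 ** bits / guessesPerSecond;
}
```

Calling generatePassword(16, ['upper', 'lower', 'digits', 'symbols']) returns a 16-character string with at least one character from each class; entropyBits and crackSeconds give the figures a strength meter would display.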
Pro tips
Symbols break more things than you think
Before generating a password destined for a shell script, env file, or SQL statement, disable symbols or at least exclude quotes, backticks, dollar signs, and backslashes. A password containing $VAR will silently expand inside double-quoted Bash strings, and a backtick will execute a subshell. Length 24 with only alphanumerics gives you 143 bits of entropy, still vastly stronger than any reasonable threat model demands.
Passphrases beat random strings for recovery codes
For credentials a human has to type on a phone keyboard (TV app logins, SSH keys on a bastion, 1Password master), switch to passphrase mode. Six words from a 7776-word diceware list gives 77 bits of entropy, equivalent to a 13-character random password, but you can actually remember and transcribe it without errors. Our 96-word list is shorter than diceware but fine for 8+ word phrases.
Pair generation with a clipboard timeout
Browsers do not clear the clipboard automatically. If you generate a password here and then walk away, any site or extension that reads navigator.clipboard can pick it up. Paste it into your password manager within 30 seconds, then copy something innocuous (a blank space) to overwrite it. Better yet, drag the generated password directly into the manager's input without the clipboard touching it at all.
Honest limitations
- No password history: each generation is stateless, so if you close the tab before copying you cannot recover it.
- Passphrase dictionary is only 96 words (roughly 6.6 bits per word); for true diceware-strength phrases combine 10+ words or use a dedicated diceware tool.
- Strength estimator assumes offline attack against a fast hash; real-world service rate-limiting usually makes even 12-character passwords effectively unbreakable.
Frequently asked questions
Is crypto.getRandomValues actually secure enough for production secrets?
Yes. It is the same cryptographically secure PRNG specified in the W3C Web Crypto standard and backed by the operating system entropy pool — getrandom(2) on Linux, BCryptGenRandom on Windows, SecRandomCopyBytes on macOS. NIST SP 800-90A compliant drivers feed those primitives. The same API is used by libraries like @noble/hashes and tweetnacl-js for key generation. For passwords, the only way to do better is to use a hardware security module, and HSM key generation is overkill for anything short of root CA certificates.
Should I turn off the ambiguous-character filter?
Depends on how the password will be consumed. If a human will type it from a printed page or screenshot — field tech reading a Wi-Fi password, support engineer reciting it over the phone — keep ambiguous characters excluded so 0 and O, 1 and l and I cannot be confused. For machine-only secrets pasted directly into config files or password managers, leave it off; excluding five characters reduces the pool from 94 to 89 printable ASCII and costs you less than 0.1 bits per character, but removes any reason for a future teammate to mistype it.
Why does an 8-character password show as 'weak' even with symbols?
Because modern GPU clusters benchmark over 100 billion MD5 or NTLM guesses per second per GPU. A password of length 8 drawn from the full 94-character printable ASCII set has around 6 x 10^15 combinations, which falls to a single high-end GPU in roughly 16 hours. Our meter caps 'strong' at 16 characters with mixed classes because that is where offline attack time crosses the century mark even against fast hashes. For services using bcrypt or argon2 you can get away with less, but assume the worst-case hash.
Can I generate multiple passwords at once for a batch rotation?
The interface generates one at a time, but the generation itself is effectively free: clicking regenerate gives you a new password in under a millisecond because crypto.getRandomValues is a syscall away from the entropy pool. For batch rotations across 50+ secrets, script it instead. The same one-liner works in Node, Deno, or browser devtools: Array.from({ length: 50 }, () => Array.from(crypto.getRandomValues(new Uint32Array(12)), n => (n % 36).toString(36)).join('')) gives you fifty 12-character alphanumeric passwords that you can pipe into a vault import file.
Are any passwords logged or cached anywhere?
No. Generation happens entirely inside the JavaScript VM tab you are looking at. There is no fetch call, no websocket, no telemetry beyond standard page analytics (which never sees DOM contents). The generated string exists in memory only until you navigate away or close the tab, at which point the V8 garbage collector reclaims it. We do not store it in localStorage, sessionStorage, IndexedDB, or a service worker cache. Browser devtools memory snapshots will show strings residually until GC, which is a browser limitation not a tool limitation.
If you are generating credentials you almost always end up needing to encode or sign them next. The base64-encoder tool is how you turn a random byte string into a safe HTTP header or JWT secret value, and the jwt-decoder lets you verify that a token signed with your fresh HMAC secret actually carries the claims you expect. For secret regex patterns in log scrubbing, the regex-tester is the fastest way to validate that your redaction pattern catches the new password format before you push it to production.