Password Generator

Generate strong, random passwords in your browser. Choose length, character types, exclude lookalikes. Nothing is sent to any server.

Runs in your browser — nothing uploaded

Options

Length: 20 characters

How many to generate

Character types

Lowercase (a–z)Uppercase (A–Z)Digits (0–9)Symbols (!@#…)

Exclude lookalike characters (i, l, 1, o, 0…)Require at least one of each selected type

0 passwords

Pick options above and click Regenerate

Generated with crypto.getRandomValues()— the browser's cryptographic random source. Strength is estimated as log₂(pool_size) × length; values above 90 bits are widely considered strong for most threat models.

Use this free password generator to create strong, cryptographically random passwords in your browser. Configure length, character types, exclude lookalike characters, and generate up to 50 at once — each rated for strength so you know what you are using.

Private by design — your data never leaves your device

How to use it

No account, no upload — it all happens on your device.

Pick how long you want the password and how many to generate at once.

Toggle which character types to include — lowercase, uppercase, digits, symbols.

Optionally exclude lookalike characters or require at least one of each selected type.

Click Regenerate to refresh the list, then copy a single password or copy all of them.

How long should a password be?

Length is the single biggest factor in real-world resistance to attack.

The strength of a random password is measured in bits of entropy — log₂(pool size) × length. Each bit doubles the search space an attacker has to cover. The table below shows the entropy you get from common length/character-pool combinations.

Length	Character pool	Entropy	Verdict
8	Lower + digits (36)	~41 bits	Weak — crackable in hours offline
12	All 4 classes (~94)	~78 bits	Fair — fine for most accounts
16	All 4 classes (~94)	~104 bits	Strong — safe against offline attacks
20	All 4 classes (~94)	~131 bits	Very strong — recommended default
32	All 4 classes (~94)	~209 bits	Overkill, but cheap to use

Above ~90 bits a password is, in practical terms, uncrackable even if the attacker has stolen the password database and is running a top-tier GPU rig against the hashes. NIST's modern guidance (SP 800-63B) emphasises length over complexity for exactly this reason.

When to tweak the defaults

Sensible adjustments for specific situations.

Need to type the password by hand. Enable Exclude lookalike characters so you never confuse a lowercase L for the digit 1 or a zero for the letter O.
The site rejects symbols. Some legacy systems only allow letters and digits. Turn off symbols and bump the length to 24+ to recover the lost entropy.
Generating an encryption passphrase. Use 32 characters and keep every character class on. The extra entropy matters when the password protects a long-lived secret like a backup archive.
Filling out a bulk-create form. Set count to 10–50 and use Copy all — each row in your CSV or seed file gets a fresh, unique value.

Best practices for storing the result

A strong password is only useful if you can retrieve it later without storing it somewhere insecure. A few rules of thumb:

Use a password manager.1Password, Bitwarden, or your browser's built-in vault encrypt the password with a master key that lives on your device. That way you only need to remember one strong master password.
Do not paste it into Slack, email, or a notes app. Each of those is a long-lived cache the password will eventually leak from.
Rotate after a known breach. Check haveibeenpwned.com periodically. If a site you use is breached, generate a new password here and update the entry in your manager — even if your old one was 20 characters long.

Frequently asked

Is it safe to generate passwords on a website?

It is safe here because the password is created entirely in your browser using your device's cryptographic random source (crypto.getRandomValues). Nothing is sent over the network — no logs, no analytics on the generated value.

How long should my password be?

For most personal accounts, 16+ random characters across mixed character types is plenty. For anything sensitive — banking, master passwords, encryption keys — go to 20+ characters. The strength meter shown next to each password is based on entropy in bits; values above 90 bits are considered strong by current cryptographic standards.

What does 'exclude lookalike characters' do?

It removes characters that are easy to misread when typed or read aloud — i, l, 1, o, and 0. Useful when you need to dictate or write down the password. The trade-off is a slightly smaller character pool and therefore a small reduction in entropy.