Generate strong, cryptographically secure random passwords in your browser. Customize length, uppercase, lowercase, numbers, and symbols with a live strength indicator.
Password Generator is a free online tool that creates cryptographically secure random passwords using the Web Crypto API. Unlike pseudo-random generators, it uses crypto.getRandomValues() for true randomness, making the generated passwords suitable for securing accounts, databases, and sensitive systems. You can customize the password length from 4 to 128 characters and choose which character types to include: uppercase letters, lowercase letters, numbers, and symbols. A built-in strength indicator provides instant visual feedback on the security level of the generated password. The Passphrase mode generates memorable word-based passwords like "Correct-Horse-Battery-42-Staple" for easier recall with strong security.
Use the Password Generator whenever you need a strong, unique password for a new account, API key, database credential, or encryption secret. It is particularly valuable when onboarding onto new services, rotating existing passwords as part of a security hygiene practice, creating master passwords for password managers, or generating random secrets for environment variables and configuration files in software projects.
Security-conscious developers and users use Password Generator to create strong passwords for user accounts and admin panels, generate API keys and webhook secrets, produce random tokens for session management, create database passwords for staging and production environments, generate encryption passphrases, build random seed values for testing, and produce temporary access codes. The strength indicator helps ensure passwords meet minimum security requirements for enterprise and compliance standards.
Essential terms and definitions related to Password Generator.
A measure of password unpredictability expressed in bits. Calculated as: length × log₂(character set size). A 12-character password using all 95 printable ASCII characters has ~79 bits of entropy. NIST recommends minimum 80 bits for sensitive accounts. Higher entropy means exponentially more guesses needed to crack the password by brute force.
A method of cracking passwords by systematically trying every possible combination until the correct one is found. The time required grows exponentially with password length and character set size. A 6-character lowercase password (26⁶ ≈ 309 million combinations) can be cracked in seconds, while a 16-character mixed password (95¹⁶ ≈ 4.4 × 10³¹) would take billions of years.
The range of character types used in a password: lowercase (26), uppercase (26), digits (10), and symbols (33) totaling 95 printable ASCII characters. Using all four types maximizes entropy per character. Some standards also allow extended Unicode characters, further increasing the set size.
The strength indicator evaluates password entropy based on length and character set diversity. A password using uppercase, lowercase, numbers, and symbols with 16+ characters is rated as strong. Shorter passwords or those using fewer character types receive lower ratings.
Yes. The generator uses the Web Crypto API (crypto.getRandomValues), which provides cryptographically secure random numbers sourced from operating system entropy. This is the same randomness source used for encryption keys and security tokens.
We recommend a minimum of 12 characters using all character types (uppercase, lowercase, numbers, and symbols). For high-security accounts like banking or email, use 16 or more characters. Longer passwords are exponentially harder to crack.
The tool provides character type toggles for uppercase, lowercase, numbers, and symbols. While there is no specific ambiguous character exclusion, you can regenerate until you get a password without confusing characters, or manually swap them.
Common errors developers encounter and how to resolve them.
Password appears "strong" but has low entropy: Entropy calculation Password strength is measured by entropy: E = L × log2(R), where L = length and R = character set size. An 8-character lowercase-only password: 8 × log2(26) ≈ 37.6 bits (weak). A 16-character mixed password (a-z, A-Z, 0-9, symbols): 16 × log2(95) ≈ 105 bits (strong). NIST SP 800-63B recommends a minimum of 80 bits of entropy. This tool's strength indicator evaluates character diversity and length together to provide a reliable strength estimate.
Generated password rejected: Site-specific character restrictions Some websites and applications reject certain special characters (' " < > \ ; | etc.) in password fields or enforce a maximum length limit. This can itself be a sign of a security weakness (relying on character restriction instead of input sanitization for SQL injection defense). Solution: use the character options above in this tool to try different combinations and determine the character set accepted by the target site.
Math.random() vs crypto.getRandomValues(): PRNG security difference Math.random() produces pseudo-random numbers with predictable output — it should never be used for password generation. crypto.getRandomValues() (CSPRNG) sources entropy from the operating system (/dev/urandom or CryptGenRandom) and provides cryptographically secure randomness. This tool uses CSPRNG to ensure real security. When generating passwords or tokens in your own applications, always use the crypto.getRandomValues() API.