Skip to content
1001 Tools
sr
Generators

Password Generator

Pick a length, choose which character types to include, and get a password built from your browser’s cryptographic random number generator. The password is created on your device and never sent anywhere — you can even load this page and disconnect from the internet first.

How it works

The generator uses the Web Crypto API, the same source of randomness browsers use for encryption. Each character is drawn uniformly from the combined pool of the sets you selected, using rejection sampling to avoid the subtle bias that naive random-number tricks introduce.

One character from every selected set is always guaranteed, so a “letters + digits + symbols” password never accidentally comes out as letters only — a common reason sites reject generated passwords.

The strength label is based on entropy: the number of possible passwords, expressed in bits. Each added character multiplies the search space, which is why length beats complexity — a 20-character lowercase password is far stronger than an 8-character one full of symbols.

Practical examples

A master password for a password manager

Set length to 20+ with all character types. At roughly 130 bits of entropy, this is beyond any realistic brute-force attack, and it is the single password actually worth memorizing.

A Wi-Fi password guests can type

Turn off symbols and generate 16 characters of letters and digits. Still around 95 bits — extremely strong — but far easier to type on a phone or TV remote.

A site that limits passwords to 12 characters

Set the slider to 12 and keep all sets on. Some older sites cap length; with all four character types you still get about 78 bits, which is adequate for an account protected by rate limiting.

A PIN-style numeric code

Keep only digits on and choose the length. Note the strength meter drops sharply — a 6-digit code has under 20 bits of entropy, fine for a phone lock with retry limits, useless as an online password.

Frequently asked questions

Is it safe to generate a password on a website?

On this one, yes — generation runs entirely in your browser using JavaScript, with no network requests involved. You can verify by opening your browser’s developer tools network tab, or by loading the page and switching to airplane mode before generating.

What makes a password strong?

Length, mostly. Every added character multiplies the number of combinations an attacker must try. A random 16-character password from a 90-character pool has about 104 bits of entropy — even at a trillion guesses per second, cracking it would take longer than the age of the universe.

What is entropy and why is it shown in bits?

Entropy measures how many possible passwords your settings can produce: n bits means 2ⁿ possibilities. 40 bits is crackable, 60 bits resists casual attacks, and 80+ bits is considered strong against offline cracking of properly hashed passwords.

Why does the password always include a digit when I enable digits?

The generator guarantees at least one character from each set you select. Without that guarantee, roughly 1 in 6 sixteen-character passwords with digits enabled would contain none, and sites that require a digit would reject them.

Should I use symbols?

They help, but less than people think — going from letters+digits to letters+digits+symbols adds about 0.4 bits per character. Adding two characters of length helps more than adding symbols. Use symbols when the site requires them; prefer length otherwise.

How random is “cryptographically random”?

The Web Crypto API draws from your operating system’s entropy source — the same one used for TLS keys. Unlike Math.random(), it is designed to be unpredictable even to someone who has observed previous outputs.

Can I get the same password twice?

In theory; in practice, never. For a 16-character password with all sets enabled there are around 10³¹ possibilities. Generating a duplicate is vastly less likely than winning a lottery jackpot multiple times in a row.

How should I store the passwords I generate?

In a password manager (Bitwarden, 1Password, KeePassXC, or the one built into your browser). Never reuse a password across sites — the point of a generator is a unique password per account, remembered by software instead of you.

Why not use a memorable passphrase instead?

Passphrases like “correct horse battery staple” are a great choice for passwords you must type from memory. For everything stored in a password manager, random strings are shorter at equal strength. Use a passphrase for the manager itself, random passwords inside it.

Which symbols does the generator use?

!@#$%^&*()-_=+[]{};:,.? — a set widely accepted by websites. Quotes, backslashes and spaces are deliberately excluded because some systems mishandle them in forms or config files.

Related tools