🔐

Password Generator

Generate cryptographically secure random passwords with custom length and character sets. Bulk generation supported. Nothing is sent to any server.

Generated Password
Click Generate to create a password
Options
Length: 16 characters
16
Character Sets
Bulk Generator
Generate passwords

About the Password Generator

This password generator uses the browser's built-in crypto.getRandomValues() API for all generation. This is a cryptographically secure random number generator suitable for security-sensitive applications, unlike Math.random() which is not cryptographically secure and should never be used for passwords or tokens.

You can control password length from 4 to 128 characters and choose which character sets to include. The Exclude Ambiguous option removes characters that look similar in certain fonts (0, O, l, 1, I), which is useful when passwords need to be typed from a screen or read aloud. The strength meter gives a real-time indication of password quality based on length and character set diversity. Nothing is transmitted to any server at any point.

Password Security Guidelines

  • 📏
    Use at least 16 characters. Length is the single most important factor in password strength. A 16-character random password is far stronger than a 10-character password with complex rules.
  • 🎲
    Use all four character types. Uppercase, lowercase, numbers and symbols together give the largest possible character space, making brute-force attacks computationally infeasible.
  • 🔑
    Use a different password for every account. A password manager is the only practical way to do this. Generate a unique 20+ character password for each service and store it in a manager like Bitwarden or 1Password.
  • 🏢
    For service accounts and APIs. Use 32+ character passwords with all character types. Service accounts are high-value targets and rarely need to be typed manually.

Frequently Asked Questions

Is crypto.getRandomValues truly secure?
Yes. crypto.getRandomValues() uses the operating system's cryptographically secure pseudorandom number generator (CSPRNG), the same source used by security libraries and password managers. It is suitable for generating passwords, tokens, keys and other security-sensitive values.
Are my generated passwords stored anywhere?
No. Everything runs in your browser. The generated passwords are never transmitted to any server, logged, or stored anywhere. Close the tab and they are gone.
How long should an IT service account password be?
For service accounts, API keys and privileged accounts, 24 to 32 characters is a reasonable minimum. These passwords are stored in a vault and never typed manually, so longer is always better. Enable all character sets unless the target system has specific restrictions.
What does the Exclude Ambiguous option do?
It removes characters that look similar in many fonts: the number zero (0) and letter O, the lowercase L (l) and number one (1) and capital I. Use this when the password will be typed from a printed sheet or read from a screen, reducing transcription errors.

Password Use and Storage Notes

Strong passwords should be unique for every account and stored in a trusted password manager. Longer passphrases are usually easier to type and remember, while fully random strings are better for accounts and systems where a password manager can autofill them.

Do not reuse generated passwords across services. For business systems, follow the organisation's password policy, multi-factor authentication requirements and credential-sharing rules.