Strong Password Generator

Generate secure, random passwords with custom rules.

Frequently Asked Questions

Why is a generated password safer?

Humans are predictable and tend to use dictionary words, dates, or simple patterns (like Password123!). Randomly generated passwords have high entropy, which makes them infeasible to guess in any practical amount of time.

Does this tool save my passwords?

Absolutely not. Passwords are generated locally in your browser using the secure Web Crypto API. They are never transmitted, tracked, or saved to any server.

How long should a strong password be?

Security experts recommend a minimum of 16 characters for critical accounts (like email or banking). However, 20+ characters are ideal if you are using a password manager.

Can password cracking tools guess these?

A 16-character password with mixed cases, numbers, and symbols would take a modern supercomputer trillions of years to crack by brute force.

How do I remember a 20-character random password?

You shouldn't try! Use a reputable password manager (like Bitwarden, 1Password, or Apple Keychain) to store generated passwords securely.

What does the "Exclude Ambiguous" setting do?

It removes characters that look similar and are easy to mistype (like an uppercase "I" and a lowercase "l", or the letter "O" and the number "0").

Detailed Guide

The Difference Between a Guessable and an Uncrackable Password

"Password123" gets cracked in under a second. "Fluffy2019!" falls to a dictionary attack in seconds. Your dog's name with your birth year takes seconds too. The tricks the average person uses to "make it memorable" are exactly what automated password-cracking tools are optimised to try first.

A cryptographically random password — one where each character is independently chosen from a character pool with no pattern — gives attackers nothing to work from. This generator creates exactly that. Every click produces a new password chosen with your browser's cryptographic random number generator. Your password never leaves your device.


How the Generator Works Under the Hood

Cryptographic randomness — not Math.random()

The Web Crypto API's crypto.getRandomValues() is used to generate each character index:

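const length = 16; // example value: desired password length
const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; // example pool
const array = new Uint32Array(length);
crypto.getRandomValues(array); // fill the array with CSPRNG output
const password = Array.from(array, n => charset[n % charset.length]).join(''); // map each value to a pool index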

This is a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator). It draws from your operating system's entropy pool — hardware noise, timing jitter, interrupt randomness — not a predictable mathematical sequence. Math.random() is explicitly not used because it is deterministic and can be predicted if the seed is known.

Entropy — the real measure of password strength

Entropy (bits) = log₂(charset_size) × password_length

| Character Set | Size | Bits per Character | 16-char Entropy |
| --- | --- | --- | --- |
| Lowercase only | 26 | 4.70 | 75.2 bits |
| Lower + Upper | 52 | 5.70 | 91.2 bits |
| Lower + Upper + Digits | 62 | 5.95 | 95.2 bits |
| All (+ 32 symbols) | 94 | 6.55 | 104.8 bits |

At 10 billion guesses per second (world-class GPU cluster), 104 bits of entropy would take approximately 3 × 10¹³ years to brute-force. By comparison, an 8-character all-alpha password has ~38 bits — crackable in minutes with modern hardware.
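
Added example, not the tool's own code: the snippet above maps each 32-bit value with n % charset.length, which leaves a very small bias toward low indices whenever 2^32 is not a multiple of the pool size. This version removes that bias with rejection sampling and evaluates the entropy formula; the pool contents, the ambiguous-character set and all function names are assumptions.

```javascript
// Web Crypto in browsers and current Node; older Node falls back to node:crypto.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Character pools (assumed): 26 + 26 + 10 + 32 printable ASCII symbols = 94.
const POOLS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};
const AMBIGUOUS = new Set('IlO0'); // look-alikes named in the FAQ (assumed exact set)

function buildCharset(kinds, excludeAmbiguous = false) {
  const chars = kinds.map(k => POOLS[k]).join('');
  return [...chars].filter(c => !(excludeAmbiguous && AMBIGUOUS.has(c))).join('');
}

// Uniform index in [0, n) by rejection sampling: draws that fall in the
// incomplete final block of size (2^32 mod n) are discarded and redrawn.
function uniformIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, charset) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError('length must be a positive integer');
  if (charset.length < 2) throw new RangeError('charset needs at least 2 characters');
  return Array.from({ length }, () => charset[uniformIndex(charset.length)]).join('');
}

// Entropy (bits) = log2(charset_size) * password_length
function entropyBits(charsetSize, length) {
  return Math.log2(charsetSize) * length;
}

// Average years to brute-force: half the keyspace at the given guess rate.
function yearsToCrack(bits, guessesPerSecond) {
  return 2 ** (bits - 1) / guessesPerSecond / (365.25 * 24 * 3600);
}

const demoCharset = buildCharset(['lower', 'upper', 'digits', 'symbols'], true);
console.log(generatePassword(20, demoCharset), entropyBits(demoCharset.length, 20).toFixed(1));
```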


Recommended Settings by Use Case

| Use Case | Recommended Length | Character Set | Notes |
| --- | --- | --- | --- |
| Standard web accounts | 16–20 chars | All types | Store in password manager |
| Master password (vault) | 20–25 chars | All types | Write down and store securely offline |
| Wi-Fi network (WPA2/3) | 16–20 chars | No ambiguous chars | You may need to type this manually |
| PIN / numeric codes | 8–12 digits | Numbers only | For systems requiring numer... |
