DeveloperGeneralCreatorsecurityutilities

Password Generator

Generate strong, cryptographically random passwords and passphrases with a real-time strength meter.

Cryptographically random passwords and passphrases, generated entirely in your browser. Nothing is sent to a server.

Generate a password

Settings update the password instantly. Use the colour coding to confirm all selected character types are present.

Set at least one character type to generate.

0 chars

Length — 16 characters

6128

Character sets

UppercaseA–ZLowercasea–zNumbers0–9Symbols!@#$

Options

Exclude similarl 1 I O 0Exclude ambiguous{} [] () /

Include your text

These characters are woven into the password at random positions.

About password security

What makes a password strong?

Password strength is determined by two things: the size of the character pool and the length of the password. Together these determine entropy — measured in bits — which represents how many guesses an attacker would need to try in the worst case.

A 16-character password using uppercase, lowercase, numbers, and symbols draws from a pool of roughly 90 characters. That gives approximately 104 bits of entropy — more than enough to defeat even the most powerful offline attack rigs running billions of guesses per second.

Password vs. passphrase — which is better?

Both are strong when generated correctly. The practical difference is usability:

Random passwords are maximally dense — short strings pack a lot of entropy. They are ideal for password manager storage where you never need to type or remember them.
Passphrases trade density for memorability. Four or five random common words joined by a separator (e.g. Silver-Castle-Thunder-Forest) are genuinely random, surprisingly strong, and human-typeable — good for master passwords or device unlock codes.

Why exclude similar characters?

Characters like l, 1, I, O, and 0 are visually indistinguishable in many fonts, especially in printed or handwritten passwords. Excluding them trades a small amount of entropy for a much lower chance of transcription errors. For passwords stored in a manager, you don't need this — enable it when the password will be read by a human.

How secure is this generator?

This tool generates passwords entirely in your browser using the Web Crypto API (crypto.getRandomValues), which produces cryptographically secure random numbers. No password is ever sent to a server, stored, or logged. The page has no backend contact when you generate.

Frequently asked questions

How long should my password be?

16 characters is a solid baseline for most accounts. For high-value accounts — email, banking, password manager master password — use 20+ characters or a 5-word passphrase.

Should I use a password manager?

Yes. A password manager lets you use a unique, randomly generated password for every site without having to remember any of them. The only password you need to remember is the master password — make it a strong passphrase.

What is the crack time estimate based on?

It assumes an offline attack at 10 billion guesses per second — roughly the throughput of a high-end GPU cluster running a fast hash like MD5. Against bcrypt or Argon2 (which good services use), the real crack time would be vastly longer.

Is it safe to use this generator for real passwords?

Yes. All generation happens client-side using the Web Crypto API. Nothing leaves your browser. You can also disconnect from the internet before generating if you want complete certainty.

Why does the colour coding in the password display matter?

Colour coding makes it easier to confirm at a glance that the password contains the character types you selected — especially useful when you need to type it manually somewhere.