What is a password generator?

A password generator is a tool that creates random, hard-to-guess passwords using cryptographic randomness. Strong passwords are the single most important defense against account takeover – the 2024 Verizon Data Breach Report found that over 80% of hacking-related breaches involved weak, reused, or stolen passwords. This generator uses your browser’s built-in crypto.getRandomValues() API which is certified for cryptographic use – the same source of randomness used by banks and security software. Your generated passwords never touch our server, they exist only in your browser tab.

How to use this tool

1. Set the length — Use the slider to choose between 4 and 64 characters. We recommend 16+ for online accounts and 20+ for critical accounts like email and banking.
2. Pick character types — Toggle uppercase letters, lowercase letters, numbers, and symbols. More variety = stronger password. For maximum security keep all four enabled.
3. Optional toggles — Enable ‘Exclude lookalikes’ to avoid confusing characters like 0/O and 1/l/I. Enable ‘Readable’ for memorable passwords using alternating consonants and vowels.
4. Generate & copy — Click ‘Generate New Password’ or the refresh icon. The strength meter shows entropy in bits and a Weak/Fair/Strong/Very Strong label. Click ‘Copy’ to put it on your clipboard.
5. Store in a password manager — Paste it into Bitwarden, 1Password, or your browser’s built-in manager. Never reuse it across accounts.

How the strength meter works (entropy explained)

Password strength is measured in bits of entropy — the number of guesses an attacker would need on average to crack it. The formula is:

Entropy (bits) = length × log₂(pool size)

Pool size = number of possible characters. With all 4 types enabled (uppercase, lowercase, numbers, symbols) the pool is about 90 characters. So a 16-character password has 16 × log₂(90) ≈ 104 bits of entropy. That is more than the 128-bit threshold for being effectively uncrackable by current technology.

• Under 40 bits — Weak. Can be cracked in seconds to hours.
• 40-60 bits — Fair. Hours to weeks.
• 60-80 bits — Strong. Years.
• Over 80 bits — Very Strong. Centuries with current hardware.

Examples

• Banking / email account: 20 characters, all types, no lookalikes — example: K9j!mPq2Vx&7nF4tBzRY (about 130 bits of entropy)
• Social media: 16 characters, all types — example: 4kF$qLm8XzPb!7Yh (about 104 bits)
• Wi-Fi password (memorable): Readable mode, 20 chars — example: Kolep-Tisaba-Ronufi-93 (easier to dictate over the phone)
• Throwaway accounts: 12-character all-types is enough for low-value sites

Compare these to common bad patterns: password123 has 35 bits, Qwerty@2024 has 50 bits — both fall to common dictionary attacks within minutes.

Tips & best practices

• Use a unique password for every account — one breach should never expose all your accounts
• Combine this generator with a password manager (Bitwarden free tier is excellent) so you do not have to remember any of them
• Enable 2-factor authentication (2FA) on email, banking, and social media — it blocks 99% of automated attacks even if your password leaks
• For passwords you need to type often (laptop login, Wi-Fi), use the Readable mode — 20-character readable passphrases are still over 80 bits of entropy
• Check breach databases like haveibeenpwned.com to see if your old passwords have leaked
• Never share passwords over chat or email — share via a password manager’s secure send feature instead

Limitations & notes

This tool uses the Web Crypto API which is available in all modern browsers (Chrome 11+, Firefox 21+, Safari 7+, Edge 12+). If you are using an obscure browser it will fall back to less secure randomness — in that case use Chrome, Firefox, or Safari. The generated password is only as secure as where you store it — writing it on a sticky note defeats the purpose. Use a reputable password manager.

Frequently Asked Questions

Is this password generator safe to use?

Yes. The entire generator runs in your browser using the cryptographically-secure crypto.getRandomValues() API. Passwords are never sent to our server, logged, or stored anywhere. You can verify this by disconnecting your internet after the page loads – the tool will still work.

How long should my password be?

16 characters is the modern recommendation for online accounts. 20+ characters for critical accounts (email, banking, password manager master password). Length matters more than complexity – a 20-character lowercase password is harder to crack than a 10-character mixed-case password.

Should I use symbols in my password?

Yes, when the site allows it. Symbols expand the character pool from 62 (alphanumeric) to about 90 (with !@#$%^&*()-_=+[]{}<>?,.), which adds about 0.5 bits of entropy per character. Some sites still block certain symbols – if you hit that, increase length instead.

What is the ‘Readable’ mode for?

Readable passwords alternate consonants and vowels to create pronounceable words. They are easier to dictate over the phone, type on a phone keyboard, or memorize. The trade-off is slightly lower entropy per character, but you make up for it by using more characters.

Can I use this for Wi-Fi or router passwords?

Yes. For Wi-Fi we recommend the Readable mode at 20+ characters since you may need to share it with guests. For router admin passwords use full-strength 24+ characters.

Why does the same input give different passwords every time?

True random number generation, by definition, produces different outputs every time. This is desired – if the same inputs always produced the same password, attackers could brute-force the generator instead of the password.

Are auto-generated passwords from my browser as secure?

Yes – Chrome, Firefox, and Safari all use crypto-secure random sources just like this tool. The advantage of a dedicated generator is finer control over length, character types, and the ability to generate without an account form open.

Related tools

Hash Generator · Random Number Generator · UUID Generator