Password Generator
Generate strong, random passwords with custom length and character options. Everything runs in your browser.
Everything on this page runs in your browser. No password is sent to any server. The generator uses the Web Crypto API (window.crypto.getRandomValues), which provides cryptographically secure randomness, not the weaker Math.random() that many online generators use.
This generator uses window.crypto.getRandomValues, the browser's cryptographically secure random number generator. This is the same entropy source used in professional security tools, unlike Math.random() which is not suitable for security purposes.
What makes a password strong
Password strength comes from entropy, which is determined by the size of the character set and the password length. A 16-character password using uppercase, lowercase, numbers, and symbols has a character set of about 95 printable ASCII characters. The number of possible combinations is 95^16, which is approximately 4 x 10^31. Brute-forcing this at 1 trillion guesses per second would take longer than the age of the universe. Length matters more than character set complexity at practical lengths.
Password manager vs memorized passwords
The only practical way to use strong unique passwords for every account is a password manager (Bitwarden, 1Password, Dashlane, KeyPass). Memorizing a 16-character random password for every site is not realistic. A password manager generates and stores unique passwords per site, encrypted by a single strong master password that you do remember. This is both more secure and more convenient than reusing passwords or using weak memorable ones.
Passphrases as an alternative
A passphrase (4-5 random words: "correct-horse-battery-staple") is often more memorable and surprisingly strong. Five random words from a 7,776-word list (diceware) produces approximately 64 bits of entropy, comparable to a 10-character truly random password with full character set. Passphrases are better for master passwords that must be memorized; random character passwords are better for everything stored in a password manager.
Frequently asked questions
How often should I change passwords?
NIST (the US National Institute of Standards and Technology) updated its guidance in 2017: stop requiring regular password changes unless there is evidence of compromise. Forced frequent rotation leads to weaker passwords (Password1! becomes Password2!). Use a unique strong password per site and change it only when a breach is known or suspected.
What about two-factor authentication?
A strong password plus 2FA (two-factor authentication) is dramatically more secure than a strong password alone. Even if a password is compromised, 2FA prevents account access without the second factor. Use app-based 2FA (Google Authenticator, Authy) over SMS-based 2FA when possible, as SMS can be intercepted via SIM swapping.