ToolActToolAct

Password Generator

Generate strong passwords with custom length and character types

Password Configuration
416324864
UppercaseA-Z
Lowercasea-z
Numbers0-9
Symbols!@#$%^&*
Custom CharactersUse custom character set
Advanced Options

Exclude confusing characters like 0O, 1lI

Exclude Ambiguousi, l, 1, L, o, 0, O
Start with LetterEasier copy-paste
Click generate button to create password
Password StrengthWeak
Batch Generation
Click 'Generate Batch' button to create multiple passwords
History
No history yet

What is a Password Generator?

A password generator creates random, hard-to-guess passwords based on selected length and character rules. A good generator relies on cryptographically secure randomness and combines uppercase letters, lowercase letters, numbers, and symbols only when the target system can actually accept them. Strong passwords reduce the risk of dictionary attacks, brute-force guessing, and credential stuffing, but they do not replace good security habits such as using a password manager, keeping every account unique, and enabling multi-factor authentication. Very complex passwords should not be memorized or reused; they should be stored securely. For shared systems, rotation, ownership, and access rules also need clear handling.

How to Use

Generation Steps

  1. Select password length (minimum 12 characters recommended)
  2. Check character types: uppercase, lowercase, numbers, symbols
  3. Optionally exclude confusing characters like 0O, 1lI
  4. Click Generate button, repeat until satisfied

Password Strength

  • Weak: Less than 8 characters or single character type
  • Fair: 8-11 characters with mixed letters and numbers
  • Good: 12-15 characters with multiple character types
  • Strong: 16+ characters with all character types

Security Tips

  • All passwords are generated locally, never uploaded to servers
  • Use different passwords for different websites
  • Use a password manager to store passwords securely
  • Regularly change passwords for important accounts
  • Avoid using personal information in passwords

Use Cases

Generating passwords with precise character rulesSet length from 4 to 64 characters, choose uppercase, lowercase, numbers, symbols, custom character pools, exclusions, ambiguous-character removal, and whether the password must start with a letter. Passwords are generated and used locally - the page pulls entropy from crypto.getRandomValues and the resulting string is held in memory until you copy it into the destination application, so it is never uploaded to any service.
Creating batches for account setup or testingGenerate 5, 10, 20, or 50 passwords using the current rules and copy individual results from the batch list. Presets for simple, medium, strong, and PIN-style passwords make it quick to switch between real credentials and test data. Every value in the batch list is generated and used locally, which means the same session can produce throwaway fixtures and real account passwords without any of them crossing the network.
Keeping short local generation historyThe latest generated passwords are stored in localStorage with times and can be cleared from the page. This is useful during setup sessions, but the history behavior also makes it important to clear the list on shared machines. Because each entry is generated and used locally, the history file is the only copy in existence - removing it via the Clear button truly removes the value from the device.
Generating a memorable passphrase-style passwordDisable symbols, set length around 20, and let only lowercase and numbers combine so the result looks closer to a passphrase. Still rely on a password manager to store it - long strings are not designed for memorization. The randomness source stays in the browser tab, so the same passphrase generator can be used on a workstation that is offline or behind a restrictive firewall.
Creating test fixtures that match a target password policySet the same length, character classes, and exclusions the production validator enforces, then generate batches of 20-50 to seed QA, signup forms, or breach simulations. The generator does not validate against real systems, so double-check the policy itself. Because each fixture is generated and used locally, the same page can produce thousands of compliant test passwords without leaking the policy or the generated values through a network call.

Technical Principle

The password generator draws randomness from crypto.getRandomValues(new Uint32Array(n)), which fills a typed array with cryptographically secure pseudo-random values sourced from the operating system's entropy pool (getrandom on Linux, BCryptGenRandom on Windows, SecRandomCopyBytes on macOS/iOS). This is a CSPRNG as defined by the W3C Web Cryptography API — unlike Math.random(), which in V8 uses the xorshift128+ algorithm and is explicitly documented as non-cryptographic and predictable from a small sample of outputs. The character pool is assembled from user-selected character classes: uppercase (26 letters A-Z), lowercase (26 letters a-z), digits (10 characters 0-9), and symbols (32 characters from !@#$%^&*()_+-=[]{}|;:,.<>?), yielding a maximum pool of 94 characters. A custom character set or exclusion list (including an ambiguous-character filter that removes i, I, l, L, 1, o, O, 0) further refines the pool. Each password character is selected by taking array[i] % pool.length, which is uniformly distributed because the CSPRNG output is uniform over 32 bits and the modulo bias (|pool| does not divide 2^32 evenly) is negligible for pools under 256 characters — the bias is under 0.00000006%, far below any practical concern. Password strength is measured by the size of the search space: for a pool of size C and password length L, the number of possible passwords is C^L. The entropy in bits is log2(C^L) = L × log2(C). For a 16-character password with all four character classes enabled (C=94), this yields 94^16 ≈ 4.4 × 10^31 combinations, or about 105 bits of entropy. At a hypothetical attack rate of 10^12 guesses per second (roughly the throughput of a large GPU cluster against a fast hash like NTLM), exhaustive search would take approximately 4.4 × 10^19 seconds — far longer than the age of the universe. This model assumes the attacker must test every combination (no dictionary or pattern-based shortcuts) and that the password is hashed with a slow, salted algorithm like bcrypt or Argon2id rather than stored in plaintext. NIST SP 800-63B recommends a minimum of 8 characters for user-chosen passwords and at least 6 randomly generated characters for machine-generated credentials, with the character set documented. The generator's length range of 4–64 characters covers everything from PIN codes to high-entropy machine credentials. The start-with-letter option ensures the first character is drawn from [A-Za-z], which satisfies legacy systems that require passwords to begin with a letter.

  • CSPRNG source: crypto.getRandomValues() pulls entropy from the OS kernel's CSPRNG (getrandom/BCryptGenRandom/SecRandomCopyBytes) — unlike Math.random() (xorshift128+), it is not predictable, not seedable by the page, and suitable for credential generation.
  • Character space math: With all four classes enabled the pool size is 94; entropy per character is log2(94) ≈ 6.55 bits. A 16-character password carries ~105 bits of entropy; doubling the length to 32 raises this to ~210 bits.
  • Modulo selection: array[i] % pool.length maps the 32-bit CSPRNG output to a character index — the bias is under 6 × 10^-8 % for pools under 256 characters, making it cryptographically irrelevant.
  • Brute-force resistance model: At 10^12 guesses/second (GPU cluster scale), a 16-character, 94-symbol password would take ~10^19 seconds to exhaust — but this assumes a fast hash; bcrypt at cost factor 12 drops the attacker to ~10^4 guesses/second, making even 8-character passwords resilient.
  • Ambiguous character exclusion: The filter removes {i, I, l, L, 1, o, O, 0} (8 characters) — this reduces the pool from 94 to 86, costing roughly 0.6 bits of entropy per character, which is acceptable for the usability gain in manual transcription scenarios.
  • NIST SP 800-63B alignment: The standard requires a minimum of 6 randomly chosen characters for machine-generated secrets and recommends documenting the character space — the generator's presets (Simple 8-char, Strong 20-char) map to different assurance levels.
  • localStorage history: The last 10 generated passwords are persisted in window.localStorage, which is scoped to origin and browser profile — clearing history removes them from storage, but a disk-level forensic tool could recover them because localStorage is stored as a plaintext SQLite database in the browser profile directory.

Examples

Strong password (mixed character classes)

Kx9#mP2$vL7@nQ4!  -  16 characters, all four classes (upper/lower/digit/symbol)
Strength: extremely high; even at 10 billion guesses per second, brute-forcing would take centuries

PIN code (4 digits)

8527  -  4 numeric digits
Strength: 10,000 combinations; suitable only for device unlock with rate-limiting and lockout, not online accounts

Password strength comparison

8 chars, lowercase only : 26^8      ≈ 2.08e11 combinations
8 chars, mixed classes   : 94^8      ≈ 6.10e15 combinations
16 chars, mixed classes  : 94^16     ≈ 3.7e31 combinations
Note: each extra character multiplies the keyspace by 94, not by 8 - length matters more than class count

FAQ

Is the password generated in my browser?

Yes. The page uses crypto.getRandomValues from the Web Crypto API, which provides cryptographically strong random bytes. The password never leaves your device, is not logged, and is not derived from a deterministic seed. Refresh the page to start a fresh entropy sequence if you want to be sure.

What length and character mix should I pick?

For online accounts, 16+ characters with uppercase, lowercase, digits, and symbols is the modern minimum. For master passwords (password manager, encryption keys), 20+ characters or a 6-7 word passphrase is safer. Length matters more than character set complexity past a certain point.

Why do some sites reject the password I just generated?

Some sites still enforce surprising restrictions: maximum length (often 12-20), no symbols, only specific allowed symbols, or no whitespace. The page exposes character toggles so you can match the rules. Report the offending site - those policies actively weaken security.

Are some characters intentionally avoided?

If you enable the 'avoid look-alike characters' option, the generator excludes 0/O, 1/l/I and similar pairs that are easy to misread when copying off paper or a sticky note. Disable it for the maximum entropy when you'll only use the password digitally.

Is a long random password safer than a passphrase?

At equal entropy, both are equally hard to brute-force. A 16-character mixed password is roughly equivalent to a 6-word random-from-2000-word-list passphrase. Passphrases are easier to type and remember; pure random strings are easier to paste from a manager. Pick by use case.

Can I trust this for password manager master keys?

Yes - the source of randomness is the same Web Crypto API your browser uses for HTTPS keys. That said, for ultra-high-stakes secrets (master keys, recovery codes), people often prefer to roll dice (diceware) or use an offline tool, simply to remove the browser entirely from the trust chain.

Should I store the generated password here?

No. The page does not save passwords; copy it into a password manager (1Password, Bitwarden, KeePass, the browser's built-in manager) immediately. Closing the page or hitting refresh discards it permanently.