Password Generator
Generate strong, secure passwords with custom length and character options. Includes uppercase, lowercase, numbers, and symbols. Completely free and runs locally in your browser.
What makes a password strong (it's not what most sites tell you)
Password strength is measured in entropy — the base-2 logarithm of the number of possible passwords an attacker would have to try. Entropy depends on the size of the character pool and the length of the password. If you use all 94 printable ASCII characters, each character contributes about 6.55 bits; a 12-character password gets you about 78 bits; a 16-character one gets you 105 bits. For reference, 80 bits is considered safe against any non-state-level attacker through the 2030s. Anything over 128 is overkill.
Length beats symbols — by a mile
A 20-character lowercase-only password (20 × log₂(26) ≈ 94 bits) is stronger than a 12-character password that uses all four character classes (≈ 79 bits), even though the second one looks more "secure" to a typical site password meter. This is why NIST SP 800-63B stopped recommending forced complexity rules in 2017. If you can remember a long passphrase — four to five random unrelated words — you're safer than with P@55w0rd!. This generator defaults to 16 characters for that reason; slide it higher if you're paranoid.
Randomness is non-negotiable
This tool uses crypto.getRandomValues(), the browser's Web Crypto API. That's a cryptographically secure pseudorandom number generator — the same one used to generate TLS session keys. It is not Math.random(), which is seeded from the clock and is predictable. The difference matters: a password generator that uses Math.random() can theoretically be reverse-engineered by an attacker who knows roughly when you generated the password. This one can't.
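As an added illustration (this is not the tool's own source), here is one way to turn crypto.getRandomValues() output into a password without biasing the character choice, plus the entropy formula from the sections above. The names ASCII94, generatePassword, entropyBits and the fillRandom parameter are assumptions made for this example.

```javascript
// Added example, not the page's generator code.
// Web Crypto is global in browsers and current Node; require() is a fallback for older Node.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// The 94 printable ASCII characters (codes 33..126), the pool the text refers to.
const ASCII94 = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join("");

// fillRandom is a hypothetical injection point so the sampler can be exercised
// with fixed bytes; by default it is crypto.getRandomValues().
function generatePassword(length, pool = ASCII94, fillRandom = (buf) => rng.getRandomValues(buf)) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  const chars = [...new Set(pool)]; // duplicate characters would skew the distribution
  if (chars.length < 2 || chars.length > 256) {
    throw new RangeError("pool must contain 2..256 distinct characters");
  }

  // A byte has 256 values. Unless 256 is a multiple of the pool size n,
  // `byte % n` favours the first (256 % n) characters. Rejecting bytes at or
  // above the largest multiple of n makes every character equally likely.
  const n = chars.length;
  const limit = 256 - (256 % n);
  const out = [];
  const buf = new Uint8Array(length * 2);
  while (out.length < length) {
    fillRandom(buf);
    for (const b of buf) {
      if (b < limit) out.push(chars[b % n]);
      if (out.length === length) break;
    }
  }
  return out.join("");
}

// Entropy in bits of a uniformly random password: length * log2(pool size).
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}
```

With the 94-character pool the rejection limit is 188, so roughly a quarter of the random bytes are discarded; that cost is what keeps each character at the full log₂(94) bits.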
How long a brute-force takes
Assume an offline attacker who stole a hashed password database and has a rig doing 100 billion guesses per second (a high-end consumer GPU setup on a fast hash like NTLM; much slower on bcrypt/Argon2):
- 8 chars, mixed: 6 quadrillion combos — about 17 hours. Don't.
- 10 chars, mixed: ~5 months.
- 12 chars, mixed: ~3,000 years.
- 16 chars, mixed: ~240 billion years.
Those numbers assume the attacker has the hash. For an online attacker guessing against a rate-limited login form, even 10 characters is effectively out of reach. The bigger modern threat is password reuse: when one site leaks, attackers try those passwords everywhere. A unique password per site is more important than making each one astronomically strong.
Use a password manager
Generating one good password is a nice trick. Generating a different one for every site you use and actually remembering them is impossible without help. 1Password, Bitwarden, KeePassXC (free, local-only), and the password managers built into iOS, macOS, Chrome, and Firefox all handle this for you. Generate your master password here; let the manager generate the rest, unique per site.
Privacy
Passwords are generated in the browser by calling crypto.getRandomValues() and are never transmitted anywhere. They're not written to localStorage, not logged to analytics, and not sent to our servers (there are no servers involved in the generation). Close the tab and the password disappears. If you want to convince yourself, right-click → View Source to read the generator code; it's about 30 lines.