Password Generator
Cryptographically random passwords with explicit character-set controls and entropy reporting. Nothing is transmitted; nothing is logged.
What makes a password strong?
The strength of a random password is measured in bits of entropy. Entropy is the log base 2 of the number of possible passwords that could have been generated under the same rules. A password drawn uniformly from an alphabet of N symbols and of length L has entropy of L × log₂(N). A 24-character password drawn from 94 printable ASCII characters carries about 157 bits — well beyond what any classical or feasible quantum attack can brute-force in any meaningful timeframe.
| Entropy | Resistance | Recommendation |
|---|---|---|
| < 50 bits | Weak | Avoid for any sensitive account. |
| 50–70 bits | Online attacks | OK with rate limiting. |
| 70–100 bits | Offline attacks | Acceptable for most secrets. |
| 100+ bits | Long-term storage | Recommended for vault masters. |
Where the randomness comes from
This tool uses crypto.getRandomValues(), a cryptographic-grade source backed by the operating system's entropy pool. It is the same source used by browsers for TLS, WebCrypto signatures, and crypto.randomUUID(). No pseudo-random number generator like Math.random() is used.
Never paste a generated password into a tool you don't trust. This page generates passwords locally and never transmits them, but the only way to be sure is to verify the source. Pair this tool with a reputable password manager and 2FA wherever possible.
FAQ
Should I memorize a password this strong?
Generally, no. Use a password manager (1Password, Bitwarden, KeePassXC, the built-in macOS/iOS/Chrome managers) to store generated passwords. Memorize only your vault master password — make it a long passphrase rather than a random string.
What's a good length?
For most accounts, 16 characters drawn from all four classes (lower, upper, digit, symbol) is more than enough. Bump to 24+ for vault master passwords, root credentials, and recovery codes.
Why exclude ambiguous characters?
Useful when a password must be read aloud or hand-copied. The trade-off is a slightly smaller character set, which means slightly less entropy per character — keep the length the same and the impact is negligible.
Are passphrases better than random strings?
For things you must type often (vault master, full-disk encryption), a Diceware-style passphrase of 6 or more random words from a large list is easier to remember and still cryptographically strong. For non-memorable passwords stored in a manager, random strings are more compact.