Password Generator
Generate strong passwords and passphrases using cryptographically secure randomness.
How It Works
All randomness comes from crypto.getRandomValues(), a cryptographically secure
pseudo-random number generator (CSPRNG) built into every modern browser. Passwords are generated
entirely in your browser — nothing is ever sent to a server.
Entropy measures how unpredictable a password is. Password entropy is length × log₂(pool size). A 16-character password using all character sets has
~105 bits of entropy — at a trillion guesses per second, brute-forcing it would take longer
than the age of the universe. Generally, 80+ bits is considered very strong.
Rejection sampling is used when selecting characters to avoid modulo bias — a subtle flaw where some characters are slightly more likely to appear when the pool size doesn't divide evenly into the random number range. Random values outside the largest multiple of the pool size are discarded and redrawn.
Passphrases (inspired by Diceware) chain random words from a 1,547-word list. Each word contributes ~10.6 bits of entropy. A 4-word passphrase is easy to remember and provides ~42 bits of entropy — often stronger than a shorter complex password, and far more memorable.
Length beats complexity. Adding one more character to a 16-char password increases entropy by ~6.5 bits — equivalent to adding another character set. For passphrases, one more word adds ~10.6 bits.
Related Tools
Frequently Asked Questions
How long should a password be?
At minimum 12 characters for general accounts; 16+ for sensitive accounts like email and banking. Every additional character multiplies the brute-force search space exponentially. A 16-character random password has roughly 105 bits of entropy — effectively uncrackable.
Are passphrases more secure than random character passwords?
It depends on length. A 4-word Diceware passphrase has ~51 bits of entropy. A 12-character random password with all character types has ~79 bits. Use 5–6 words for a passphrase that beats a short complex password while remaining memorable.
Is this password generator safe?
Yes. All randomness comes from crypto.getRandomValues(), the browser's cryptographically secure RNG. Passwords are generated entirely in your browser and never sent to any server.
Should I use a password manager?
Yes. A password manager lets you use a unique, strong, random password for every account without memorising them. Popular options include Bitwarden (open source, free), 1Password, and Dashlane.
What makes a password strong?
Length is the single biggest factor. After that: using all character types (upper, lower, digits, symbols), avoiding dictionary words, and not reusing passwords across sites. A password manager + a strong unique password per site is the gold standard.