Is this generator cryptographically secure?

Yes. We use the Web Crypto API (crypto.getRandomValues) — the same RNG your browser uses for TLS. Math.random() is not used.

Entropy in bits measures how hard a password is to guess. 60+ bits resists offline attacks; 80+ bits is overkill but cheap. Length matters most.

Are passwords sent anywhere?

No. Generation happens in your browser using the Web Crypto API. Nothing is logged or transmitted.

Password Generator

Generate cryptographically secure passwords or passphrases in your browser. Entropy meter, length and character set controls, one-click copy.

Runs in browser
No signup
No tracking

Found this useful?Buy me a coffee

How to use Password Generator

Pick a length and character classes.
Or switch to passphrase mode for memorable diceware-style words.
Click Generate to roll a new value.
Copy with one click.

When to use it

Bootstrapping new account passwords.
Generating API keys, signing secrets, and seed strings.
Creating Wi-Fi passphrases that humans can type.
Demoing 'what does 80 bits of entropy look like'.

What it fixes

Reusing passwords across accounts.
Choosing memorable passwords that are easy to crack.
Generators that secretly use Math.random().

About Password Generator

A good password generator does three things: use a real RNG, let you control the character set, and tell you how strong the result is.

This one runs entirely in your browser using `crypto.getRandomValues` (the same RNG that powers TLS handshakes), shows live Shannon entropy in bits, and supports both random strings and EFF-style word passphrases. Lowercase, uppercase, digits, and symbols toggle independently. Avoid-similar mode strips ambiguous characters like `0/O` and `1/l/I`.

References: MDN — Crypto.getRandomValues · NIST SP 800-63B — Digital Identity Guidelines

Frequently asked

Is this generator cryptographically secure?
Yes. We use the Web Crypto API (crypto.getRandomValues) — the same RNG your browser uses for TLS. Math.random() is not used.
What is entropy?
Entropy in bits measures how hard a password is to guess. 60+ bits resists offline attacks; 80+ bits is overkill but cheap. Length matters most.
Passwords or passphrases?
Passphrases (e.g. 5 random words) are easier to type and remember at the same entropy. Use them for accounts you log into manually; use random strings for secrets stored in a manager.
Are passwords sent anywhere?
No. Generation happens in your browser using the Web Crypto API. Nothing is logged or transmitted.

Discussion

All tools

Password Generator

Result

Options