Password Generator — Strong & Secure
Generate strong, cryptographically random passwords with customizable length and character sets. Includes a real-time strength meter showing bits of entropy, crack time estimate, and character set pool size. All generation runs in your browser — passwords are never transmitted.
Count
Pro — passphrase generator, zxcvbn strength analysis, bulk 1000+, API access
API access · Priority queue · Team workspace
How It Works
Set Your Requirements
Drag the length slider (4–128 characters), check the character sets you want (uppercase, lowercase, numbers, symbols), and toggle exclusions for ambiguous characters (0, O, l, 1, I — which look similar in many fonts) and visually similar characters. The character pool size and resulting entropy update instantly as you change settings, so you can tune the password to your exact requirements.
Generate & Evaluate
Click Generate or press the refresh icon. The password is generated character by character using crypto.getRandomValues() with rejection sampling to eliminate modulo bias. The strength meter shows the entropy in bits (log₂(pool^length)), a color-coded strength rating (Weak/Fair/Good/Strong/Very Strong), and an estimated crack time at 100 billion attempts per second (GPU brute-force rate).
Copy or Generate Bulk
Copy the single password to clipboard, or enter a count (1–50) and click Generate All to produce multiple passwords at once. Each password in the bulk list has its own Copy button. Click Copy All for newline-separated output ready to paste into a spreadsheet or secret manager import file, or Download as a text file.
Password Generator Features
Entropy & Strength Meter
The strength meter calculates Shannon entropy: entropy = length × log₂(pool_size). A password with 128 bits of entropy from a 94-character pool (all printable ASCII) is considered uncrackable by brute force with current technology. The crack time estimate uses 100 billion guesses per second — a realistic rate for a modern GPU cluster. The color bar goes from red (weak, under 40 bits) to green (very strong, 128+ bits).
Cryptographically Secure
Passwords are generated using crypto.getRandomValues() with rejection sampling: random bytes are drawn from the CSPRNG and characters whose index is in a range that would cause modulo bias are discarded and redrawn. This ensures a perfectly uniform distribution across the character set — no character is more or less likely than any other, which is essential for maximum password security.
Ambiguous Character Exclusion
Toggle "Exclude ambiguous" to remove characters that look similar in many fonts: 0 (zero) and O (capital letter o), l (lowercase L) and 1 (one) and I (capital i). These characters cause errors when manually transcribing passwords from a screen or printed paper. Excluding them slightly reduces the character pool (and entropy) but significantly reduces manual transcription errors for passwords that will be typed by hand.
Bulk Password Generation
Generate 1–50 passwords in a single click using the same settings. Each password is independently generated with fresh random bytes. The bulk list shows all passwords with individual copy buttons. Useful for provisioning temporary passwords for a batch of new user accounts, generating API keys for development environments, or creating a set of test credentials for security audits.
Fully Customizable
Mix and match any combination of character sets: 26 uppercase letters, 26 lowercase letters, 10 digits, and 32 symbols (common punctuation and special characters on a standard keyboard). Apply optional exclusions for ambiguous and similar characters. Set length anywhere from 4 to 128 characters. The pool size updates in the strength display, letting you see exactly how many possible passwords exist for your current settings.
100% Private
Passwords are generated and displayed entirely in your browser. Nothing is sent to any server, logged, or stored. No analytics on the passwords you generate. Safe for generating passwords for production systems, banking accounts, secret manager master passwords, and any other high-security context. Disconnect from the internet and confirm the tool still works — there is no server dependency.
Free vs Pro
| Feature | Free | Pro |
|---|---|---|
| Full character set customization | ||
| Entropy meter + bulk 50 | ||
| Passphrase generator (word-based) | — | |
| zxcvbn realistic strength analysis | — | |
| Bulk 1,000+ passwords | — | |
| REST API access | — |
Frequently Asked Questions
For most accounts, a random password of 16+ characters from a mixed character set (uppercase, lowercase, numbers, symbols) provides sufficient security. A 20-character password from the full ASCII printable set has approximately 131 bits of entropy — requiring 10²⁷ years to brute-force at 100 billion attempts per second. NIST guidelines (SP 800-63B) recommend a minimum of 8 characters for user-generated passwords and 6+ for multi-factor contexts. For high-value accounts (email, banking, password manager master), use 20+ characters.
Password entropy measures the unpredictability of a password in bits. A password with N bits of entropy has 2^N possible values. Each additional bit doubles the number of possibilities — going from 60 bits to 61 bits makes the password twice as hard to crack. For a random password, entropy = length × log₂(character_pool_size). A pool of 94 characters (all printable ASCII) contributes 6.55 bits per character. The entropy meter in this tool shows the actual entropy in bits and a crack-time estimate.
Yes — for most people, a password manager is the single most impactful security improvement they can make. It allows you to use a unique, strong random password for every account without needing to memorize any of them. You only need to memorize one strong master password. Modern password managers (Bitwarden, 1Password, KeePassXC) offer browser integration, mobile apps, and auto-fill. Use this generator to create passwords, then store them in your password manager.
Characters like O (capital O) and 0 (zero), l (lowercase L) and 1 (one) and I (capital I), look identical or nearly identical in many fonts — especially in printed output, terminal displays, and some website UIs. When a password needs to be typed manually from a screen or printout, confusing these characters causes login failures. Excluding them trades a small reduction in entropy (a few bits) for a much lower chance of manual transcription errors. If you use auto-fill via a password manager, keeping ambiguous characters is fine.
Symbols add entropy, but length matters more. A 20-character lowercase-only password has 20 × 4.70 = 94 bits of entropy. A 12-character all-sets password has 12 × 6.55 = 78.6 bits — weaker than the longer lowercase-only password. The best strategy is to maximize both: use all character sets AND a long password. The entropy meter shows you the exact bit count so you can compare configurations. Note that some systems have maximum length limits or block certain symbols — adjust accordingly.
Yes — all generation runs locally in your browser using the OS-level CSPRNG via crypto.getRandomValues(). No password is transmitted to any server, logged, or stored. The page contains no analytics or external tracking scripts that could observe generated passwords. You can verify by opening browser developer tools, switching to the Network tab, and confirming no requests are made when generating passwords. Safe for generating passwords for high-value accounts and production systems.