Strong Password Generator
Cryptographically-secure random passwords using window.crypto.getRandomValues(). Adjust length, choose character sets, exclude ambiguous characters. Runs entirely in your browser.
What makes a strong password?
A strong password is one that's effectively impossible to guess by brute force in a reasonable amount of time, and that doesn't appear in any password breach database. Three things drive that: length (more characters = exponentially more guesses needed), character variety (using upper, lower, digits and symbols expands the search space per character), and randomness (a truly random password doesn't follow predictable patterns the way a human-chosen one does).
This generator delivers all three. Length is your choice. Character sets are toggleable. Randomness comes from your browser's crypto.getRandomValues() API β a cryptographically secure random number generator suitable for keys, tokens and passwords.
How long should a password be?
- 8 characters β minimum that meets most password policies. Crackable in hours with a modern GPU. Don't use this.
- 12 characters β current OWASP minimum. Crackable in days/weeks for fast offline attacks but generally safe against online attacks.
- 16 characters β solid baseline for personal accounts. Effectively uncrackable.
- 20+ characters β recommended for important accounts (email, banking, password manager master).
- 32β64 characters β recommended for service-account credentials and API tokens.
Length matters far more than complexity. A 20-character all-lowercase random string is harder to crack than an 8-character "complex" password with all four character classes.
Character sets β when to include each
- Uppercase + lowercase + digits + symbols β recommended for the vast majority of accounts.
- Lowercase + digits only β use only when the destination system rejects mixed case or symbols (rare in 2026).
- No symbols β useful when you'll have to type the password on a mobile keyboard regularly.
- No ambiguous β toggling "Exclude ambiguous" removes characters that look alike (O/0, l/1, I/|, S/5). Helpful when you'll need to read the password out loud or type it from print.
Passwords you should generate, not memorise
Your password manager's master password is one you should memorise β make it a long, memorable but high-entropy passphrase (5β6 random English words, ~70 bits entropy). Every other password should be machine-generated, stored in the password manager, and never memorised. Letting humans pick "their" passwords for each site is the source of most password breaches.
Tips and best practice
- Use a password manager. 1Password, Bitwarden, Keeper, Apple Passwords. Generate per-site, never reuse.
- Enable two-factor authentication everywhere. Even a perfect password is only one factor.
- Check breach databases β Have I Been Pwned, your password manager's built-in checker.
- Don't email passwords. Use a password manager's sharing feature or a one-time-secret service.
- Don't reuse passwords across sites β breach on one site exposes accounts on every other.
FAQs
Is this truly random?
Yes β uses the browser's crypto.getRandomValues() API which is cryptographically secure. Not the same as Math.random().
Is the password ever sent to a server?
No. Generation runs entirely in your browser.
Can I generate many at once?
Yes β set "Count" above 1.
What about passphrases (multi-word) instead of passwords?
Coming in a future tool. For now, this generates dense random strings.
Why exclude ambiguous characters?
When you need to type from screen or read out loud, O/0 confusion is real. Tick the box to remove them at the cost of a small reduction in entropy.