Secure Password Generator

Generate cryptographically random passwords using crypto.getRandomValues — not Math.random. Configure length and character classes. Bulk-generate up to 100. Nothing is logged or transmitted; refresh the page and the generated passwords are gone.

How to use the Secure Password Generator

Pick a length (20+ is recommended for anything important), pick the character classes you need, and click Generate. The tool produces the requested number of passwords with at least one character from each enabled class. Use "Exclude ambiguous" when the password might be read aloud or copied from a screen.

What makes a password strong

Two factors: length and randomness. Length matters more — a 20-character password from a 95-character alphabet has 128 bits of entropy, well past brute-force in any reasonable timeframe. A 12-character password from the same alphabet has 76 bits; still safe today but trending borderline as GPU clusters get cheaper.

What does NOT make a password strong: cleverness. Substituting 0 for O or @ for A adds essentially zero entropy because attackers know to try those. The strongest passwords are random sequences from a wide alphabet, generated by software you trust (this tool uses the browser's WebCrypto API).
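The generation approach described above, written out as an added example (it is not this tool's own source code). The character sets, the list of ambiguous characters and the function names are assumptions. Indexes are drawn with rejection sampling so that reducing a random value to the alphabet size introduces no modulo bias.

```javascript
// Added example, not this tool's source. The class sets and the
// "ambiguous" list below are assumptions made for illustration.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!#$%&*+-=?@^_',
};
const AMBIGUOUS = /[Il1O0]/g; // assumed meaning of "Exclude ambiguous"

// Uniform integer in [0, n). Values at or above the largest multiple of n
// that fits in 32 bits are discarded, so `% n` cannot favour low indexes.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { wc.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Draw whole candidates from the combined alphabet and keep the first one
// that contains every enabled class. Accepted passwords are uniformly
// distributed over all strings that satisfy the policy.
function generatePassword(length, enabled, excludeAmbiguous = false) {
  const sets = enabled.map((name) =>
    excludeAmbiguous ? CLASSES[name].replace(AMBIGUOUS, '') : CLASSES[name]);
  if (!sets.length || length < sets.length) {
    throw new RangeError('need at least one class and length >= class count');
  }
  const alphabet = sets.join('');
  for (;;) {
    let pw = '';
    for (let i = 0; i < length; i++) pw += alphabet[randomBelow(alphabet.length)];
    if (sets.every((s) => [...pw].some((c) => s.includes(c)))) return pw;
  }
}

// Upper bound in bits: length * log2(alphabet size). Requiring one character
// per class rules out a few candidates, so the real figure is slightly lower.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```
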

For human-memorable passwords (ones you'll need to type rather than paste), use a passphrase: 5+ random words from a large dictionary, in the "correct horse battery staple" style. The EFF dice-word lists are a good source.

Common use cases

  • API keys, secrets in .env files, database passwords — any machine-to-machine credential where you'll paste, not type.
  • Random tokens for invitation links, password-reset URLs, share IDs.
  • Initial passwords for new accounts (force a change on first login).
  • Single-use passwords for cases where a password manager isn't available.

For day-to-day human accounts (email, banking, etc.), use a password manager — Bitwarden, 1Password, Apple Keychain. The generator inside your password manager is just as random as this one, and the manager handles storage so you never have to remember the passwords yourself.

Frequently asked questions

Is this safe? Could the generated passwords leak?

The generation uses the browser's crypto.getRandomValues, which delegates to the OS's cryptographic PRNG. Generated passwords exist only in the page DOM; reloading clears them. No network request fires on generate. The only leak vector is your local environment — a screen recorder, an unprivileged process reading browser memory, a malicious extension.

How long should my password be?

For machine credentials: 32+ characters from the full alphabet (192+ bits of entropy — uncrackable). For human-memorable: a 5-6 word passphrase. For typed daily passwords protected by 2FA: a 16-20 character random password suffices.

Should I include symbols?

Some legacy systems reject specific symbols. Generic password fields accept everything. If the target rejects your symbols, use the "Exclude ambiguous" + uppercase + numbers + lowercase combination at length 24+ — still strong without symbols.