§ 01 / TOOL
Password.
STATUS ACTIVESOURCE CRYPTOPRIVACY IN-BROWSER
> GENERATED
0 CHARS
SELECT AT LEAST ONE CHARACTER CLASS.
// STRENGTHSTRONG · 103 BITS
> OPTIONS
LENGTH16
616324864
§ 02 / ABOUT
What makes a password strong.
This generator uses crypto.getRandomValues — the browser's CSPRNG — to pick characters from your chosen alphabet. No server call, no analytics, no cookies. The password is rolled in your browser and never leaves it.
// ENTROPY, NOT LENGTH ALONE
- Entropy (bits) —
log₂(alphabet_size ^ length). Bigger is better. - Weak — < 60 bits. Crackable by a resourced attacker in reasonable time.
- Strong — 80–127 bits. Safe for most accounts.
- Excellent — 128+ bits. Overkill for almost everything. Use for vaults and keys.
// REAL-WORLD ADVICE
Use a password manager. Never reuse passwords across sites — one breach compromises all of them. Enable 2FA or passkeys wherever possible. A 16-character random password from this tool, stored in a password manager, beats any "clever" pattern you can remember.
Related: QR Code, Lorem Ipsum, Case Converter.
§ 02 / FAQ
Questions. Answered.
Is this password really random?+
Yes. Generation uses crypto.getRandomValues, the browser's cryptographically secure random source. It's rejection-sampled to avoid modulo bias, so every character in the pool has exactly equal probability.
Does the password leave my browser?+
No. Generation is 100% client-side. The password is never sent to a server, stored, or logged — and unlike the other tools, the URL does not sync either (we don't want passwords in browser history).
What length should I use?+
For most accounts, 16 characters with mixed case, numbers, and symbols is comfortably strong (≈ 105 bits of entropy). For password manager master passwords or high-value accounts, go 24+. Anything under 12 with symbols disabled is increasingly crackable.
How is strength calculated?+
Shannon entropy: bits = log2(pool size) × length. So 16 characters from a 94-character pool = 16 × log2(94) ≈ 105 bits. Anything over 80 bits is "strong" for most threats today; 128+ is "excellent" and essentially uncrackable by brute force.
Why exclude ambiguous characters?+
Reading a password aloud or copying from a printed page, characters like 0/O, 1/l/I, and 5/S/B are easy to confuse. The option strips them from the pool. It reduces entropy very slightly — usually a non-issue.
Is every character class guaranteed?+
Yes. If you enable lowercase + uppercase + numbers + symbols, the generator ensures at least one character from each appears in the final password. Some sites enforce this rule; we just do it by default so the output always works.
§ 04 / TOOLS
Related calculators.
§ 05 / READING