Generate strong passwords locally in your browser. Customize lengths, characters, and rule sets.
Password security is the first line of defense against unauthorized account access. A strong password combines sufficient length with character set diversity to resist both brute-force exhaustive search attacks (trying all combinations) and dictionary attacks (trying common words and patterns). Weak passwords — short, predictable, or reused — are the most common cause of account compromises in data breach investigations.
This password generator uses the browser's cryptographically secure pseudo-random number generator (CSPRNG) via the Web Crypto API to produce high-entropy passwords with zero server-side involvement. Generate passwords meeting specific complexity requirements: minimum uppercase letters, numbers, and symbols; exclude ambiguous characters (O/0/l/1/I); and produce printable-ASCII-only or extended character set passwords.
Password security is quantified in bits of entropy: log₂(charset_size^length). A 12-character alphanumeric password (62-character charset) has log₂(62^12) ≈ 71 bits of entropy. Current cryptographic best practice recommends ≥ 80 bits of entropy for passwords (128 bits for high-security credentials). At 71 bits, even at 1 trillion guesses per second, brute-force would take an expected 1.5 billion years.
Character set expansion drastically improves entropy: adding symbols expands from 62 to 95+ characters, increasing entropy per character from log₂(62) ≈ 5.95 bits to log₂(95) ≈ 6.57 bits. Adding even 4 more characters to password length at 62-character charset increases entropy more than adding all printable symbols at fixed length. Both length and character diversity matter — neither alone is sufficient.
NIST SP 800-63B (Digital Identity Guidelines, 2017) updated password policy recommendations dramatically, moving away from arbitrary complexity rules toward length-based strength. Key current recommendations: minimum 8 characters for user-generated passwords (15+ recommended), no mandatory periodic password rotation without evidence of compromise, allow pastes into password fields to support password managers, and check new passwords against known-compromised password lists.
Mandatory complexity rules (must contain uppercase, number, symbol) paradoxically make passwords more predictable — users add a capital at the start, a number and symbol at the end (Password1!), and make trivial substitutions. Pure length with high entropy randomness — a 20-character random string from a password generator — is more secure and computationally unique than a short complex word-based password.
NIST recommends a minimum of 8 characters but 15+ characters for significant accounts. For random machine-generated passwords (stored in a password manager), 20-32 characters provides enormous security headroom. At 20 characters with alphanumeric+symbols (95-char charset), entropy exceeds 130 bits — effectively brute-force immune with any plausible near-future computing technology.
Yes, if the tool uses the Web Crypto API (crypto.getRandomValues) and processes entirely client-side without server communication. This generator uses the browser's CSPRNG seeded from operating system entropy and transmits no password data over the network. The generated passwords never leave your device and are not stored anywhere. Close the tab to discard them from browser memory.
Password entropy measures unpredictability in bits: H = L × log₂(N), where L is password length and N is the charset size. A 12-character password from a 95-character printable ASCII set has H = 12 × log₂(95) ≈ 12 × 6.57 ≈ 78.8 bits. Entropy in bits represents the work factor: 2^78.8 guesses needed to exhaustively search the space. At 10^12 guesses/second, this takes about 800 million years.
Yes — password managers are the correct tool for using unique, strong passwords everywhere. Generate a new random password from this tool for each account, then store it in your password manager. This solves the reuse problem (breaching one site doesn't compromise others), the memory problem (you don't need to remember them), and the strength problem (machine-generated passwords are stronger than human-chosen ones).
For human-typed passwords: avoid visually ambiguous characters like O (oh), 0 (zero), l (lowercase L), 1 (one), I (capital i). This generator has an 'exclude ambiguous' option. For passwords that are copy-pasted: most systems accept any printable ASCII; avoid only characters your specific system rejects (some applications refuse quotes, semicolons, or backslashes in passwords). Machine-generated passwords stored in password managers need no such constraints.