Password Generator
Generate strong, random passwords using the browser's Web Crypto API — the same cryptographically secure random source that browsers use for TLS handshakes. Pick your length and character classes, hit Generate, and copy the result into your password manager. Nothing is sent to a server.
Quick answer
Use at least 14 characters with uppercase, lowercase, numbers, and symbols. Never reuse passwords. Store them in a password manager (Bitwarden, 1Password, KeePassXC). This generator uses crypto.getRandomValues(), a real CSPRNG, not Math.random().
How the password generator works
This generator uses crypto.getRandomValues(), part of the browser's Web Crypto API, to produce cryptographically secure random bytes. Unlike Math.random(), which is a deterministic pseudo-random function suitable for games but not for security, getRandomValues() reads from the operating system's entropy pool. On modern computers that pool is seeded by hardware sources (mouse movements, keyboard timings, thermal noise, disk I/O) and cannot be predicted by an attacker.
For each character position, the generator picks a random index into your chosen character set (uppercase + lowercase + numbers + symbols, by default). A 16-character password drawn from a 94-character set has about 10^31 possible values — more than a trillion-trillion combinations. At a brute-force rate of 1 billion guesses per second, it would take longer than the age of the universe to check them all.
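An added example (not the code behind this page's generator) of the index-picking step described above: mapping a random byte to a character index with a plain modulo is slightly biased, so this sketch uses rejection sampling. The function names and the 94-character default set (printable ASCII without the space) are assumptions.

```javascript
// Added example; function names are hypothetical, not taken from the page's generator.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback for older Node

const CLASSES = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // the 32 printable ASCII symbols
};
const DEFAULT_CHARSET = Object.values(CLASSES).join(''); // 94 characters

// Uniform index in [0, n) for 1 <= n <= 256, using rejection sampling.
// A bare `byte % n` is biased whenever n does not divide 256: with n = 94,
// indices 0..67 are hit by 3 byte values each and 68..93 by only 2.
// `fill` is injectable so the rejection path can be exercised deterministically.
function uniformIndex(n, fill = (buf) => rng.getRandomValues(buf)) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('n must be 1..256');
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do { fill(buf); } while (buf[0] >= limit); // discard bytes from the uneven tail
  return buf[0] % n;
}

// How many of the 256 byte values map to each index, with or without rejection.
function byteCountRange(n, reject) {
  const limit = reject ? 256 - (256 % n) : 256;
  const counts = new Array(n).fill(0);
  for (let b = 0; b < limit; b++) counts[b % n]++;
  return [Math.min(...counts), Math.max(...counts)];
}

function generatePassword(length = 16, charset = DEFAULT_CHARSET) {
  const chars = [...new Set(charset)]; // de-duplicate so no character is over-weighted
  if (chars.length < 2) throw new RangeError('charset needs at least 2 distinct characters');
  let out = '';
  for (let i = 0; i < length; i++) out += chars[uniformIndex(chars.length)];
  return out;
}

// Entropy of a uniformly chosen password: length * log2(charset size).
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}

console.log(generatePassword(16), entropyBits(16, 94).toFixed(1), 'bits');
console.log('naive % 94:', byteCountRange(94, false), 'rejection:', byteCountRange(94, true));
```

entropyBits(16, 94) comes to about 104.9 bits, which corresponds to the roughly 10^31 possible values quoted above.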
When to use it
Use a fresh generated password anywhere you create a new account. The critical accounts to secure first are: email (because password resets for every other account flow through your inbox), banking and investment accounts, work SSO, and anything with stored payment methods. Everything else is lower priority but still worth rotating to unique passwords over time.
Generate longer passwords (20+ characters) for high-value accounts. Shorter ones are fine for throwaway signups. The golden rule is never reuse passwords — a password manager makes "unique for every site" actually practical.
Common mistakes
- Reusing one strong password everywhere. A single site's data breach then hands attackers the key to every other account. Unique per-site passwords are the whole point.
- Storing passwords in the browser's built-in manager and nothing else. Browser password stores are fine for convenience but most have weaker security than a dedicated manager. If the computer is compromised, the whole store is often readable.
- Writing passwords on sticky notes. Physical theft and shoulder surfing are real risks. A password manager is safer.
- Relying on password "strength meters" on sign-up forms. They check for things like "uses a dictionary word" but often miss the real weakness: you used the same password on another site that got breached.
- Ignoring 2FA. Even the strongest password can be phished. Two-factor authentication (ideally via an authenticator app or hardware key, not SMS) adds a second layer that phishing alone can't beat.
Frequently asked questions
How long should a password be?
At least 14 characters with mixed character types. 16–20 characters is strong for most accounts; 20+ for email and banking.
Is this password generator secure?
Yes. It uses the browser's Web Crypto API, which is a cryptographically secure random number generator. Nothing is sent to a server.
Should I reuse passwords across sites?
No. Reusing passwords means one site's breach gives attackers access to all your accounts. Use a unique password for every account.
What password manager should I use?
Popular options include Bitwarden (free, open-source), 1Password (paid, polished), KeePassXC (free, local-only), and Apple iCloud Keychain.
How do I remember a 20-character random password?
You don't. That's what password managers are for. You only need to remember one master password — the manager fills in the rest.