Password Generator (cryptographically secure, with strength meter)
Builds passwords using crypto.getRandomValues — the same source banks use, not Math.random. Adjust length and character classes; the entropy meter shows how strong the result actually is.
How it works
Why this generator is actually secure
Most 'password generators' on the web use Math.random(), which is not cryptographically secure — its output can be predicted by an attacker who sees a few prior values. This generator uses crypto.getRandomValues from the Web Crypto API, the same primitive that backs HTTPS sessions and OS-level keychains. Each character is drawn from a uniform distribution over the selected alphabet.
The generation happens entirely in your browser. The password never travels over the network and never touches our servers. Even if our domain were compromised, an attacker would have nothing to steal because nothing is stored.
How the strength meter works
The strength label is computed from entropy: bits = log₂(alphabet_size) × length. A 10-character lowercase-only password has log₂(26) × 10 ≈ 47 bits — vulnerable to a determined offline attacker. A 16-character password using all four character classes has about 105 bits — strong enough for most uses. The bands are: <50 weak, 50-80 medium, 80-128 strong, ≥128 excellent.
These thresholds correspond roughly to: weak = guessable in days by a moderate attacker; medium = takes a botnet years; strong = no realistic attacker today; excellent = comfortable margin against future attackers including quantum considerations.
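The generation step and the strength meter described above, as an added example in JavaScript (not this tool's actual source). All function names, the 32-character symbol set, and the placement of the band boundaries at exactly 80 and 128 bits are assumptions; rejection sampling is one way to get the uniform distribution the page describes.

```javascript
// Added example: names below are hypothetical, not taken from the tool.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // assumed set: 32 ASCII symbols
};

// Uniform integer in [0, n) via rejection sampling. A plain `value % n` would
// favour low indices whenever 2^32 is not an exact multiple of n.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit); // discard the biased tail and draw again
  return buf[0] % n;
}

function buildAlphabet(enabled) {
  return enabled.map((name) => CLASSES[name]).join('');
}

function generatePassword(length, enabled) {
  const alphabet = buildAlphabet(enabled);
  if (alphabet.length === 0 || length < 1) {
    throw new RangeError('need at least one character class and length >= 1');
  }
  let out = '';
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// bits = log2(alphabet_size) * length, the formula given on the page
function entropyBits(length, alphabetSize) {
  return Math.log2(alphabetSize) * length;
}

// Bands from the page: <50 weak, 50-80 medium, 80-128 strong, >=128 excellent
function strengthLabel(bits) {
  if (bits < 50) return 'weak';
  if (bits < 80) return 'medium';
  if (bits < 128) return 'strong';
  return 'excellent';
}
```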
Length beats complexity
The math is unforgiving here: adding one character to your password roughly doubles the search space (depending on the alphabet). Adding one more character class only slightly enlarges it. A 20-character lowercase password has more entropy than a 12-character mixed-case-symbols password, and is easier to type. If you'd rather memorize, pick four random words from a 7000-word list — that's 51 bits, similar to a strong 8-character mixed password.
The 'avoid ambiguous' option excludes characters that look like other characters in many fonts (0/O, I/l/1). This makes the password slightly weaker but easier to read aloud or transcribe. Use it when you might need to type the password from a printed list.
Frequently asked questions
›Is this generator really secure?
Yes. We use the Web Crypto API's secure random source, not Math.random(). The browser-vendor-supplied implementation is audited and identical to what underlies HTTPS.
›Does the password leave my browser?
Never. Generation, entropy calculation, and copy-to-clipboard all happen locally. We don't have a server endpoint to receive it even if we wanted to.
›Is 16 characters enough?
For online accounts, yes — almost always. For password manager master passwords or encryption keys, go for 24+ characters or use a 6-word passphrase.
›Why does the strength meter not love my long password?
It only knows what character classes you enabled. If you enabled lowercase only, the alphabet is just 26 characters, so long passwords are still strong but gain entropy more slowly per added character.
›What does 'bits of entropy' mean?
It's the log₂ of the number of possible passwords your settings could produce. 80 bits ≈ 1.2 × 10²⁴ possibilities — far beyond brute-force reach today.
›Should I include symbols?
Yes when allowed. Each symbol roughly adds the entropy of a number plus a letter combined. Some old sites reject them; if so, increase length to compensate.
›Is 'avoid ambiguous' worth using?
Use it only when you need to read or type the password manually. Keep it off for password managers, where the entropy given up for readability buys nothing.
›Can the same password be generated twice?
Theoretically yes, but with even 50 bits of entropy the chance per pair of generations is 1 in 2⁵⁰ ≈ 10¹⁵. Practically impossible.