Skip to content
snip tools

Strong password generator

Create strong, random passwords with a cryptographically secure generator that runs entirely in your browser.

Runs 100% in your browser
16
Character types

How to generate a strong password

  1. Set the length. Drag the slider to choose how many characters (16+ recommended).
  2. Choose character types. Toggle uppercase, lowercase, numbers and symbols.
  3. Generate and copy. Click Generate for a fresh password, then Copy it into your password manager.

What "strong" actually means: entropy

A password's resistance to guessing is measured in bits of entropy. Each bit doubles the number of guesses an attacker must make, so the relationship is exponential: 50 bits is roughly a thousand-trillion possibilities, and each extra 10 bits multiplies that by about a thousand, so 80 bits is on the order of a billion times larger again. The entropy of a random password is simply the length multiplied by the bits-per-character of its alphabet — about 6.5 bits per character with all four sets enabled. That is why this tool reports entropy in bits as you change the settings: it turns a vague feeling of "looks complex" into a number you can compare. As a rule of thumb, under ~50 bits is weak, 80+ is strong, and a random 16-character password from all four sets lands around 100 bits — beyond the reach of any realistic offline cracking rig.

Length beats complexity

The most common mistake is reaching for symbols and capital letters to feel secure while keeping the password short. But entropy grows with length far faster than with alphabet size, because every added character multiplies the whole search space. Going from 12 to 20 characters adds far more strength than swapping a letter for @. It is also why a several-word passphrase can match or beat a short "complex" password while staying memorable enough to type — a good option for the handful of passwords you must remember, like your device login or the master password to your password manager.

Why randomness has to be cryptographic

Strength only holds if the password is genuinely unpredictable. Passwords people invent lean on words, dates, names and keyboard runs, and common substitutions like p@ssw0rd are the first things cracking dictionaries try — so a "complicated-looking" human password often has far less real entropy than its length suggests. This generator draws every character from the Web Crypto API (crypto.getRandomValues), a cryptographically secure source, rather than the predictable Math.random. There is no pattern for an attacker to model, so the full length translates into real, countable entropy.

Generate it locally, store it in a manager

Everything here happens in your browser — the password is generated on your device and never transmitted, logged or stored. The right home for what you generate is a password manager: it lets you keep a unique password on every site, which is the single most effective defence against credential-stuffing attacks (where one site's breach is replayed against your other accounts). Pair these passwords with the passphrase generator for memorable master passwords, and the hash generator when you need to checksum or hash a value rather than create a credential.

Frequently asked questions

Are these passwords generated privately?
Yes. Passwords are generated locally in your browser using the Web Crypto API (crypto.getRandomValues), a cryptographically secure random source. Nothing is sent to a server, logged, or stored — the password exists only on your device.
How long should my password be?
For most accounts, 16+ characters with mixed character types is strong. For high-value accounts (email, banking, your password manager itself) use 20+, or use a passphrase. Length matters more than complexity against modern cracking — adding a character helps more than adding a symbol.
What makes a password strong?
Entropy — the number of equally likely possibilities an attacker must search. Both length and a larger character set increase it. This tool shows the estimated entropy in bits so you can compare options; under ~50 bits is weak, 80+ bits is strong, and 100+ is far beyond what offline cracking rigs can brute-force.
Is a longer password or more symbols better?
Length, almost always. Each extra character multiplies the search space by the size of the character set, so going from 12 to 20 characters adds far more entropy than sprinkling in a few symbols. A long all-lowercase passphrase can beat a short "complex" password.
Why use this instead of making one up myself?
Humans are predictable — we lean on words, dates, keyboard patterns and common substitutions (p@ssw0rd), all of which cracking tools model. A cryptographically random generator has no pattern to exploit, so every bit of its length counts toward real strength.
What does "exclude look-alike characters" do?
It removes easily confused glyphs (capital I, lowercase l, digit 1, capital O, digit 0). Useful when a password may be read aloud or typed from a screen. It slightly shrinks the character set, so the entropy meter updates to reflect the small trade-off.
Should I reuse passwords?
Never. One breached site then unlocks every account sharing that password (credential stuffing). Use a unique password per site and a password manager to store them. This generator produces a fresh random password each time you click Generate.