Are the generated passwords stored anywhere?

No. All password generation happens entirely in your browser using the Web Crypto API. Nothing is sent to any server, stored in any database, or logged anywhere. As soon as you close the tab, the gene

What makes a password strong?

Password strength depends on length and entropy (unpredictability). A 16-character password using uppercase, lowercase, numbers, and symbols has approximately 95^16 possible combinations — more than 4

Should I use a passphrase instead of a random password?

Passphrases (4–5 random words like 'correct-horse-battery-staple') are excellent for passwords you need to type frequently, like your computer login. Random character passwords are better for accounts

Password Generator

Generate secure passwords in three modes: random characters, memorable passphrases (word-word-word style) or numeric PINs. See entropy bits and estimated crack time for every password. Uses the browser's cryptographic random number generator — your passwords are never sent to a server.

password-generator.tool

Generating...

—

Length 16

6163264

Uppercase (A–Z) Lowercase (a–z) Numbers (0–9) Symbols (!@#$%) Exclude ambiguous (0,O,l,1)

Three Password Types

Random — generates a password using a mix of uppercase letters, lowercase letters, numbers and symbols. Fully customisable length (6–64 characters) and character set. Best for accounts where you will use a password manager to store and autofill — you don't need to remember it.

Memorable Passphrase — generates 3–6 random common words joined by a separator (e.g. forest-hammer-silver-42). Much easier to remember than random characters while still being cryptographically strong. Recommended by NIST for passwords you need to type from memory.

PIN — generates a numeric-only PIN from 4–12 digits. Used for device unlock codes, ATM PINs and two-factor authentication backup codes.

Entropy and Crack Time

Every generated password shows its entropy in bits — a measure of how unpredictable the password is. A 16-character random password with all character types has approximately 105 bits of entropy. The crack time estimates how long it would take a modern GPU cluster running 10 billion guesses per second to brute-force the password on average. 80+ bits gives crack times measured in billions of years against current hardware.

Truly Random, Never Stored

This generator uses crypto.getRandomValues() — the browser's cryptographically secure random number generator, the same API used by security software. Your passwords are generated entirely in your browser and are never transmitted to any server. No password you generate here is logged, stored or accessible to anyone other than you.

Frequently Asked Questions

For most accounts, 16 characters with mixed uppercase, lowercase, numbers and symbols gives approximately 100 bits of entropy — enough to resist brute-force attacks for billions of years with current hardware. NIST guidelines recommend at least 8 characters minimum, but 16+ is strongly preferred. For high-value accounts (banking, email, password manager master password), use 20+ characters or a 5-6 word passphrase.

A passphrase combines random common words, like "forest-hammer-silver-42". The security comes from the randomness of word selection across a large word pool, not from complexity. A 4-word passphrase drawn from a 7,776-word dictionary (as in Diceware) has approximately 51 bits of entropy — comparable to a 9-character random password. A 5-word passphrase has 64 bits. Passphrases are recommended by NIST and security researchers for passwords you must type or remember.

Humans are terrible at creating random passwords. We gravitate toward patterns, words, dates and keyboard walks like "qwerty123". Studies show that user-created passwords cluster heavily around a small set of common structures, making them vulnerable to dictionary and rule-based attacks. A generator using cryptographic randomness eliminates this predictability entirely. Even if an attacker knows you used this tool, they gain no advantage because each output is independently random.

Ambiguous characters are letters and numbers that look similar and cause confusion when reading or typing: 0 (zero) and O (capital o), 1 (one) and l (lowercase L) and I (capital i). When you need to type a password manually, excluding these prevents transcription errors. If you store passwords in a password manager and use autofill, there is no need to exclude them.

Yes. The generator runs entirely in your browser using JavaScript's crypto.getRandomValues() API, which is the same cryptographic random source used by security software. No passwords are transmitted to any server. The page has no tracking or analytics that could capture generated passwords. For maximum safety, you can also open the page, disconnect from the internet, generate your passwords, and reconnect — the tool works fully offline once loaded.

Password Generator

Three Password Types

Entropy and Crack Time

Truly Random, Never Stored

Frequently Asked Questions

Related Tools