How long should my password be?

For online accounts protected by 2FA, 12–14 characters of mixed case + numbers + symbols is sufficient (≈80 bits of entropy). For high-value accounts (email, banking, password manager master password), use 16–20 characters or a passphrase of 5+ random words.

Are these passwords actually random?

Yes — they use crypto.getRandomValues from the Web Crypto API, which provides cryptographically secure random values from the operating system's CSPRNG. They are not generated by Math.random(), which is predictable and unsafe for passwords.

Are the generated passwords stored or sent anywhere?

No. Passwords are generated locally in your browser and never transmitted, logged, or stored. Once you close the tab, they are gone unless you copied them.

Home › Developer Tools › Password Generator

Password Generator

Generate strong, random, cryptographically secure passwords. Configure length and character sets — everything runs in your browser using crypto.getRandomValues.

Length: 16

Uppercase letters (A–Z)
Lowercase letters (a–z)
Digits (0–9)
Symbols (!@#$%^&* etc.)

Exclude visually similar (0 O o l 1 I i)
Exclude ambiguous symbols (<> " ' ` | \ /)
Require at least one from each selected set

How many to generate

Estimated entropy

—

What "strong" actually means

Password strength is measured in bits of entropy. Each random character drawn from an alphabet of N options contributes log₂(N) bits of entropy. So a 12-character password from a 94-character pool (uppercase + lowercase + digits + symbols) has 12 × log₂(94) ≈ 78.7 bits — far beyond practical brute-force reach.

Entropy	Practical strength
under 40 bits	Weak — crackable in hours by a single GPU
40–60 bits	OK for low-stakes accounts with rate limiting
60–80 bits	Strong — sufficient for almost all online accounts
80+ bits	Very strong — appropriate for password manager master keys

Tips for managing strong passwords

Use a password manager. 1Password, Bitwarden, KeePassXC, or your browser's built-in manager. You only need to remember the master password.
Use unique passwords for every account. Reuse is the single biggest cause of breach-driven account takeovers.
Turn on 2FA wherever possible. A leaked password is much less dangerous if a second factor is required to log in.
Don't email or text your passwords. Use the password manager's secure share feature, or share the master password in person.

Frequently asked questions

Why is the "every set" checkbox useful?

Without it, a 12-character random password could in theory contain only lowercase letters (very low probability, but possible). The checkbox guarantees the password contains at least one uppercase, one lowercase, one digit, and one symbol — meeting the most common password complexity rules.

Can I trust this more than a random "password generator" website?

The math is the same as long as the source of randomness is good. This tool uses crypto.getRandomValues, which delegates to the operating system's secure RNG. To be sure no one tampered with the page, you can read the source (View Source in your browser) before generating, or run it offline.

Are passphrases (5 random words) better than random characters?

For a given strength, passphrases are generally longer but easier to type. Five truly random words from a 7,776-word dictionary have 64.6 bits of entropy — roughly equivalent to a 10-character symbol-rich password. We may add a passphrase generator in a future update.