How is randomness generated?

Through the browser's built-in cryptographically secure random number generator (the Web Crypto API), seeded from OS entropy. Each character is independently chosen, then a Fisher-Yates shuffle (also driven by the same secure RNG) randomizes the order so the positions of mandatory characters do not leak any structure.

What does 'entropy in bits' mean?

Entropy measures unpredictability. Each bit doubles the number of possible passwords an attacker has to try. 60 bits ≈ 1 in 1.15 × 10^18, already infeasible for offline brute-force without a major GPU farm. 80 bits is comfortable for almost everything. 120+ bits is paranoia territory. The bar in the UI is calibrated against current-day attacker capability.

Should I check 'Exclude ambiguous'?

Only if the password will need to be read aloud, written down, or typed by hand (not pasted). The ambiguous set is `I l 1 O 0`: characters that look almost identical in many fonts (capital I vs lowercase L vs digit 1, capital O vs digit 0). Excluding them avoids 'is that a 1 or an I?' mistakes at the cost of a slightly smaller character pool. For passwords you will only ever paste into a form, leave it off so the entropy stays as high as possible.

Why guarantee one character from each enabled set?

To satisfy most password policies (`must contain uppercase + lowercase + number + symbol`). Pure random sometimes produces all-letters or all-digits strings that fail the policy. The tool seeds the first N characters from each selected pool, then fills the rest randomly, then shuffles, so the result always covers every selected set.

Where is the password generated?

Entirely in your browser. The banner above the form confirms it. Nothing is sent to a server, no logging of generated passwords. For a unique random identifier (UUID), use UUID Generator.

Free, no signup, no rate limit. Length 4 to 128 characters.

Utility

Password Generator

Secure password generator

Input

Password Length: 16

Min: 4, Max: 128

Strength:Weak (0 bits)

🔒 Client-Side SecurityEverything is processed locally in your browser. Your generated passwords are never sent to any server.

Generate cryptographically strong passwords locally. Adjustable length and complexity settings.

Terminal

Console ready. Execute a command to see output...

About Password Generator

Password Complexity & Brute Force

In the modern era, "password123" is cracked in nanoseconds. Security depends on entropy (randomness).

Time to Crack (RTX 4090 GPU)

8 chars (Lower): Instant.
8 chars (Lower+Upper+Num): Minutes.
12 chars (Complex): Centuries.

Best Practices

Length beats complexity: A 20-character phrase is often safer than an 8-character jumble.
Unique salts: Never reuse passwords.
MFA: Multi-factor authentication is your backup parachute.

How to use Password Generator

Pick a length
Slider or number input, 4 to 128 characters. Longer is stronger, watch the entropy bar.
Toggle character sets
Uppercase, lowercase, numbers, symbols. Optionally tick Exclude ambiguous (drops I l 1 O 0) if the password will be read or typed by hand.
Confirm the strength
The entropy meter shows bits and a Weak / Moderate / Strong / Very Strong label. 80+ bits is the safe baseline.
Hit Generate Password
The new password appears in the terminal panel. Copy it directly, nothing is stored.

Frequently Asked Questions

: Through the browser's built-in cryptographically secure random number generator (the Web Crypto API), seeded from OS entropy. Each character is independently chosen, then a Fisher-Yates shuffle (also driven by the same secure RNG) randomizes the order so the positions of mandatory characters do not leak any structure.