About this tool
A password generator builds a random string from the character sets you enable — lowercase, uppercase, digits, and symbols. This one draws every character from the Web Crypto API's crypto.getRandomValues and selects indices with rejection sampling, so the result is uniformly distributed with no modulo bias. The strength readout shows Shannon entropy in bits, computed as length × log2(pool size): a 20-character password from an 88-character pool is roughly 129 bits, far beyond what a brute-force attack can exhaust.
Use it to mint a unique credential for every account, rotate a database or service password, or seed a password manager entry. Toggle off ambiguous characters (I, l, 1, O, 0) when a password may be transcribed by hand, keep "require every selected set" on so the output always satisfies complexity rules, or hit Generate 10 to produce a batch you can paste straight into a vault.
Entropy, not length, is what makes a password hard to crack — a long password built from one character set is far weaker than a short one drawing on every set.
Frequently asked questions
How are these passwords generated — are they truly random?
Each character is drawn from crypto.getRandomValues, the browser's cryptographically secure random source, using rejection sampling so no character is more likely than another. There is no seed or pattern an attacker could predict.
What does the entropy in bits mean?
Entropy measures how many guesses an attacker would need on average. It is calculated as length × log2(pool size), so each bit doubles the work: a 128-bit password takes about 2^127 guesses on average, which is computationally infeasible to crack.
Is it safe to generate passwords on a website?
Yes, because everything runs locally in your browser with JavaScript — no password is ever sent over the network, logged, or stored. You can confirm this by disconnecting from the internet and watching the tool keep working.