Password Generator
Generate strong, random passwords with customizable length and character sets. Cryptographically secure, client-side, free.
Configure options above and click Generate
How to Use
- Set your desired password length using the slider (4–128 characters).
- Toggle character sets: uppercase, lowercase, numbers, and symbols.
- Select how many passwords to generate at once.
- Click Generate and copy individual passwords or all at once.
What Makes a Strong Password?
A strong password combines length, randomness, and character diversity. The strength of a password is measured by its entropy — the number of bits of randomness it contains. A 16-character password using all character types (uppercase, lowercase, digits, symbols) has approximately 105 bits of entropy, which would take billions of years to brute-force with current technology.
Password Security Tips
- Use a unique password for every account — never reuse passwords
- Store passwords in a reputable password manager (1Password, Bitwarden, KeePass)
- Enable two-factor authentication (2FA) wherever possible
- Avoid dictionary words, personal information, and common patterns
- Longer passwords are always better — prefer 16+ characters
How This Tool Works
This generator uses the crypto.getRandomValues() Web API, which provides cryptographically secure pseudo-random numbers. Unlike Math.random(), which is predictable and unsuitable for security, the Web Crypto API draws from your operating system's entropy pool, ensuring true randomness.
Understanding Password Entropy
Password strength is measured in bits of entropy — the logarithm (base 2) of the number of possible combinations. Each character adds entropy proportional to the size of the character set used. With all four character types enabled (uppercase, lowercase, digits, symbols — roughly 95 characters total), each character contributes about 6.6 bits of entropy. A 16-character password with all types has approximately 105 bits of entropy.
For reference: 40 bits of entropy can be cracked in seconds. 60 bits might take hours to days. 80 bits is considered strong against offline attacks. 100+ bits is effectively uncrackable with current technology. The NIST (National Institute of Standards and Technology) recommends passwords with at least 64 bits of entropy for most applications.
Why Random Passwords Beat Human-Chosen Passwords
Humans are poor random generators. Studies show that human-chosen "random" passwords follow predictable patterns: capitalizing the first letter, placing numbers at the end, and using common substitutions (@ for a, 3 for e, 1 for l). Attackers know these patterns and optimize their cracking dictionaries accordingly. A password like "P@ssw0rd123!" looks complex but falls quickly to a dictionary attack with common substitution rules.
Machine-generated passwords using cryptographic randomness have no patterns to exploit. The only attack vector is brute force — trying every possible combination — which becomes impractical with sufficient length and character diversity.
Password Managers
Since randomly generated passwords are impossible to memorize, a password manager is essential. Leading options include 1Password (excellent UX, family/team plans), Bitwarden (open source, free tier available), and KeePass (offline-only, fully open source). All three use AES-256 encryption to protect your password vault. You only need to memorize one strong master password to unlock all your credentials.
Special Character Restrictions
Some websites and services restrict which special characters are allowed in passwords. Banking sites, older enterprise systems, and Wi-Fi passwords often reject certain symbols. If your generated password is rejected, try regenerating with only the allowed characters, or simply increase the length while using fewer character types. A 24-character lowercase-only password (with 113 bits of entropy) is stronger than a 10-character password with all four types (66 bits).
Related Tools
Generate unique identifiers with the UUID Generator. Encode passwords for config files with the Base64 Encoder. Share passwords via QR Code. Hash passwords with the Hash Generator. Test password validation patterns with the Regex Tester. Generate placeholder data with Lorem Ipsum.
Frequently Asked Questions
- How secure are the generated passwords?
- Very secure. Passwords are generated using the Web Crypto API (crypto.getRandomValues), which provides cryptographically secure random numbers. This is the same randomness source used by password managers and security software.
- Is my password sent to any server?
- No. All passwords are generated entirely in your browser. No data is transmitted over the network. You can verify this by disconnecting from the internet and using the tool — it works offline.
- How long should my password be?
- At minimum 12 characters, but 16 or more is recommended. Each additional character exponentially increases the number of possible combinations. A 16-character password with mixed case, numbers, and symbols has over 10^30 possible combinations.
- Should I include symbols in my password?
- Yes, when possible. Including uppercase, lowercase, numbers, and symbols maximizes the character set size, making brute-force attacks significantly harder. However, some systems restrict which characters are allowed — in that case, use a longer password with fewer character types.
- Can I use these passwords for real accounts?
- Yes. The passwords are generated with cryptographic randomness and are suitable for production use. However, you should store them in a password manager rather than trying to memorize them.
Code Examples
Learn how to use this tool programmatically in your favorite language.
Use this tool from AI agents.
The CodeTidy MCP Server lets Claude, Cursor, and other AI agents
use this tool and 46 others directly. One command: npx @codetidy/mcp