How Password Security Actually Works
Password strength comes down to one thing: entropy, the number of possible combinations an attacker has to try. A 12-character password using lowercase only has about 56 bits of entropy (26^12 combinations). Add uppercase, numbers, and symbols, and that same 12 characters jumps to about 79 bits (95^12). That's the difference between crackable in hours and crackable in centuries.
The math is simple: entropy = length × log2(character pool size). A 16-character password with the full 95-character ASCII set gives you about 105 bits of entropy. For reference, Bitcoin private keys use 256 bits. Your Netflix password doesn't need to be that strong, but your master password should be at least 80 bits.
NIST Special Publication 800-63B (the US government's digital identity guidelines, last updated 2024) dropped the old "change every 90 days" advice. Their current recommendation: make passwords long (minimum 8, prefer 15+), don't force arbitrary complexity rules, and check against known breached password lists. Length beats complexity every time.
How to Use
1. Set your length. 16 characters is a good default for most accounts.
2. Toggle character types on/off. Leave all four on unless a site has weird restrictions.
3. Hit Generate. The password is created using crypto.getRandomValues(), not Math.random().
4. Copy it and store it in your password manager. Don't try to memorize random passwords.
When You'll Use This
Setting up a new account
Generate a unique 16-20 character password, paste it into the signup form, and save it in your password manager. Takes 10 seconds and you never have to think about it again.
Creating API keys and tokens
Need a random string for an API secret, webhook signing key, or JWT secret? Generate a 32-64 character string with all character types. It's not technically a "password" but the generation method is the same.
WiFi password for guests
Generate a 10-12 character password without ambiguous characters (no 0/O, 1/l/I) so people can actually type it from a printed card on your router.
Replacing a breached password
Got a "your password appeared in a data breach" notification from HaveIBeenPwned or your browser? Generate a replacement immediately. Don't just add a "2" at the end of the old one.
What Actually Matters for Password Security
Length > complexity, always
"Tr0ub4dor&3" (11 chars, looks complex) has about 28 bits of entropy because it's based on a dictionary word with predictable substitutions. "correct horse battery staple" (28 chars, all lowercase) has about 44 bits. A random 16-char string with all character types? Around 105 bits. Don't confuse "hard to remember" with "hard to crack."
Use a password manager. Seriously
If you're generating random passwords (and you should be), you can't memorize them. Use 1Password, Bitwarden, or KeePass. Your master password is the ONE password you memorize. Make it a long passphrase (5+ random words).
Never reuse passwords across sites
When LinkedIn gets breached (it did, 117 million passwords leaked in 2012), attackers try those credentials on every other site. If your LinkedIn password was also your Gmail password, you just lost your email. Unique passwords per site is non-negotiable.
Enable 2FA on anything important
Even a perfect password can be phished. Two-factor authentication (TOTP apps like Authy, or hardware keys like YubiKey) means a stolen password alone isn't enough. Enable it on email, banking, and cloud accounts at minimum.
Example Outputs
Standard strong password (16 chars, all types)
Good for most online accounts. ~105 bits of entropy.
Input: Length: 16, Uppercase: ✓, Lowercase: ✓, Numbers: ✓, Symbols: ✓
Output: k7#Qm9$vLx2&pN4w
WiFi-friendly password (12 chars, no ambiguous)
Easy to read and type from a printed card. Excludes 0/O/l/1/I.
Input: Length: 12, Uppercase: ✓, Lowercase: ✓, Numbers: ✓, Symbols: ✗, Exclude ambiguous: ✓
Output: Kx7mR4nP9wBt
Limitations
- Generated passwords are not stored anywhere. If you close the tab without copying, the password is lost forever.
- Randomness quality depends on your browser crypto.getRandomValues() implementation. All modern browsers provide cryptographically secure randomness.
- Cannot check generated passwords against breach databases (like HaveIBeenPwned) — it only generates, not validates.
- Maximum length limited to 128 characters. Passphrase generation (word-based) is not supported.
Features
- Uses crypto.getRandomValues(), not Math.random() (which is predictable)
- Adjustable length from 8 to 64 characters
- Toggle uppercase, lowercase, numbers, symbols independently
- Strength meter shows actual entropy in bits
- One-click copy. Password never touches your clipboard history
- Works offline after page load. Zero network requests
Frequently Asked Questions
How long should my password be in 2026?
16 characters minimum for important accounts (email, banking). 12 is acceptable for low-value accounts. If a site caps you at 8 characters (some banks still do this), that's a red flag about their security practices, but use the max they allow with all character types.
Is a passphrase better than a random password?
For your master password (the one you memorize), yes. "correct horse battery staple" style passphrases are easier to remember and can be very strong if you use 5+ truly random words. For everything else, let your password manager generate and store random strings.
Why does the strength meter say "weak" for my 8-character password?
An 8-character password with all character types has about 52 bits of entropy. Modern GPUs can test billions of hashes per second. At that rate, 52 bits can be brute-forced in hours to days depending on the hashing algorithm. 80+ bits is where you want to be.
Can this tool generate passwords that meet specific site requirements?
Yes. Toggle the character types to match whatever rules the site enforces. If they require "at least one uppercase, one number, one symbol," keep all types enabled and regenerate until the output satisfies the rules (usually first try with 12+ chars).
Should I still change passwords every 90 days?
No. NIST dropped that recommendation years ago. Forced rotation leads to weaker passwords (people just increment a number). Change passwords only when: (1) you suspect a breach, (2) a service notifies you of a compromise, or (3) you shared it with someone who no longer needs access.
Are the passwords generated here stored or logged anywhere?
No. Passwords are generated using the browser's crypto.getRandomValues() API, a cryptographically secure random number generator that runs entirely in your browser. Nothing is transmitted to our servers. The page doesn't even have a server-side function that could receive your generated passwords. You can generate passwords while offline after the initial page load.
Your Privacy
All password generation happens entirely in your browser using crypto.getRandomValues(). No passwords are uploaded, stored, or logged anywhere. Generated passwords exist only in your browser memory until you close the tab.
In-Depth Guide
Password Security Best Practices in 2026
What actually makes a password strong in 2026, based on NIST 800-63B, real breach analysis, and how modern cracking hardware works.
Tips & Related Workflows
- Need to hash passwords for secure storage? The Hash Generator.
- If you're building session management, generate unique tokens with the UUID Generator.
- The Base64 Encoder/Decoder.
- Sharing a WiFi password? Turn it into a scannable QR code with the QR Code Generator.