What makes a password strong?
Two things, mostly: length and randomness. A password is hard to crack when there are so many equally-likely possibilities that no computer can try them all in a reasonable time. Every extra character or word multiplies that number, and choosing truly at random — not a name, a date, or a keyboard pattern — keeps every one of those possibilities in play.
The usual advice still holds: at least 16 characters, a mix of upper- and lower-case letters, numbers and symbols, and a different password for every account. The one rule people skip is the last one — reuse is what turns a single leaked website into a break-in everywhere else.
Random characters or a passphrase?
A random character password like k7$Rm2!qXvp9 packs the most strength into the fewest characters. It is ideal for accounts you let a password manager remember for you, where you never actually type it.
A passphrase like brave-otter-maple-stone is a few random words strung together. It is longer, but far easier to read aloud, remember and type by hand — perfect for the one password you do have to memorise, such as the master password on your password manager or your device login. Four or five random words is plenty for most uses.
How this generator works
Everything happens in your browser. The randomness comes from crypto.getRandomValues, the same cryptographically secure source browsers use for real security work — not the predictable Math.random. Characters are picked with rejection sampling so every option is exactly equally likely, with no bias toward the start of the alphabet.
Your generated passwords are never sent to a server, saved, or logged. Close the tab and they are gone. You can switch off your internet connection and the tool still works — proof that nothing is leaving your device.
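The rejection sampling described above, as an added example (not this tool's own code). The names uniformIndex, generatePassword, byteCounts and ALPHABET are illustrative, and the 62-symbol alphabet is an assumption chosen to make the bias visible.

```javascript
// Added example: uniformIndex, generatePassword, byteCounts and ALPHABET are illustrative names.
// Browsers and current Node expose globalThis.crypto; the require() fallback covers older Node.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; // 62 symbols

// One byte (0..255) from the cryptographically secure source.
function secureByte() {
  return webCrypto.getRandomValues(new Uint8Array(1))[0];
}

// Integer in [0, n) with every value exactly equally likely.
// 256 is rarely a multiple of n, so a bare `byte % n` favours the low indices.
// Bytes at or above the largest multiple of n are thrown away and redrawn.
function uniformIndex(n, nextByte = secureByte) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("n must be an integer from 1 to 256");
  }
  const limit = 256 - (256 % n);
  let b;
  do {
    b = nextByte();
  } while (b >= limit);
  return b % n;
}

function generatePassword(length, alphabet = ALPHABET, nextByte = secureByte) {
  let out = "";
  for (let i = 0; i < length; i++) {
    out += alphabet[uniformIndex(alphabet.length, nextByte)];
  }
  return out;
}

// How many of the 256 byte values map to each index, with or without rejection.
function byteCounts(n, reject) {
  const limit = reject ? 256 - (256 % n) : 256;
  const counts = new Array(n).fill(0);
  for (let b = 0; b < limit; b++) counts[b % n]++;
  return counts;
}

console.log(generatePassword(16));
console.log("plain modulo:  ", byteCounts(62, false).slice(0, 10).join(" "));
console.log("with rejection:", byteCounts(62, true).slice(0, 10).join(" "));
```

With a plain modulo the first eight symbols of this alphabet are each reachable from five byte values and the rest from four; with rejection every symbol is reachable from exactly four.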
A few good habits
- Use a password manager. Generate a unique password for every account and let the manager remember them, so you only memorise one strong master passphrase.
- Turn on two-factor authentication wherever it is offered. Even a perfect password is stronger with a second step.
- Make the important ones longer. Your email and your password manager protect everything else — give them the strongest passwords you have.
- Never reuse a password across sites, and change any password that may have been part of a breach.
Common questions
- Are these passwords safe to use?
- Yes. Each one is generated on your own device with your browser's cryptographically secure random generator, and nothing is sent anywhere or stored. No one else ever sees what you make here.
- How long should a password be?
- Aim for at least 16 characters for most accounts, and as many as a site allows for the important ones. For something you have to type, a four- or five-word passphrase is both long and memorable.
- What is a passphrase, and is it more secure?
- It is a password made of several random words, like brave-otter-maple-stone. A handful of truly random words is long, hard to guess, and far easier to remember than a jumble of symbols. Add a number if a site requires one.
- What does the strength bar measure?
- It estimates entropy — the bits of randomness in the password — from its length and the size of the character or word set. Below about 45 bits is weak, 60 or more is strong, and 80 or more is very strong.
- Why skip look-alike characters?
- The lowercase l, the number 1, the capital I, the capital O and the number 0 are easy to confuse when you read or re-type a password. Turn on “Skip look-alikes” to leave them out for cleaner, error-free typing.