Secure Password Generator
Generate strong random passwords using the browser's cryptographic random source. Adjust length, character sets, and lookalike exclusions. Nothing is logged or transmitted.
About this tool
WRRK's password generator pulls entropy from the browser's WebCrypto API — the same cryptographically secure source used by TLS, session cookies, and password managers. It uses rejection sampling when picking each character so every glyph has exactly equal probability (a naive random % lenapproach subtly biases passwords and lowers real entropy). When multiple character sets are enabled, at least one character from each is guaranteed in the output, then the result is shuffled — so a password with “digits” selected always contains a digit.
The strength meter computes length × log₂(alphabet size) which is the upper bound on entropy for fully random passwords (which these are — there's no dictionary leakage like with passphrases). Aim for 80+ bits for routine accounts, 120+ for master passwords or long-term secrets. Nothing is logged or sent — generation is purely local, so this tool is safe for generating production credentials.
How to generate a strong password (5 steps)
- Set the length. Drag the slider to your target length. 16+ is the modern minimum, 20+ is a comfortable default, 32+ for master passwords.
- Pick character sets. Toggle uppercase, lowercase, digits, and symbols. Each enabled set is guaranteed to appear at least once in the result.
- Optional: exclude lookalikes. Enable 'exclude ambiguous' if a human has to type the password — removes 0/O, 1/l, I, etc.
- Click Generate. A new password appears instantly using crypto.getRandomValues() — the same secure source used by TLS.
- Copy or bulk-generate. Copy the result with one click, or use 'Generate 10 passwords' for a bulk batch.
Use cases
- Creating new account passwords stored in a password manager
- Generating API keys, webhook secrets, or service tokens
- Producing recovery codes or one-time backup keys
- Setting up CI/CD secrets and environment variables
- Bootstrapping local development databases and test users
- Generating WiFi passwords for new networks
- Creating temporary share-link passwords for documents
Frequently asked questions
+−Is this password generator secure?
Yes. The tool uses crypto.getRandomValues() — the browser's cryptographically secure random number generator, the same source used for TLS keys and session tokens. We use rejection sampling to keep the distribution uniform, so every character has an equal chance of appearing. No password is logged, transmitted, or stored.
+−What length should my password be?
16 characters with a mixed alphabet is the modern minimum for any account that matters. 20 characters is a comfortable default. For master passwords, encryption keys, or long-term secrets, use 32+ characters. Length matters more than character variety — a long lowercase-only password is stronger than a short one full of symbols.
+−What does 'bits of entropy' mean?
Entropy measures how unpredictable a password is. Each bit doubles the search space — 50 bits means 2^50 possible passwords. Below 50 bits is weak, 80+ is strong, 120+ is very strong. The meter computes length × log2(alphabet size), which is the upper bound for fully random passwords (which these are).
+−Should I exclude ambiguous characters?
Only if a human will type the password from a screen or printout. 0/O, 1/l/I are visually confusable. For passwords stored in a manager and pasted, leave them in — every excluded character reduces entropy slightly. For one-time codes shown to a user, definitely exclude.
+−Is the password sent to a server?
Never. Generation happens entirely in your browser — no network calls, no logging, no analytics on the password value. You can generate a master password here without worrying about it leaving your device.
+−Can I generate multiple passwords at once?
Yes. Click 'Generate 10 passwords' for a bulk batch — useful for setting up multiple service accounts, generating recovery codes, or seeding test data. Click 'Copy all' to grab the whole list.
+−Should I use a passphrase instead?
For passwords you have to memorize (your password manager master password, a laptop login), a 5-7 word passphrase from a long word list is easier to remember and just as strong. For passwords stored in a manager, random characters from this generator are perfect — there's no reason to memorize them.