What makes a strong password
Strength comes from length and unpredictability. A 16-character random string mixing all four character sets has roughly 100 bits of entropy — far beyond what an offline attacker can brute force. Reusing passwords across sites is more dangerous than slightly weaker ones, so always pair this tool with a password manager.
Entropy reference
| Bits | Strength | Use for |
|---|---|---|
| < 40 | Weak | Throwaway accounts only |
| 40–60 | Moderate | Low-value accounts behind 2FA |
| 60–80 | Strong | Most online accounts |
| 80–100 | Very strong | Email, banking, password manager |
| 100+ | Excellent | Master passwords, encryption keys |
How this generator works
The generator pulls random bytes from window.crypto.getRandomValues — the browser's cryptographically-secure source. Each character is selected by rejection sampling so that every character in the chosen set is equally likely. With "include at least one of each set" turned on, the generator regenerates until the result satisfies the constraint, then shuffles the characters to avoid patterns.
FAQ
Is the password sent anywhere?
No. Generation happens entirely in your browser. The page does not log, store, or transmit anything. Once you close the tab, the password is gone unless you saved it.
How long should I make passwords?
16 characters with all four sets is enough for nearly any account. For your password manager master password, aim for 20+ characters or use a long passphrase.
Why are there sometimes only digits or only letters?
Because all characters are picked uniformly at random, occasionally a short password will miss a set. Enabling "include at least one of each selected set" guarantees at least one of every chosen category.
What if I cannot type a symbol?
Disable the symbols set, or enable "exclude ambiguous symbols" to keep only the most common ones (! @ # $ % & * _ -).