Character sets
~129 bitsof entropy · 88 chars in pool · 20 chars long
What this tool does
Free secure password generator -- create strong random passwords with custom length, entropy display, and memorable mode
How this cryptographically secure password generator works, what entropy means for password strength, and the best settings for different account types
This free secure password generator uses crypto.getRandomValues(), the browser's built-in cryptographically secure pseudorandom number generator (CSPRNG), to produce passwords with genuine cryptographic randomness. Unlike simple random password generators that use Math.random() -- a deterministic algorithm that can be predicted given its internal state -- crypto.getRandomValues() is seeded by your operating system's entropy pool, the same randomness source used for TLS session key generation, cryptographic nonces, and UUID tokens. Every character in every generated password is selected independently with equal probability from your chosen character set, producing results that are computationally indistinguishable from a theoretical ideal random source. Your passwords are generated entirely within your browser's JavaScript engine and are never transmitted, stored, or logged anywhere.
The tool provides real-time entropy estimation before you generate, showing you exactly how many bits of entropy your current settings will produce. Entropy is the mathematical measure of password unpredictability -- each bit doubles the number of possible passwords an attacker must try to brute-force yours. At 64 bits of entropy there are over 18 quintillion possible passwords; at 128 bits the number exceeds the estimated atoms in the observable universe, making brute-force computationally infeasible with any current or foreseeable technology. The entropy display updates live as you adjust the length slider and toggle character sets, so you can see precisely how each setting affects security before committing. The strength meter on each generated password independently classifies it from Very Weak to Very Strong based on its actual character composition and length.
Beyond the core random generator, this tool offers two additional modes designed for specific use cases. Memorable mode combines two randomly selected words from a curated list with a 4-digit number and a random symbol, producing passwords like BraveOak4821! that achieve approximately 58 bits of entropy while remaining genuinely typeable from memory -- ideal for Wi-Fi passwords, system login prompts, and device unlock codes. Bulk generation allows you to generate up to 20 unique passwords simultaneously with a single click, each independently random, which is essential for DevOps and system administration workflows requiring multiple service account credentials, API keys, or new employee passwords. The no-ambiguous characters mode removes visually confusing characters (0/O, 1/l/I) from the pool for any scenario where the password needs to be read and transcribed manually rather than copy-pasted from a password manager.
Features and capabilities
CSPRNG Security
Uses crypto.getRandomValues() -- the same cryptographic randomness source as TLS key generation and UUID tokens.
4-128 Character Length
Adjust password length from 4 to 128 characters with a live slider to match any platform's length requirements.
Four Character Types
Toggle uppercase A-Z, lowercase a-z, digits 0-9, and symbols independently to meet any password policy requirement.
No-Ambiguous Mode
Removes visually similar characters 0/O, 1/l/I for passwords that need to be read aloud or typed manually without errors.
Live Entropy Display
Real-time entropy estimate in bits updates as you change settings so you know the security level before generating.
Strength Meter
Per-password strength bar and label (Very Weak to Very Strong) with bit count, calculated from the actual generated output.
Memorable Mode
Random two-word capitalised combinations plus digits and symbol -- ~58 bits of entropy in a format humans can actually remember.
Bulk Generation
Generate up to 20 unique independently random passwords per click for batch provisioning or comparison.
Copy All
Export the entire generated batch to your clipboard as a newline-separated list for pasting into a password manager import template.
100% Client-Side
No server involved at any point -- all generation, strength calculation, and clipboard operations run locally in your browser.
No Rate Limits
Generate as many passwords as you need with no account, no API key, no rate limiting, and no data collection.
Guaranteed Complexity
Random mode ensures at least one character from each enabled character type appears in every generated password.
Examples
Password generator examples -- from 131-bit maximum security to weak legacy formats
Five realistic generation scenarios with settings, example output, entropy, and an explanation of when and why to use each configuration
Excellent20-character random password -- all four character types, ~130 bits of entropy
Settings: Length 20 · Upper + Lower + Digits + Symbols
Output: xK#9mP$2vL@nQ7wR!sB4
Entropy: ~131 bits
Strength: Very Strong
A 20-character password using all four character types achieves approximately 131 bits of entropy -- well above the 128-bit threshold considered computationally infeasible to brute force with any current or near-future technology. This is the recommended configuration for email accounts, banking, and password manager master passwords. Use this setting for any account where a breach would have serious consequences.
Excellent16-character password -- the practical sweet spot for everyday accounts
Settings: Length 16 · Upper + Lower + Digits + Symbols
Output: Rq7#mN2vKp@9wL$4
Entropy: ~105 bits
Strength: Very Strong
A 16-character mixed-character password with approximately 105 bits of entropy is the widely recommended standard for everyday accounts including streaming services, e-commerce, and social media. It is long enough to be immune to brute-force attacks and short enough to be generated and stored comfortably in any password manager. This is a sensible default for most users generating passwords for standard online accounts.
GoodMemorable password -- random words with digits and symbol for manual use
Mode: Memorable
Output: BraveOak4821!
Entropy: ~58 bits
Strength: Strong
A memorable password combining two randomly capitalised words with a 4-digit number and symbol achieves approximately 58 bits of entropy. While lower than a fully random character password, this is sufficient for accounts you need to type manually -- Wi-Fi passwords, device unlock codes, and system login prompts. The random word combination makes it genuinely memorable while the appended number and symbol satisfy most website complexity requirements.
GoodNo-ambiguous 16-character password -- safe to read and transcribe
Settings: Length 16 · No Ambiguous + Symbols
Output: 3xGhPm9Rk#nW7qB!
Entropy: ~101 bits
Strength: Very Strong
Enabling no-ambiguous characters removes 0/O, 1/l/I from the character pool, producing a password safe to read aloud or write by hand without transcription errors. With symbols included, entropy remains above 100 bits, making it suitable for high-value accounts. Use this mode when you need to share a password verbally, display it on a screen for manual entry, or type it into a device where copy-paste is unavailable.
Weak8-character digits-only password -- inadequate for any real account
Settings: Length 8 · Digits only
Output: 47829301
Entropy: ~27 bits
Strength: Very Weak
An 8-character digits-only password has only 27 bits of entropy and can be exhaustively cracked in under a second on any modern computer. This configuration is shown as an illustration of what not to use -- many legacy banking and PIN systems unfortunately still enforce this format. If any system requires you to use only digits, use the maximum allowed length and never reuse that password anywhere else.
FAQ
Frequently asked questions about password generators, entropy, and password security best practices
Common questions from users about how to generate strong passwords, what makes a password secure, and when to use random vs memorable passwords
Is this password generator cryptographically secure?
Yes -- this tool uses crypto.getRandomValues(), the browser's cryptographically secure pseudorandom number generator (CSPRNG), which is backed by your operating system's entropy pool. This is the same randomness source used to generate TLS session keys, cryptographic nonces, and UUID tokens. Unlike Math.random(), which uses a deterministic algorithm that can be predicted, crypto.getRandomValues() produces true cryptographic randomness that cannot be predicted or reproduced. Generated passwords are never transmitted to any server, never stored, and never logged -- all generation happens entirely in your browser's JavaScript engine.
How long should a generated password be for maximum security?
For most online accounts, 16 characters using uppercase, lowercase, digits, and symbols provides approximately 100 bits of entropy -- which is more than sufficient against any known brute-force attack with current or near-future computing power. For high-value accounts like email, banking, and password manager master passwords, use 20 or more characters to achieve 130+ bits of entropy. Never use fewer than 12 characters for any account that matters. Length is the single most impactful variable in password security -- a 20-character lowercase-only password is far stronger than an 8-character password with all four character types.
What is password entropy and how does it affect security?
Entropy measures how unpredictable a password is, expressed in bits. Each additional bit of entropy doubles the number of possible passwords an attacker must try to guess yours through brute force. A password with 64 bits of entropy has 2^64 possible values -- roughly 18 quintillion combinations. At 128 bits, the number of combinations exceeds the estimated number of atoms in the observable universe, making brute-force computationally infeasible with any current or foreseeable technology. Entropy depends on both the length of the password and the size of the character set used -- this tool displays the estimated entropy in bits before you generate so you can see the impact of your settings.
What does the no-ambiguous characters option do and when should I use it?
The no-ambiguous characters option removes characters that look visually identical or nearly identical in many fonts and contexts: the digit 0 (zero) and the letter O, the digit 1 (one), the lowercase letter l, and the uppercase letter I. It also removes the digit 6 and b in some implementations. This option is useful when you need to read a generated password aloud, write it by hand, type it manually into a device without copy-paste support, or share it verbally. For passwords that will only ever be pasted from a password manager directly into a login form, there is no reason to enable this option as it slightly reduces the available character pool and therefore the entropy of the generated password.
What is a memorable password and is it secure enough to use?
Memorable passwords in this tool combine two randomly selected capitalized words from a curated list with a 4-digit number and a random symbol -- producing patterns like BraveOak4821! or SwiftRiver0934#. The resulting passwords have approximately 50 to 60 bits of entropy, which is sufficient for low-to-medium-risk accounts where you need to type the password manually or remember it without a password manager. They are not recommended for email accounts, banking, or password manager master passwords, where a fully random 20+ character password provides significantly higher entropy. The advantage of memorable passwords is that humans can actually retain them, making them practical for system login prompts, Wi-Fi passwords, and device unlock codes.
Should I use a password manager instead of generating passwords manually?
Yes -- a password manager is strongly recommended for anyone generating secure passwords for multiple accounts. A password manager like Bitwarden (free, open source), 1Password, or Dashlane stores all your generated passwords in an encrypted vault, auto-fills them on websites, and can generate new passwords directly within the browser extension. The key security benefit is that a password manager enables you to use a unique randomly generated password for every single account without any of them being memorable or related. The single point of failure -- the master password -- can be secured with a very long high-entropy passphrase and two-factor authentication, making the overall system far more secure than any manual password management approach.
What is the difference between a random password and a passphrase?
A random password is a string of characters drawn from a defined character set (uppercase, lowercase, digits, symbols) with no inherent semantic structure -- for example 'xK#9mP$2vL@nQ7wR'. A passphrase is a sequence of multiple complete words chosen randomly from a large word list -- for example 'correct horse battery staple' from the famous xkcd comic. Passphrases rely on the large number of possible word combinations for their security, making them long but potentially memorable. Random character passwords achieve high entropy in fewer characters. The memorable mode in this tool is a hybrid -- it uses random words but adds numbers and symbols to increase entropy beyond what a pure 2-word phrase provides.
How many characters should I use for a password for different account types?
The recommended minimum lengths vary by how sensitive the account is and how it is protected. For throwaway or low-risk accounts (loyalty programmes, free trials, forums), 12 characters is acceptable. For standard accounts (e-commerce, streaming, social media), use 16 characters with all character types. For high-value accounts (email, banking, cloud storage, work accounts), use 20 or more characters. For your password manager master password, use a 6-word Diceware passphrase or a 24+ character random password -- this is the one password worth memorising. For API keys, database credentials, and service account passwords, use the maximum length the system supports, typically 64 to 128 characters.
Can I generate passwords for multiple accounts at once using bulk generation?
Yes -- use the Count slider to generate up to 20 unique passwords simultaneously in a single click. Each password in the batch is generated independently using crypto.getRandomValues() with the same settings, so they are all different and all equally random. Use the Copy All button to copy the entire batch to your clipboard as a newline-separated list, which you can then paste directly into a spreadsheet or password manager import template. Bulk generation is useful for DevOps and system administration workflows where you need to provision multiple service accounts or API keys simultaneously, or for creating unique passwords for a batch of new employee accounts.
Why should I never reuse the same password across multiple accounts?
Password reuse is the primary reason that a single data breach at one low-security website can cascade into account takeovers at the victim's bank, email, and workplace. When attackers obtain a breached password database, they immediately run automated credential stuffing attacks -- testing every username and password combination against every major platform simultaneously. If you use the same password for your email and your bank, and that password is leaked in a retail website breach, attackers will gain access to both. Using a unique randomly generated password for every single account completely eliminates credential stuffing as a threat vector for your accounts, because a password leaked from one site cannot unlock any other.
Related Security Tools
Need a disposable email address?Stop exposing your real address to sites you don't trust -- get a free instant throwaway email with no signup and no trace.
Get Free Temp Mail ->