Password Generator
Utility Tools
Generate cryptographically strong, random passwords. Adjustable length (4–128), character set toggles, ambiguous-character exclusion, and zxcvbn strength scoring.
Runs entirely in your browserAbout Password Generator
Strong passwords are the difference between an account staying yours and getting compromised. The two things that matter for strength are randomness (using a cryptographic random source, not `Math.random`) and length (longer beats more character sets — a 20-character lowercase password is far stronger than a 10-character one with all four sets). This generator uses `crypto.getRandomValues` (the same Web Crypto primitive WebAuthn uses) with rejection sampling to avoid modulo bias.
You can produce up to 50 passwords at once, each with its own zxcvbn strength score (the same library Dropbox uses for their password meter). Toggle the four character sets, exclude visually ambiguous characters (0/O, 1/l/I) to avoid transcription errors, and optionally require at least one character from each enabled set. All generation happens locally — passwords never travel over the network, never enter a server log, never leave your browser memory.
How to use
- 1
Pick the length
Use the Length slider (4–128). For most accounts, 16+ characters is excellent. For sensitive accounts, go 20+.
- 2
Choose character sets
Toggle A–Z, a–z, 0–9, and Symbols. More sets = larger keyspace per character, but length usually contributes more to strength than set count.
- 3
(Optional) Exclude ambiguous characters
Removes 0, O, 1, l, I, and a few others. Useful when you'll transcribe the password by hand or read it aloud.
- 4
(Optional) Require one of each set
Guarantees at least one character from each enabled set — useful for sites with annoying complexity rules.
- 5
Pick count and generate
Set how many passwords to produce (up to 50), then click Generate. Each row has a strength meter and a Copy button.
Examples
16-character password, all sets, exclude ambiguous
Output
h$3Ku9-Rxq4!Wz8m (Strong / zxcvbn score 4)32-character lowercase passphrase-style
Pure lowercase but long — still extremely strong because of length.
Output
zkqmrjfdpnvxwhcybghrlspmwjnckxqv (Very strong / zxcvbn score 4)Frequently asked questions
Is `Math.random()` really not secure?+
Correct. `Math.random()` is a pseudo-random generator designed for simulations, not security. Its output is predictable to an attacker who observes a few samples. We use `crypto.getRandomValues`, which is backed by the operating system's secure random source.
What is modulo bias and why does it matter?+
If you take random bytes (0–255) and modulo by 26 to pick a letter, some letters become slightly more likely than others (because 256 isn't divisible by 26). We use rejection sampling — discard and re-roll any byte that would bias the result — to ensure perfectly uniform character distribution.
How long should my password be?+
For most accounts: 16+ characters. For sensitive ones (bank, primary email): 20+. Length matters more than character variety; a 20-character lowercase password is stronger than a 10-character mixed-case-symbols one.
What is zxcvbn scoring?+
A 0–4 strength score from Dropbox's zxcvbn library that estimates time-to-crack against modern attackers. 4 (very strong) means realistically uncrackable; 3 is strong enough for most accounts; below 3 means the password is too short or too pattern-like.
Are passwords actually never transmitted?+
Confirmed. Open DevTools and watch the Network tab while generating — there are no requests. Generation uses crypto.getRandomValues entirely in your browser.
Related tools
QR Code Generator
Create QR codes for URLs, text, Wi-Fi, and contact details. Download as PNG or SVG.
Barcode Generator
Generate barcodes in Code128, EAN-13, UPC, Code39, and ITF formats.
Invoice Generator
Build and export professional invoices as PDFs. Saved locally to your browser.
PDF Merger
Combine multiple PDF files into one. Reorder by drag and drop.
PDF Splitter
Split a PDF into separate files by page ranges, or one file per page.