PASSWORD GENERATOR

Strong, random, in your browser

Generated client-side using crypto.getRandomValues — the same cryptographically-secure source your browser uses for TLS. Nothing is sent to our servers. Adjust length, mix character classes, copy with one click.

20
Entropy: — bits · — strength
All randomness happens in your browser.

About strong passwords

Password strength is determined by length first and randomness second. A truly random 16-character password mixing letters, digits, and symbols has roughly 95 bits of entropy — uncrackable by any current computing technology. Any password under 12 characters is at risk of brute-force.

Why this generator is safe

Every password is generated entirely in your browser using window.crypto.getRandomValues(), the WebCrypto API cryptographically secure random number generator. No password is ever transmitted to our server, logged, cached, or transmitted anywhere. View source if you want to verify.

Length beats complexity

A 20-character password using only lowercase letters (~94 bits) is stronger than a 10-character password with letters, digits, and symbols (~66 bits). Length is the single most important variable. Use a password manager that lets you generate and store 20+ character passwords automatically for everything except your master password.

Passphrases vs. random passwords

A 6-word passphrase from a 7,776-word list gives ~77 bits of entropy and is easier to remember. Random passwords are stronger per-character but unmemorable. For your master password, password-manager unlock, or disk encryption, use a passphrase. For everything else, let the manager generate truly random.

When to rotate

NIST current SP 800-63B guidance (revised 2024) explicitly recommends against forced periodic rotation. Rotate when you have a reason: breach notification, shared device exposure, suspicious account activity. Forced 90-day rotation policies lead to weaker, more predictable passwords ("Spring2026!" then "Summer2026!").