Password generator

Generate cryptographically secure passwords. All generation happens in your browser — nothing is sent to any server.


How passwords are generated

This generator uses the browser's crypto.getRandomValues() API — a cryptographically secure pseudorandom number generator (CSPRNG) backed by the operating system's entropy source. This is the same randomness source used by cryptographic libraries, making generated passwords resistant to prediction.

The character pool is assembled from your selected options: uppercase letters (26), lowercase letters (26), digits (10), and symbols (~32 printable ASCII symbols). A random index is drawn from the full pool for each character position. Password strength grows exponentially with length: an 8-character password using all character types has 94⁸ ≈ 6 × 10¹⁵ combinations; a 16-character password has 94¹⁶ ≈ 3.7 × 10³¹. At 1 trillion guesses per second, cracking a 16-character random password would take over a trillion years. The generated password is never sent anywhere; all generation is local. Use a password manager to store and autofill generated passwords.
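
One way to draw each index from the pool without modulo bias, as an added example that is not this page's own code. The symbol set, the option names and all function names are assumptions; the random source can be swapped for a constructed byte stream when testing.

```javascript
// Added example: Web Crypto global, with Node's webcrypto as a fallback for offline runs.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Character classes; the exact 32-symbol set is an assumption (printable ASCII punctuation).
const CLASSES = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};

// Assemble the pool from the selected options (option names are hypothetical).
function buildPool(opts) {
  return Object.keys(CLASSES).filter((k) => opts[k]).map((k) => CLASSES[k]).join('');
}

// Unbiased index in [0, n): discard bytes at or above the largest multiple of n <= 256,
// so every index is backed by the same number of byte values.
function randomIndex(n, fill = (buf) => rng.getRandomValues(buf)) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('pool size must be 1..256');
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  for (;;) {
    fill(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

function generatePassword(length, opts, fill) {
  const pool = buildPool(opts);
  if (pool.length === 0) throw new Error('select at least one character class');
  let out = '';
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length, fill)];
  return out;
}

// Entropy of a uniformly random password, in bits.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// What plain `byte % n` would do: count how many of the 256 byte values land on each index.
function naiveModuloCounts(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}
```

For the full 94-character pool, `naiveModuloCounts(94)` shows indices 0 to 67 backed by three byte values and 68 to 93 by two, which is the skew the rejection step removes.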

Frequently asked questions

Is the password generated securely?

Yes. This generator uses window.crypto.getRandomValues() — the browser's cryptographically secure random number generator, backed by the OS entropy pool. It is the same source used for cryptographic operations and is not predictable.

Is my generated password stored anywhere?

No. Password generation runs entirely in your browser with JavaScript. No network request is made, and the password is never transmitted or logged anywhere. Close the tab and the password is gone — which is why you should copy it immediately into a password manager.

How long should my password be?

A minimum of 16 characters is recommended for important accounts (email, banking, work). 12 characters is acceptable for lower-risk accounts. Length matters more than complexity — a 20-character random lowercase-only password is stronger than an 8-character mixed-character password.

What makes a password strong?

Strong passwords are: long (16+ characters), random (not based on dictionary words or patterns), unique (used for only one account), and stored securely in a password manager rather than memorised or written down. Avoid substitutions like @ for a or 3 for e — these are well-known to attackers.
