Are these passwords truly random?

They use crypto.getRandomValues, a cryptographically secure random number generator built into your browser, with rejection sampling to avoid bias. That is far stronger than ordinary Math.random.

Password Generator Guide: How to Make Strong Passwords

Q: Are these passwords sent anywhere?

No. Passwords are generated entirely in your browser using the Web Crypto API (crypto.getRandomValues). Nothing is transmitted, logged, or stored on a server.

Q: How long should my password be?

Use at least 16 characters for important accounts. Length matters more than complexity — a longer password has exponentially more possible combinations, which is what defeats brute-force attacks.

What this tool does

The Password Generator builds a random password from the character types you choose. It uses the Web Crypto API (crypto.getRandomValues) — a cryptographically secure random source built into your browser — so the result is genuinely unpredictable, not the weak pseudo-randomness of Math.random. Everything happens on your device; no password is ever sent over the network.

How to use it

Open the Password Generator.
Drag the Length slider — 16 or more is a good default.
Tick the character types to include: lowercase, uppercase, numbers, and symbols.
Optionally tick Exclude ambiguous characters to drop look-alikes like l, 1, O, and 0 if you'll type the password by hand.
Watch the Strength meter update, then press Copy. Regenerate makes a fresh one any time.

Reading the strength meter

The meter estimates entropy in bits — a measure of how many guesses an attacker would need on average. More length and more character types both raise it:

Weak (under 40 bits) — fine for throwaway logins, risky for anything real.
Fair (40–69 bits) — acceptable for low-value accounts.
Good (70–109 bits) — solid for most accounts.
Strong (110+ bits) — comfortably beyond brute-force reach.

What actually makes a password strong

Length beats cleverness. Each extra character multiplies the number of possibilities, so a long random password is far stronger than a short "complex" one.
Randomness matters. Names, dates, and keyboard patterns are easy to guess; a generator removes that weakness.
Never reuse passwords. One leaked site shouldn't unlock the rest. Use a unique password per account and store them in a password manager.

Your passwords stay private

The generator runs entirely in your browser. Nothing you generate is uploaded, logged, or stored — close the tab and it's gone. That's why it's safe to use for real accounts.

FAQ

Are these passwords sent anywhere?

No. They're created locally with the Web Crypto API; nothing leaves the page.

How long should my password be?

At least 16 characters for anything important — length is the biggest factor in strength.

Are they truly random?

Yes — they use crypto.getRandomValues with rejection sampling to avoid bias, which is cryptographically secure.

Ready to try it? Open the Password Generator →

Password Generator: how to use it (and what makes a password strong)