Password Generator
Strong random passwords and passphrases, generated locally.
This password generator builds strong random passwords and memorable passphrases entirely in your browser, with nothing ever sent to a server. It runs on crypto.getRandomValues, the same cryptographically secure source your operating system uses for SSH and TLS keys, and adds rejection sampling so no character is favored by modulo bias. Pick a length from 8 to 128, toggle uppercase, lowercase, digits and symbols, or exclude lookalike characters like 0, O, 1, l and I. Switch to passphrase mode for 4 to 8 words a human can actually type. Every result shows its real entropy in bits, computed from the pool you selected, plus one-click copy and batches of five.
100% in your browser. Nothing you type ever leaves this page.
Local password generator with real entropy, passphrase mode and zero network calls
Click the button, get a password. That's it. Everything runs in your browser with the cryptographic random number generator your browser already ships (crypto.getRandomValues, the same source your bank's frontend uses), so nothing you generate ever touches a server. Not mine, not anyone's. You can check the network tab if you don't believe me. I would.
Pick a length, toggle the character sets, or flip over to passphrase mode if you want something a human can actually type. Each result shows its real entropy in bits, computed from the actual pool you selected, not some feel-good meter.
100% client-side. No password is ever sent, stored or logged anywhere. The randomness comes from your own browser's CSPRNG and the results live only on this page until you leave it.
How this password generator makes randomness
This password generator only ever calls crypto.getRandomValues, the Web Crypto cryptographically secure random source, never Math.random. Math.random is a pseudorandom generator built for animations and dice games. It was never designed to resist an attacker, its internal state can be reconstructed from a handful of outputs, and a password tool built on it is a toy. The secure source here is fed from your operating system's entropy pool, the same place SSH keys and TLS session keys come from.
There is one more trap. Mapping a raw 32-bit number onto an 88-character pool with a naive modulo skews the distribution, an effect called modulo bias. So this generator uses rejection sampling: any value that would land in the biased zone gets thrown away and redrawn, and every character in the pool has exactly the same probability of being picked.
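The rejection sampling described above, as an added example (not this tool's own source code). The function names and the injectable `fill` parameter are assumptions made for the illustration; the 88-symbol pool size is the one the text uses.

```javascript
// Added example. Names below are illustrative, not the tool's own code.
const RANGE = 2 ** 32; // how many distinct values one Uint32 can hold

// Default source is the Web Crypto CSPRNG; injectable so the logic is testable.
const webCryptoFill = (buf) => globalThis.crypto.getRandomValues(buf);

// Largest multiple of poolSize that fits in 2^32. Draws at or above it form
// the biased zone: with a plain modulo they would give the first
// (2^32 % poolSize) symbols one extra chance each (48 of 88 for this pool size).
function acceptLimit(poolSize) {
  return RANGE - (RANGE % poolSize);
}

// Uniform index in [0, poolSize): redraw until the value is below the limit.
function uniformIndex(poolSize, fill = webCryptoFill) {
  if (!Number.isInteger(poolSize) || poolSize < 1 || poolSize > RANGE) {
    throw new RangeError("poolSize must be an integer between 1 and 2^32");
  }
  const limit = acceptLimit(poolSize);
  const buf = new Uint32Array(1);
  do {
    fill(buf);
  } while (buf[0] >= limit);
  return buf[0] % poolSize;
}

// pool is a string of characters (password) or an array of words (passphrase).
function generate(count, pool, separator = "", fill = webCryptoFill) {
  const symbols = Array.from(pool);
  const picked = [];
  for (let i = 0; i < count; i++) {
    picked.push(symbols[uniformIndex(symbols.length, fill)]);
  }
  return picked.join(separator);
}

// Entropy in bits: log2(poolSize ** count) = count * log2(poolSize).
function entropyBits(count, poolSize) {
  return count * Math.log2(poolSize);
}
```

Passing a word list and a "-" separator to `generate` gives passphrase mode with the same unbiased selection.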
What makes a password strong in 2026
Length, honestly mostly length. A modern cracking rig grinds through billions of guesses per second against a fast hash, and every character you add multiplies the search space by the size of your pool. A 20-character random password from the full pool here lands around 128 bits of entropy, beyond anything brute force will touch in your lifetime. The second half of strong is unique: the most common way accounts fall is credential stuffing, where a password that one site leaked in 2017 gets replayed against every major service.
- 16 characters minimum for anything you care about. 20+ for admin accounts, email and money.
- One password per site. Reuse is how breaches spread. There is no clever exception.
- Entropy over rules. A forced symbol at the end of a word fools no one. Random beats clever every single time.
- 2FA on top. Even a perfect password can be phished on a bad Tuesday.
Passphrases versus passwords
A random 20-character password from this tool carries roughly 128 bits of entropy. A 6-word passphrase from the embedded 300-word list carries about 49 bits, and 8 words gets you to 66. The character soup wins on raw numbers, no contest. And yet I would still hand most people the passphrase, because the failure mode that actually happens is not someone brute-forcing 66 bits, it is a person who cannot type their WiFi password to a guest and downgrades to their cat's name. A phrase like maple-cobalt-river-lantern-wheat is something you can say out loud, type on a phone keyboard, even remember after a few uses. Use random characters for anything a password manager fills automatically, and passphrases for the handful of secrets a human has to handle.
Just use a password manager
A generator is a band-aid if you are still memorizing passwords. The actual fix is a manager that generates, stores and fills a different random password for every account, so the only secret in your head is one strong master passphrase made of words. Bitwarden is free and open source, KeePassXC if you want the database file under your own control, and the built-in managers in browsers have gotten genuinely decent. Any of them beats human memory. Generate your master passphrase here, 6 or 7 words, write it on paper for the first week, then let the manager do everything else forever.
Frequently asked questions
Is anything I generate sent to a server?
No. The whole tool is a small script running in your page. There are no network calls, no analytics hooks on the passwords, no storage. Close the tab and the passwords are gone. If you are the verifying type, open your browser dev tools on the network tab and generate away: nothing fires.
Why crypto.getRandomValues instead of Math.random?
Math.random is predictable by design. Its output can be reverse-engineered from a few samples, which is fatal for a password. crypto.getRandomValues pulls from your operating system's cryptographic entropy pool, the same source used for encryption keys. This tool also applies rejection sampling on top, so no character in the pool is ever favored by modulo bias.
How long should a password be in 2026?
16 characters is my floor for anything that matters, and 20 or more for email, admin panels and money. Length is the cheapest strength you can buy: each extra random character multiplies an attacker's work by the pool size. Past 20 random characters you are comfortably beyond brute force for decades.
Are passphrases as strong as random passwords?
Bit for bit, no. A 5-word phrase from a 300-word list is about 41 bits, while 20 random characters is around 128. But a passphrase you can actually remember and type beats a perfect password you write on a sticky note. Use 6 to 8 words for anything important, and save random characters for what a manager autofills.
What does the entropy number mean?
It counts unpredictability in bits, and every added bit doubles the guesses an attacker needs on average. The tool computes it honestly: the number of possible passwords is pool size to the power of length, and the entropy is log2 of that, which works out to length times log2 of the pool size. So 20 characters from an 88-character pool is 20 times 6.46, about 129 bits. Anything above 80 bits is out of reach for offline cracking today.