WebToolsPlanet
generator Tools

Password Generator

Generate cryptographically secure random passwords using crypto.getRandomValues() — customizable length, character sets, and entropy calculation.

Last updated: March 25, 2026

Used 43K+ times
Client-Side Processing
Input Data Stays on Device
Instant Local Execution

What users say

I generate service account passwords here weekly. The entropy indicator and no-server-send policy make this the only online generator I trust for work use.
Raj D.IT Administrator

Find this tool useful? Support the project to keep it free!

Buy me a coffee

What is Password Generator?

A strong password is your first-line defense against unauthorized account access — but human-chosen passwords are predictably weak. Studies by security researchers consistently find that users choose passwords from a small vocabulary of dictionary words, names, and common patterns, making them vulnerable to dictionary attacks and credential stuffing. Random password generators solve this by creating passwords with maximum entropy relative to their length.

This generator uses `crypto.getRandomValues()` — the Web Cryptography API's cryptographically secure pseudorandom number generator (CSPRNG) — to select characters. Unlike Math.random() (which uses a predictable mathematical algorithm), crypto.getRandomValues() draws from the operating system's entropy pool (hardware interrupts, thermal noise, disk timing) and is approved for cryptographic use by NIST. Generated passwords are never transmitted to any server — the entire process runs in your browser's JavaScript memory.

How to Use Password Generator

1

Set the password length using the slider (16+ characters recommended for most accounts, 20+ for high-security)

2

Toggle the character sets you want to include: Uppercase (A-Z), Lowercase (a-z), Numbers (0-9), Symbols (!@#$%^&*)

3

Click "Generate Password" to create a new random password — the entropy meter shows how strong it is in bits

4

Click "Copy" to copy the password to your clipboard (avoid typing it manually to prevent keyboard logging)

5

Click "Generate" again for a different password — each generation is independent and equally random

Common Use Cases

  • Creating a unique, strong password for a new account — never reuse passwords across services
  • Generating a temporary password for a team member account that they will reset after first login
  • Creating database credentials: randomly generated POSTGRES_PASSWORD for Docker Compose files
  • Generating API keys and secret values for .env files when a service doesn't generate them automatically
  • Creating a strong master password for a password manager (KeePass, Bitwarden local vault)
  • Generating encryption passphrase for a GPG key or VeraCrypt volume
  • Creating a Wi-Fi passphrase for a router — long and random prevents neighbor brute force
  • Generating a one-time password (OTP) for a paper-based emergency access code

Example Input and Output

Generating passwords for different security requirements:

Configuration
Config 1: Length=16, Uppercase+Lowercase+Numbers
Config 2: Length=20, All character types (+ Symbols)
Config 3: Length=32, All character types (high security)
Generated passwords with entropy
Config 1 (length 16, 62-char alphabet):
→ "Kp7MtXq2RnLb9YwZ"
→ Entropy: ~95 bits (very strong)
→ Crack time at 1B guesses/sec: years

Config 2 (length 20, 94-char alphabet):
→ "f#3Kx!mQ0Ln$P7vR@9Wz"
→ Entropy: ~130 bits (excellent)
→ Crack time: effectively uncrackable

Config 3 (length 32, all chars):
→ "v8!qX@2mK#Tp$9Ln^0Rj%5Ws&7Yb*4Fd"
→ Entropy: ~210 bits (cryptographic grade)

Complete Privacy

Passwords are generated using crypto.getRandomValues() purely in your browser. No generated password is transmitted to our servers at any point. You can disable your internet connection after loading this page and the generator will continue to work identically.

Use a Password Manager

Generated passwords are only valuable if you can remember or retrieve them. Store every generated password in a password manager: Bitwarden (free, open-source), 1Password, Dashlane, or KeePass (local). A password manager allows unique 20+ character random passwords on every site without memorization — this is the single most effective password security improvement for most people.

Browser Clipboard Security

The browser clipboard is accessible to any JavaScript running on other tabs in some browser configurations. After copying a password, paste it into your password manager immediately, then clear the clipboard with a benign copy (copy any other text). On macOS: clipboard managers like Raycast automatically hide password-like strings. On Windows: Windows Clipboard History (Win+V) may log copied passwords — disable "Clipboard History" in Settings → System → Clipboard for security-sensitive workflows.

Frequently Asked Questions

What is password entropy and why does it matter?
Entropy (measured in bits) quantifies how unpredictable a password is. It is calculated as: entropy = log2(alphabetSize^length) = length × log2(alphabetSize). A 16-character password from a 62-character set (uppercase + lowercase + digits) has 16 × log2(62) ≈ 95 bits of entropy. Each additional bit of entropy doubles the number of guesses required to crack it. NIST SP 800-63B recommends a minimum of 112 bits of entropy for federal systems; 128+ bits provides security beyond current computing capabilities.
Why is crypto.getRandomValues() more secure than Math.random()?
Math.random() uses a Mersenne Twister or similar deterministic PRNG seeded with a simple value (often the system clock). If an attacker can observe some Math.random() outputs, they can predict future outputs and reconstruct all past values — this is called a linear feedback shift register attack. crypto.getRandomValues() collects entropy from hardware sources (CPU thermal variance, disk seek timing, interrupt timing) through the OS kernel's entropy pool (/dev/urandom on Linux), making prediction computationally infeasible.
How long should a password be?
NIST SP 800-63B guidance (2024): minimum 8 characters for user-chosen, no maximum length enforced. Security recommendations: 12 characters minimum for most accounts, 16+ for sensitive accounts (email, banking), 20+ for password manager master passwords, 32+ for encryption keys and system credentials. Password length matters more than complexity (a 20-char lowercase password beats a 10-char mixed password). The key insight: time-to-crack grows exponentially with length but only linearly with alphabet size.
Should I use a passphrase instead of a random password?
Passphrases (4-5 random words: "correct horse battery staple") are easier to remember and still very strong: 4 words from a 7,776-word wordlist (Diceware) gives log2(7776^4) ≈ 51 bits — adequate for most uses. Random passwords achieve higher entropy per character (6 bits/char for base94 vs ~12.9 bits/word × fewer words). For accounts where you must type the password without a manager, passphrases are more practical. For auto-filled credentials, random passwords are more space-efficient and equally secure.
Should I include symbols? Some sites block them.
Symbols expand the alphabet from 62 to 94 characters — a modest entropy improvement (log2(94) = 6.56 bits/char vs log2(62) = 5.95 bits/char for alphanumeric). If a site rejects symbols, an alphanumeric password a few characters longer provides equivalent security. Some sites restrict to a specific subset of symbols — if your generated password is rejected, regenerate without symbols and compensate with 2–4 extra characters in length. Never repeat a rejected password across other sites.
Is the generated password visible to this website?
No. The password is generated and lives entirely in your browser's JavaScript memory — it is rendered to the DOM (the password field on this page) and copied to your clipboard locally. No network request is made. You can verify this by opening the browser Network tab before generating a password and confirming zero outbound requests occur. The generation code uses window.crypto.getRandomValues(), a browser-native API that runs with no external dependencies.

How This Tool Works

A character pool string is assembled from the selected character sets (uppercase A-Z + lowercase a-z + digits 0-9 + symbols). A Uint32Array of the requested password length is filled by crypto.getRandomValues(). Each random value is mapped to a character index using the modulo operation: chars[randomValue % chars.length]. This uniform sampling approach with crypto.getRandomValues() produces a statistically uniform distribution across the character pool with cryptographic security guarantees.

Technical Stack

crypto.getRandomValues() CSPRNGUint32Array entropy bufferShannon entropy calculatorClient-side only

Security and Auth Workflow

Generate safer credentials, inspect tokens, verify signatures, and compare hash outputs from the same family.

Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text.
JWT Decoder
Decode and inspect JSON Web Tokens (JWT) without validation.
MD5 Generator
Instantly generate MD5 hashes from any text for checksums and data verification.
SHA Hash Generator
Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes from text instantly in your browser.
Password Strength Checker
Test how secure your password is — get an entropy score, estimated crack time, and actionable tips.
JWT Debugger
Decode, inspect, and verify JSON Web Tokens (JWT) locally.

Related Tools

Password Strength Checker
Test how secure your password is — get an entropy score, estimated crack time, and actionable tips.
JWT Decoder
Decode and inspect JSON Web Tokens (JWT) without validation.
JWT Debugger
Decode, inspect, and verify JSON Web Tokens (JWT) locally.
Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text.
MD5 Generator
Instantly generate MD5 hashes from any text for checksums and data verification.
SHA Hash Generator
Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes from text instantly in your browser.