How to use
- Pick a length with the slider — it starts at 20 characters, a sensible default for anything important.
- Tick the character sets the target site accepts. All four stay on unless you have a reason to drop one.
- Turn on Exclude look-alikes only if someone will read or retype the password manually.
- Press Generate new password (a password also appears as soon as the page loads, and regenerates whenever you change an option).
- Copy it with the button above the output and store it in a password manager — not a text file.
How it works
Every character is drawn with crypto.getRandomValues(), the browser’s cryptographically secure random number generator, using rejection sampling so each character in the pool is exactly equally likely. That last detail matters: the naive approach of taking a random 32-bit number modulo the pool size skews the odds towards the start of the pool. The skew is small, but “small bias” is not a phrase you want anywhere near your passwords, so this tool discards and redraws instead.
The entropy figure is the arithmetic of the process, not a guess about the output. With all four sets ticked the pool holds 94 characters, so each position contributes log₂(94) ≈ 6.55 bits. A 20-character password therefore carries about 131 bits of entropy: there are 94²⁰ ≈ 2.9 × 10³⁹ equally likely possibilities. At ten billion guesses per second, an attacker working through half of them needs around 4.6 × 10²¹ years — the crack-time stat runs this exact calculation live as you move the slider.
One structural note: because one character from each ticked set is guaranteed (so the output passes “must contain a digit” rules), the true keyspace is fractionally smaller than the headline number. For any length you’d actually use, the difference is far below one bit.
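The rejection sampling and entropy arithmetic described in this section, as an added example that is not this tool's own source code. The function names and the 94-character pool (printable ASCII from '!' to '~') are assumptions, and the one-character-per-set guarantee is left out. It goes one step beyond the text by enumerating every 8-bit draw, where the modulo skew is large enough to count by hand.

```javascript
// Added example: names below are illustrative, not the tool's own source.
// Browsers expose crypto globally; older Node versions need the fallback.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed pool: the 94 printable ASCII characters from '!' to '~'.
const POOL = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join("");

// Largest multiple of poolSize that fits in `bits` bits. Draws at or above
// this limit fall in the incomplete final block and must be discarded.
function acceptLimit(poolSize, bits = 32) {
  const range = 2 ** bits;
  return range - (range % poolSize);
}

// Unbiased index in [0, poolSize): redraw until the value is below the limit.
function randomIndex(poolSize) {
  const limit = acceptLimit(poolSize);
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % poolSize;
}

function generate(length, pool = POOL) {
  let out = "";
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return out;
}

// Enumerate every possible `bits`-wide draw and count how often each index
// comes up, with or without rejection. Small widths make the skew visible.
function indexCounts(poolSize, bits, reject) {
  const limit = reject ? acceptLimit(poolSize, bits) : 2 ** bits;
  const counts = new Array(poolSize).fill(0);
  for (let v = 0; v < limit; v++) counts[v % poolSize]++;
  return counts;
}

// Entropy in bits of `length` independent uniform draws from the pool.
const entropyBits = (length, poolSize) => length * Math.log2(poolSize);

const naive = indexCounts(94, 8, false); // indices 0..67 occur 3 times, 68..93 only 2
const fair = indexCounts(94, 8, true);   // every index occurs exactly 2 times
console.log(generate(20), entropyBits(20, 94).toFixed(1));
```

With 32-bit draws the same arithmetic leaves 42 leftover values, so the naive modulo favours the first 42 characters of the pool by one count each.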
Use cases & limitations
Reach for this tool when a signup form is in front of you and your password manager’s built-in generator isn’t — or when you need a shared secret that isn’t tied to any account, like a Wi-Fi password, a database credential, or a temporary access code. Since generation is instant and local, it also works offline once the page is loaded.
Two honest limitations. First, a generator cannot fix password reuse — a perfect 131-bit password pasted into five sites is still one breach away from being five breaches; check exposure with the password leak checker. Second, randomness makes passwords unmemorable by design. For the handful of secrets that must live in your head, generate a passphrase instead, and let a password manager hold the rest.
Privacy note
Generation happens entirely on your device. The page makes no network requests during generation, nothing is stored, and there is no way for us — or anyone else — to see what was produced. If you want to verify that claim rather than trust it, open your browser’s developer tools, watch the network tab, and generate away.