Password Generator

Generate strong random passwords with customizable length and character sets

Length20

Count5

Uppercase (A–Z)Lowercase (a–z)Numbers (0–9)Symbols (!@#…)

Also try:Word Counter Case Converter Lorem Ipsum Generator Line Sorter Duplicate Line Remover Text Diff Regex Tester Markdown Preview Slug Generator

What is a Password Generator?

A password generator creates random strings of characters used as passwords for user accounts, API keys, database credentials, and encryption secrets. Unlike human-chosen passwords, generated passwords draw from the full space of possible character combinations, making them resistant to dictionary attacks and pattern-based guessing. This tool generates strong random passwords online using your browser's built-in cryptographic random number generator.

Password strength depends on two factors: length and character diversity. A 20-character password using uppercase, lowercase, digits, and symbols has roughly 131 bits of entropy. At that level, a brute-force attack testing one trillion guesses per second would need longer than the age of the universe to try every combination. The math is straightforward: entropy = length x log2(charset size).

Standards like NIST SP 800-63B recommend passwords of at least 8 characters with no upper limit enforced by the verifier, and discourage forced composition rules such as requiring exactly one symbol, favoring longer passphrases instead. For machine-to-machine credentials and service accounts, 20 or more random characters drawn from a full character set is the accepted baseline in most security frameworks and compliance regimes.

Why Use a Password Generator?

Humans are poor random number generators. We reuse passwords, pick dictionary words, substitute letters with predictable patterns (@ for a, 3 for e), and default to short strings. A password generator removes human bias from the process.

🔐

Privacy-first generation

Passwords are generated entirely in your browser using the Web Crypto API. No characters leave your device, nothing is logged, and no network requests are made during generation.

⚡

Instant batch output

Generate up to 20 passwords at once with a single click. Copy individual passwords or all of them at once for provisioning scripts or credential vaults.

🛡️

No account required

No sign-up, no email, no cookies tracking your generated passwords. Open the page, configure your options, and generate.

🎛️

Full character set control

Toggle uppercase, lowercase, digits, and symbols independently. Set length from 4 to 128 characters to match the requirements of any system or policy.

Password Generator Use Cases

Frontend Development

Generate test passwords for form validation, input length testing, and authentication flow development. Verify that your login forms handle 128-character passwords and special characters correctly.

Backend & DevOps

Create database credentials, API tokens, and service account passwords during infrastructure setup. Use batch generation to provision multiple services in a single session.

Security Engineering

Generate high-entropy secrets for encryption keys, HMAC signing, and JWT secret rotation. Set length to 64+ characters for secrets that need to exceed 256 bits of entropy.

QA & Penetration Testing

Test password policy enforcement by generating strings that include or exclude specific character sets. Verify that systems correctly reject passwords below minimum length or complexity.

Data Engineering

Generate random credentials for test environments, staging databases, and CI/CD pipeline secrets. Avoid reusing production passwords in test data by generating fresh ones per environment.

Personal Account Security

Create unique passwords for each online account. Pair this generator with a password manager to store credentials you do not need to memorize.

Password Entropy Reference

Entropy measures how unpredictable a password is. It is calculated as log2(charset_size ^ length). Higher entropy means more possible combinations for an attacker to search through. NIST and OWASP recommend at least 80 bits of entropy for high-security applications.

Length	Character Set	Entropy	Brute-Force Time
8	lower + digits	~41 bits	Minutes to hours
12	lower + upper + digits	~71 bits	Centuries (offline)
16	all character sets	~105 bits	Beyond brute-force
20	all character sets	~131 bits	Beyond brute-force
32	all character sets	~210 bits	Beyond brute-force
64	all character sets	~419 bits	Beyond brute-force

Crack times assume 1 trillion guesses per second (offline attack with modern GPUs). Online attacks with rate limiting are orders of magnitude slower.

CSPRNG vs Math.random() for Password Generation

The source of randomness matters as much as password length. A password generated with a predictable random number generator can be reconstructed by an attacker who knows the algorithm and seed state. This tool uses crypto.getRandomValues(), which is a cryptographically secure pseudorandom number generator (CSPRNG) built into every modern browser.

crypto.getRandomValues()

Uses operating system entropy sources (hardware RNG, interrupt timing, etc.). Output is unpredictable even if an attacker knows all previous outputs. Required by the W3C Web Crypto specification for security-sensitive operations.

Math.random()

Uses a deterministic algorithm seeded from a limited entropy pool. Output can be predicted if the seed state is known. The ECMAScript specification explicitly states that Math.random() does not provide cryptographically secure random numbers. Never use it for password generation.

Code Examples

Generate passwords programmatically in different languages. Every example below uses a cryptographically secure random source, not Math.random() or equivalent weak PRNGs.

JavaScript (Web Crypto API)

// Generate a random password in the browser or Node.js 19+
function generatePassword(length = 20) {
  const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*'
  const values = new Uint32Array(length)
  crypto.getRandomValues(values)
  return Array.from(values, v => charset[v % charset.length]).join('')
}

console.log(generatePassword())    // → "kR7!mZp$Xw2&nLq9@Yf3"
console.log(generatePassword(32))  // → "Hd4%tNx!Qw8#mKp2Rv6&Zj0*Ls3Yb7@"

Python

import secrets
import string

def generate_password(length: int = 20) -> str:
    """Generate a cryptographically secure random password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return ''.join(secrets.choice(alphabet) for _ in range(length))

# Single password
print(generate_password())      # → "kR7!mZp$Xw2&nLq9@Yf3"

# Batch of 5 passwords
for _ in range(5):
    print(generate_password(24))

# Ensure at least one char from each category
def generate_strong(length: int = 20) -> str:
    required = [
        secrets.choice(string.ascii_uppercase),
        secrets.choice(string.ascii_lowercase),
        secrets.choice(string.digits),
        secrets.choice(string.punctuation),
    ]
    remaining = length - len(required)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    all_chars = required + [secrets.choice(alphabet) for _ in range(remaining)]
    secrets.SystemRandom().shuffle(all_chars)
    return ''.join(all_chars)

CLI (OpenSSL / /dev/urandom)

# OpenSSL — generate 32 random bytes, base64-encode
openssl rand -base64 32
# → "x7Kp2mNqR4wZ8vLs1Yb0Hd6tFj3Xc9Ga5eUi+Wo="

# /dev/urandom with tr — alphanumeric + symbols, 20 chars
tr -dc 'A-Za-z0-9!@#$%^&*' < /dev/urandom | head -c 20; echo
# → "kR7!mZp$Xw2&nLq9@Yf3"

# pwgen (install: apt install pwgen / brew install pwgen)
pwgen -sy 20 5
# Generates 5 passwords, 20 chars each, with symbols

package main

import (
    "crypto/rand"
    "fmt"
    "math/big"
)

func generatePassword(length int) (string, error) {
    charset := "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()"
    result := make([]byte, length)
    for i := range result {
        idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
        if err != nil {
            return "", err
        }
        result[i] = charset[idx.Int64()]
    }
    return string(result), nil
}

func main() {
    pwd, _ := generatePassword(20)
    fmt.Println(pwd) // → "kR7!mZp$Xw2&nLq9@Yf3"
}

Frequently Asked Questions

How long should a password be?

For user accounts, 16 characters from a mixed character set provides over 100 bits of entropy, which is sufficient for all current threat models. For machine secrets (API keys, encryption keys), use 32 characters or more. NIST SP 800-63B sets a minimum of 8 characters but recommends that systems allow much longer passwords without truncation.

Is this password generator safe to use?

Yes. Passwords are generated in your browser using the Web Crypto API (crypto.getRandomValues). No data is sent to any server. You can verify this by opening your browser's network tab and observing that no requests are made when you click Generate. The source code is client-side JavaScript, visible in your browser's developer tools.

What is password entropy?

Entropy is a measure of randomness expressed in bits. A password with N bits of entropy has 2^N possible values. For example, a 20-character password drawn from 95 printable ASCII characters has log2(95^20) = 131.1 bits of entropy. Each additional bit doubles the number of guesses an attacker needs.

Should I include symbols in my passwords?

Including symbols increases the character set from 62 (letters + digits) to 95 (printable ASCII), which adds about 6.1 bits of entropy per character. Some systems restrict which symbols are allowed. If a system rejects certain symbols, disable the symbols option and compensate with a longer password. A 24-character alphanumeric password has more entropy than a 16-character password with symbols.

Why not use Math.random() to generate passwords?

Math.random() is not cryptographically secure. Most JavaScript engines implement it with xorshift128+ or a similar fast PRNG that is designed for simulation and games, not security. An attacker who observes a few outputs can recover the internal state and predict all future outputs. The Web Crypto API uses operating system entropy sources that are not predictable.

Can I use generated passwords for API keys and tokens?

Yes, but consider the format requirements of your target system. Some APIs expect base64-encoded keys or hex strings rather than arbitrary characters. For raw secret generation, use the full character set at 32+ characters. For base64 keys, generate random bytes and encode them separately rather than treating base64 as a password character set.

How often should I rotate passwords?

NIST SP 800-63B (2017, updated 2024) recommends against forced periodic rotation for user passwords because it leads to weaker password choices. Rotate only when there is evidence of compromise. For machine secrets and service accounts, rotate based on your organization's risk model, typically every 90 days for high-privilege credentials.