Random Password Generator
Generate strong, secure random passwords with custom length and character sets.
Passwords generated using crypto.getRandomValues(), cryptographically secure. Nothing is stored on any server. All generation runs locally in your browser.
What Is the Random Password Generator?
This password generator uses crypto.getRandomValues(), the browser's cryptographically secure random number API, to generate passwords that are genuinely unpredictable. Every character is chosen uniformly from the selected charset. The entropy meter tells you how strong each password is in bits.
- ›Uses crypto.getRandomValues(), not Math.random(), for cryptographic security
- ›Guarantees at least one character from each selected character set
- ›Optional: exclude ambiguous characters (0, O, I, l, 1) to prevent confusion
- ›Generate up to 10 passwords at once for variety
- ›Entropy meter shows strength from Very Weak to Very Strong
Formula
Password Entropy
H = L × log₂(N)
H = entropy in bits · L = password length · N = charset size
Charset sizes:
- ›Uppercase A–Z: 26 characters
- ›Lowercase a–z: 26 characters
- ›Digits 0–9: 10 characters
- ›Symbols !@#$…: 26 characters
- ›All four: 88 characters → 16-char password ≈ 109 bits entropy
How to Use
- 1Drag the length slider to your desired password length (6–64 characters)
- 2Check/uncheck character sets: uppercase, lowercase, numbers, symbols
- 3Optionally check "Exclude ambiguous" to remove look-alike characters
- 4Set how many passwords to generate (1–10)
- 5Click "Generate Password", the entropy meter updates in real time
- 6Click "Copy" next to any password to copy it to your clipboard
Example Calculation
A 20-character password with all character sets:
Length: 20
Entropy: 20 × log₂(88) ≈ 131 bits
Strength: Very Strong
Example output: kR#7mPv$2Nq&Xf9Yw@L
NIST SP 800-63 guideline
NIST recommends passwords of at least 8 characters. Security professionals recommend 16+ characters for accounts protecting sensitive information. 80+ bits of entropy is generally considered sufficient for most purposes.
Understanding Random Password Generator
Entropy vs. Length Table
| Length | Lower only | Lower+Upper | L+U+Digits | All sets | Strength |
|---|---|---|---|---|---|
| 8 | 38 bits | 46 bits | 48 bits | 53 bits | Weak |
| 12 | 56 bits | 68 bits | 71 bits | 79 bits | Fair |
| 16 | 75 bits | 91 bits | 95 bits | 105 bits | Strong |
| 20 | 94 bits | 114 bits | 119 bits | 131 bits | Very Strong |
| 32 | 150 bits | 182 bits | 190 bits | 210 bits | Excellent |
Frequently Asked Questions
Is this password generator secure?
Security is guaranteed by two factors: the randomness source and the local-only generation. No passwords are ever sent to any server.
- ›Uses window.crypto.getRandomValues(), CSPRNG backed by OS entropy
- ›All generation happens in your browser, no network requests
- ›The page is served over HTTPS, protecting against network sniffing
- ›Not using Math.random(), which is pseudorandom and not suitable for security
What is password entropy?
Entropy quantifies the information content of a password. Each bit of entropy doubles the number of guesses an attacker needs.
- ›40 bits: ~1 trillion guesses, crackable in hours with modern hardware
- ›60 bits: ~1 quintillion guesses, takes years on dedicated hardware
- ›80 bits: recommended minimum for sensitive accounts
- ›100+ bits: effectively uncrackable with current technology
- ›This tool shows ~bits of entropy based on charset and length
What does "Exclude ambiguous characters" do?
Ambiguous characters are those that can be easily misread, especially in certain fonts or at small sizes. Excluding them slightly reduces entropy but greatly improves usability.
- ›Removed from uppercase: I, O
- ›Removed from lowercase: l
- ›Removed from digits: 0, 1
- ›Charset shrinks slightly (e.g. digits: 10 → 8) but readability improves
- ›Recommended if the password will be typed manually
How long should my password be?
Longer passwords are exponentially harder to crack. With today's hardware, here are rough crack times for a random password with mixed case + digits + symbols:
- ›8 characters (53 bits): potentially crackable with specialised hardware
- ›12 characters (79 bits): very strong for most purposes
- ›16 characters (105 bits): practically uncrackable
- ›20 characters (131 bits): uncrackable for any foreseeable future
- ›Use a password manager, you only need to remember one master password
Should I use all character types?
Each additional character type significantly increases the charset size and therefore the entropy per character.
- ›Lowercase only (26): 16 chars → 75 bits
- ›Lower + upper (52): 16 chars → 91 bits
- ›Lower + upper + digits (62): 16 chars → 95 bits
- ›All four (88): 16 chars → 109 bits
- ›Adding one character type is equivalent to adding ~2–4 extra characters of length
Can I use generated passwords for my accounts?
Random generated passwords are far more secure than any memorable password. The key is using a password manager to store them.
- ›Copy using the Copy button, no need to type manually
- ›Store in a password manager (Bitwarden, 1Password, etc.)
- ›Use a unique password for every account
- ›Never reuse passwords, if one account is breached, others stay safe
Why not just use Math.random()?
Math.random() is fine for games and simulations but not for security. The difference is whether the sequence can be predicted by an attacker.
- ›Math.random(): deterministic PRNG, internal state is 64 bits in V8
- ›A 64-bit state is crackable, enough output reveals all future values
- ›crypto.getRandomValues(): seeded from hardware entropy (keyboard timing, CPU noise, etc.)
- ›Cryptographic RNGs are designed to resist state recovery attacks