Password Generator
Generate strong random passwords and see entropy strength in real time.
How it works
Strong passwords matter because most account compromises start with credential stuffing — attackers trying leaked password lists against random sites in the hope you reused the password. The defenses are length, randomness, and uniqueness across sites; this generator handles the first two, and a password manager handles the third.
Password strength is measured in bits of entropy. A truly random password drawn from a pool of P characters with length N has log₂(P^N) = N × log₂(P) bits of entropy. With all four character classes (lowercase, uppercase, digits, symbols), the pool is around 90 characters, so each character contributes about 6.5 bits. A 16-character random password has about 104 bits of entropy — far beyond what current attackers can crack.
Modern guidelines (NIST SP 800-63B) recommend a minimum of 12 characters for human-chosen passwords and longer for random ones. We default to 20 characters here, which gives ~130 bits of entropy with all classes enabled — practically uncrackable for the foreseeable future.
The "exclude ambiguous characters" option removes O/0/o/l/I/1/| from the pool. This is useful when you might need to read the password aloud or type it from a printed copy without a font that distinguishes those glyphs. It removes ~6 characters from the pool, costing about 1 bit per character.
The randomness here uses the browser's crypto.getRandomValues — the same cryptographically secure RNG used for TLS and other security-critical operations. It's not predictable from any input you've made or any other state available to the page.
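The pool, the N × log₂(P) entropy figure and the crypto.getRandomValues draw described above, as an added example that is not this site's own code. The symbol set, the function names and the rejection-sampling step (used so that mapping random bytes onto the pool is not skewed by modulo bias) are assumptions of the example.

```javascript
// Added example, not the generator's own source. Symbol set and names are assumptions.
// Browsers expose crypto globally; the fallback covers Node versions that do not.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const CLASSES = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", // 32 printable ASCII symbols (assumed set)
};
const AMBIGUOUS = "O0olI1|"; // the glyphs the text lists

// Build the character pool from the enabled classes.
function buildPool(opts = {}) {
  const { excludeAmbiguous = false, ...enabled } = opts;
  let pool = Object.keys(CLASSES)
    .filter((name) => enabled[name] !== false) // every class is on unless switched off
    .map((name) => CLASSES[name])
    .join("");
  if (excludeAmbiguous) pool = [...pool].filter((c) => !AMBIGUOUS.includes(c)).join("");
  if (pool.length < 2) throw new RangeError("pool needs at least two characters");
  return pool;
}

// Uniform index in [0, n) for n <= 256. Bytes at or above the largest multiple
// of n that fits in a byte are discarded, so `byte % n` carries no modulo bias.
function randomIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 20, opts = {}) {
  const pool = buildPool(opts);
  let out = "";
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return out;
}

// N x log2(P): holds only when every character is drawn uniformly at random.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}
```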
Best practice: use a password manager (1Password, Bitwarden, KeePass) and let it generate and store unique passwords for every site. You only need to remember one strong master password. For accounts that don't support a password manager (recovery codes, encrypted disks), generate a strong password here and write it down securely offline.
Frequently asked questions
How long should my password be?
20+ characters for important accounts. Longer is always better; complexity matters less than length.
Is this RNG secure?
Yes. It uses the browser's crypto.getRandomValues, the same RNG used for TLS handshakes.