Skip to content

Generate a Strong Random Password

A good password is random, long, and used exactly once — three things human brains are bad at producing. This generator uses your browser's cryptographically secure random number generator with unbiased sampling, entirely on your device. Nothing is transmitted, logged, or stored: the password exists only on your screen until you copy it somewhere safe.

The actual tool runs in our ad-free secure workspace — nothing on this page processes your file.

Open Password Generator

What this tool does

  • Generates passwords using the browser's cryptographically secure RNG (crypto.getRandomValues), not a predictable pseudo-random shortcut.
  • Samples characters without modulo bias, so every character position is uniformly random across your chosen set.
  • Lets you configure length and character classes — lowercase, uppercase, digits, symbols — including excluding look-alike characters.
  • Shows an honest entropy estimate in bits, so 'how strong is this?' has a number instead of a color bar.
  • Regenerates instantly and never keeps history — each password vanishes when you leave.

Your privacy on this tool

Stays on your device

  • Randomness comes from your own device's CSPRNG; generation happens entirely in the page.
  • No generated password is ever transmitted, logged, cached, or stored — by design there is nothing to breach.
  • The tool makes no network requests during generation, which you can verify in your browser's developer tools.

Reaches our server: nothing

This tool makes no upload. Your content is processed entirely in your browser.

How to use it

  1. Open the generator at /app/password-generator.
  2. Set the length — 16 characters or more is a sensible default for accounts; go longer for anything critical.
  3. Pick character classes; keep symbols on unless a site refuses them.
  4. Generate, and copy the result directly into your password manager.
  5. If you need to send it to someone, use a secure secret link — not chat or email.
Open Password Generator

Common uses

  • Creating a unique password for every new account, stored in a password manager rather than memory.
  • Rotating a password after a breach notification from a service you use.
  • Generating strong one-off passwords for encrypted files and vaults.
  • Producing device or router admin passwords that will live in a manager, not on a sticky note.
  • Creating temporary passwords for accounts you provision for others, delivered via one-time secret link.

Supported formats

  • Configurable character sets: lowercase, uppercase, digits, symbols; adjustable length

Works in every modern browser on any device — the Web Crypto API it relies on is universally supported.

Limitations & security notes

Limitations

  • A generated password only helps if it is stored safely — without a password manager, long random strings end up reused or written down, defeating the point.
  • Some sites cap length or reject symbols; the options exist to work around bad password policies, not because shorter is fine.
  • The generator cannot fix the ecosystem: if a site stores passwords badly, your excellent password is still exposed in their breach — uniqueness per site is what contains that damage.
  • SecretPNG is in beta and has not been independently audited.

Security notes

  • Cryptographic randomness matters: passwords derived from time, Math.random(), or human keyboard-mashing have structure attackers exploit. CSPRNG output does not.
  • Unbiased sampling is a subtle but real requirement — naive modulo mapping makes some characters more likely than others, quietly shaving off entropy.
  • Length beats complexity: a 20-character lowercase-only password is stronger than an 8-character everything-allowed one.
  • Never reuse even a strong password; uniqueness is what turns 'their breach' into 'not your problem'.
  • For passwords you must remember and type, a passphrase is usually the better tool — see the passphrase generator.

Frequently asked questions

How is this different from mashing keys or making something up?
Human-invented passwords cluster hard: names, dates, keyboard walks, and predictable substitutions like '@' for 'a'. Cracking tools are built around exactly those habits. A CSPRNG has no habits — every output is uniformly random over the character space, which forces attackers into raw brute force at full cost.
Can you or anyone else see the passwords I generate?
No. Generation is a purely local computation — the page makes no network request when you click generate, keeps no history, and stores nothing. Open your browser's network inspector and watch: nothing leaves. When you close the tab, the password exists only where you pasted it.
How long should my password actually be?
For accounts stored in a password manager, 16–20 characters with mixed classes is comfortably beyond practical attack. For high-value targets — email, banking, your password manager itself — go to 24 or more, or use a six-word passphrase. Length is the cheapest security you can buy; you paste it either way.
Should I use a password or a passphrase?
Random character passwords are ideal when a manager types them for you. Passphrases — several random words — win when a human must remember or type the secret: your master password, disk encryption, or a Wi-Fi key you read out to guests. Our passphrase generator draws from the EFF wordlist for exactly those cases.
Is the entropy number it shows meaningful?
Yes — it is log2(character-set size) multiplied by length, the standard measure of guessing difficulty for uniformly random strings. Around 77 bits or more is a solid target; each additional bit doubles the attacker's work. The number is honest math, not a marketing meter.

Related tools

Was this tool helpful?

Last reviewed: 2026-07-14Open Password Generator

SecretPNG is in beta and has not been independently audited. Security status.