keptlocal
Files never leave your browser

Password Generator

Generate secure random passwords free in your browser — no signup, no account, nothing stored. Choose length and character sets, copy instantly. All randomness uses your browser's cryptographic API.

How to generate a strong password

  1. The tool generates a password automatically when the page loads — you can use it immediately or adjust the options first.
  2. Set the length using the slider. 16 characters is the recommended minimum for accounts that matter. For high-value accounts (banking, email, password manager master password), use 24 characters or more.
  3. Select your character sets. All four — uppercase, lowercase, numbers, and symbols — are checked by default. More character types mean more possible combinations per character, raising the entropy.
  4. Enable "Exclude ambiguous characters" if the password needs to be typed by hand. This removes characters that look alike in common fonts: 0 and O, l and 1 and I.
  5. Click Generate password to produce a new one. Click as many times as you like — each generation is independent.
  6. Click Copy to copy the password to your clipboard, then paste it directly into your password manager or signup form.

All randomness comes from window.crypto.getRandomValues — the browser's cryptographic random number generator. Nothing is sent to a server. Open DevTools → Network while generating to confirm zero outbound requests.

What makes a password strong

Password strength is primarily a function of entropy — the number of possible combinations an attacker would have to try to guess it by brute force. Entropy is measured in bits. Each additional bit doubles the number of possible passwords.

Two factors drive entropy: length and character set size. A 16-character password using all four character types (uppercase, lowercase, numbers, symbols — roughly 94 printable ASCII characters) has about 105 bits of entropy. A modern GPU cluster can check billions of password candidates per second. At that rate, 105 bits of entropy would take longer than the age of the universe to crack by brute force — which is why length matters far more than clever substitutions.

Common "clever" patterns — replacing letters with numbers (p@ssw0rd), using a pet's name with a number appended, or reversing a word — are not clever to an attacker. Password cracking tools include massive dictionaries of these patterns. A randomly generated 16-character password has no pattern to exploit, which is why randomly generated passwords beat memorable ones at every length.

  • 8 characters: Minimum for low-stakes sites. Brute-forceable with specialized hardware given time — avoid for anything sensitive.
  • 12–16 characters: Good for most accounts. 12 random characters from a full charset is computationally infeasible to crack today.
  • 20+ characters: Recommended for email accounts, password managers, banking, and anything where a breach would have major consequences.
  • Never reuse passwords. If one service is breached and hashes are cracked, every account using the same password is compromised. One password per site, always.

How the randomness works

This tool uses window.crypto.getRandomValues, which is specified in the Web Cryptography API and implemented in every modern browser. It fills a typed array with cryptographically secure random bytes drawn from the operating system's entropy source — the same source used by banking software, VPNs, and encryption tools.

It is fundamentally different from Math.random(), which is a non-cryptographic pseudorandom number generator (PRNG): a deterministic algorithm whose output looks random but is predictable to anyone who knows the seed or the algorithm state. Math.random() must never be used for security-sensitive operations. crypto.getRandomValues is the correct choice.

The character selection works like this: for a password of length n, the tool generates n unsigned 32-bit integers using crypto.getRandomValues, then maps each integer to a character in the charset using modulo. The modulo introduces a small bias when the charset size does not evenly divide 2³², but for charset sizes up to a few hundred characters, the bias is negligible for practical password security.
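The selection step above and the entropy figure from "What makes a password strong", as an added example (not this tool's source code). It uses rejection sampling in place of the plain modulo the page describes, which removes the bias entirely; all function names and option keys are hypothetical.

```javascript
// Added example: names and option keys are hypothetical, not the tool's source.
// Browsers expose this as window.crypto; the fallback covers older Node.js.
const rng = globalThis.crypto || require("node:crypto").webcrypto;

const AMBIGUOUS = "0Ol1I"; // the look-alike characters the page lists

// Build the charset from printable ASCII (codes 33..126, 94 characters).
function buildCharset({ upper = true, lower = true, digits = true,
                        symbols = true, excludeAmbiguous = false } = {}) {
  let out = "";
  for (let code = 33; code <= 126; code++) {
    const ch = String.fromCharCode(code);
    const keep = /[A-Z]/.test(ch) ? upper
               : /[a-z]/.test(ch) ? lower
               : /[0-9]/.test(ch) ? digits
               : symbols;
    if (keep && !(excludeAmbiguous && AMBIGUOUS.includes(ch))) out += ch;
  }
  return out;
}

// Number of charset entries that plain `value % size` would favour by one
// extra occurrence across the 2^32 possible inputs (0 means no bias).
function moduloBiasCount(size) {
  return 2 ** 32 % size;
}

// Draw one unbiased index in [0, size) by discarding values that fall in the
// incomplete final block of the 32-bit range (rejection sampling).
function randomIndex(size) {
  const limit = 2 ** 32 - (2 ** 32 % size);
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % size;
}

function generatePassword(length, charset) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError("bad length");
  if (charset.length < 2) throw new RangeError("charset too small");
  let pw = "";
  for (let i = 0; i < length; i++) pw += charset[randomIndex(charset.length)];
  return pw;
}

// Entropy in bits of a uniformly random password.
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}
```

With the full 94-character set, moduloBiasCount(94) is 42: plain modulo would give 42 of the characters one extra occurrence out of roughly 45.7 million each, which is the "negligible" bias referred to above.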

What to do with the password after generating it

A strong password does no good if it is stored insecurely. Write it on a sticky note and the physical security of your desk becomes the security of your account. Store it in a plain text file on your desktop and every piece of malware that reads that directory has it.

The correct storage method is a password manager. A password manager encrypts your passwords with a master password that only you know, so even if the password manager's servers are breached, the stored passwords are useless without your master password.

  • Bitwarden: Open source, free tier, browser extensions for all major browsers, mobile apps for iOS and Android. Self-hosting option available. Recommended for most users.
  • 1Password: Polished apps, good family and team sharing features. Paid subscription.
  • KeePassXC: Local-only (no cloud sync). Good for users who want zero cloud exposure and are comfortable managing their own backup.
  • Browser built-ins: Chrome, Firefox, Edge, and Safari all include password managers. They work well for most users who don't need cross-browser or cross-device features outside the browser's ecosystem.

Privacy: what happens to your passwords

The passwords generated by this tool exist only in your browser's memory. They are displayed on screen, copied to your clipboard on request, and nothing else. There is no server, no log file, no analytics event that captures password values.

The clipboard is outside the tool's control once you click Copy — the contents persist until you overwrite them. If you are on a shared device, paste the password into the password manager immediately and then copy something innocuous to clear the clipboard.

Frequently asked questions

Are my passwords stored or sent anywhere?
No. Passwords are generated locally using the browser's Web Crypto API (window.crypto.getRandomValues). Nothing is sent to a server, logged, or stored.
What makes a password strong?
Length is the biggest factor: with the same character set, a 16-character random password always has more entropy than a shorter one. Using all four character types (upper, lower, numbers, symbols) at 16+ characters produces passwords that are computationally infeasible to crack.
How is randomness generated?
The tool uses window.crypto.getRandomValues — the browser's cryptographically secure random number generator, the same source used by banking and security software. It is not predictable like Math.random().
Can I generate multiple passwords at once?
Yes — click Generate multiple times or use the Bulk generate option to produce several options you can choose from.
Should I use a password manager?
Yes. Generating a strong password is only the first step — storing it safely requires a password manager. Most modern browsers include one; dedicated options include Bitwarden (open source, free) and 1Password.