Secure Password Generator
Generate strong random passwords, memorable passphrases, and PINs. Powered by your browser’s cryptographic RNG — every password is created locally and never leaves this page.
What makes a password secure?
A password’s real strength is its entropy — the number of bits of randomness it carries. The more unpredictable a password is, the more guesses an attacker needs. Entropy depends on two things: how large the pool of possible characters (or words) is, and how many of them you string together. A short password drawn from a tiny alphabet is weak no matter how clever it looks; a long one drawn from a large pool is strong even if it reads plainly.
Just as important is how the randomness is produced. This generator uses the Web Crypto API (crypto.getRandomValues), a cryptographically secure random number generator built into your browser, with rejection sampling to eliminate modulo bias. That means every character and every word is chosen with genuinely uniform probability — not the predictable pseudo-randomness of Math.random().
Three ways to generate
- Random — a classic password mixing uppercase, lowercase, numbers, and symbols. The strongest option for a given length, and ideal when stored in a password manager.
- Memorable — a passphrase built from random common words (the "correct-horse-battery-staple" approach). Easier to type and recall, and very strong once you use four or more words.
- PIN — a numeric code for door locks, SIM cards, and devices that only accept digits.
How to use this tool
- Pick a mode at the top: Random, Memorable, or PIN.
- Adjust the length and toggle the character options. The password regenerates automatically as you change settings.
- Watch the strength meter — aim for at least 60–80 bits of entropy for important accounts.
- Click Copy to put it on your clipboard, or Regenerate for a fresh one.
Frequently Asked Questions
- Is this password generator safe?
- Yes. Everything runs entirely inside your browser using the Web Crypto API. Passwords are generated on your device, are never transmitted over the network, and are not logged or stored anywhere. You can even disconnect from the internet and it will keep working.
- How is this different from Math.random()?
- Math.random() is a pseudo-random generator not designed for security — its output can be predictable. This tool uses crypto.getRandomValues(), a cryptographically secure RNG, and applies rejection sampling so every character is selected with truly uniform probability and no modulo bias.
- How long should my password be?
- For accounts protected by a password manager, 16–20 random characters (or a 4–5 word passphrase) is plenty — well over 80 bits of entropy. For passwords you must type from memory, a memorable passphrase of 4+ words is a strong, practical choice.
- What is a passphrase and why use one?
- A passphrase is several random words joined together, like "maple-otter-cliff-amber". Because it is drawn from a large word list, four words already give strong entropy, yet it is far easier to read, type, and remember than a string of random symbols.
- What does the strength meter measure?
- It estimates entropy in bits — a measure of how many guesses an attacker would need on average. The crack-time figure assumes a fast offline attack at about 10 billion guesses per second; online services are usually far slower, so real-world safety margins are larger.
- Should I reuse passwords?
- Never. Reusing a password means one breached site exposes every account that shares it. Generate a unique password for each service and store them in a reputable password manager.