🔐 Free Strong Password Generator
Generate passwords up to 128 characters with any combination of uppercase, lowercase, numbers, and symbols. Passwords are generated using your browser's Web Crypto API — they never touch a server. No account required, completely free.
How to Use
Configure options
Set your desired length with the slider and choose which character types to include.
Click Generate
Press Generate (or adjust any option) to instantly create cryptographically secure passwords.
Copy and use
Click the copy button next to any password. Use Copy All to copy multiple passwords at once.
Complete Guide: Password Generator
What Makes a Password Truly Secure
A password's strength is measured by its entropy — the number of bits of randomness an attacker must search through. A 16-character password using all character types (uppercase, lowercase, digits, symbols — 95 possible characters per position) has approximately 95^16 ≈ 4.4 × 10^31 possible combinations. Even at a trillion guesses per second, that takes longer than the age of the universe to exhaust.
NIST Special Publication 800-63B (the current U.S. federal guideline) recommends at least 15 characters for memorized secrets and rejects the old advice of mandatory complexity rules (e.g., "must contain a capital letter and a symbol"), because those rules push users toward predictable patterns like Password1! rather than genuine randomness.
The critical implementation detail: this tool uses crypto.getRandomValues() — the browser's cryptographically secure pseudorandom number generator (CSPRNG), not Math.random(). The difference matters enormously. Math.random() is seeded from a low-entropy source and is predictable. crypto.getRandomValues() pulls from the operating system's entropy pool (hardware events, timing jitter) and is suitable for cryptographic use. Every generated password is 100% local — nothing is sent to any server.
How to Use the Password Generator
- Set the length — use the slider. 16 characters minimum for most accounts, 20+ for email and banking.
- Select character sets — enable uppercase (A–Z), lowercase (a–z), numbers (0–9), and symbols. More character sets = exponentially stronger passwords.
- Optionally exclude similar characters — hides I l 1 O 0 to prevent copy mistakes when reading passwords aloud or writing them down.
- Set quantity — generate 1–20 passwords at once. Useful when setting up multiple accounts in bulk.
- Click Generate — then copy each password individually or use Copy All.
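The options in the steps above (length, character sets, similar-character exclusion, quantity), written out as an added example; it is not the tool's own source. The names `SETS`, `SIMILAR`, `buildCharset`, `randomIndex` and `generate` are assumptions, and the symbol set is the one used in this page's own snippet. It draws every character with rejection sampling so each one is equally likely, and reports entropy as length × log₂(charset size).

```javascript
// Added example; all names here are illustrative, not the tool's real code.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback for older Node

const SETS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!@#$%^&*', // assumption: same symbols as the page's snippet
};
const SIMILAR = new Set('Il1O0'); // the look-alike characters the page lists

function buildCharset(opts = {}) {
  const { upper = true, lower = true, digits = true, symbols = true, excludeSimilar = false } = opts;
  const enabled = { upper, lower, digits, symbols };
  let chars = Object.keys(SETS).filter(k => enabled[k]).map(k => SETS[k]).join('');
  if (excludeSimilar) chars = [...chars].filter(c => !SIMILAR.has(c)).join('');
  if (chars.length === 0) throw new RangeError('select at least one character type');
  return chars;
}

// Uniform index in [0, n) for n <= 256: discard bytes at or above the largest
// multiple of n, since a bare byte % n is biased unless n divides 256.
function randomIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generate({ length = 16, count = 1, ...sets } = {}) {
  if (!Number.isInteger(length) || length < 1 || length > 128) throw new RangeError('length must be 1-128');
  if (!Number.isInteger(count) || count < 1 || count > 20) throw new RangeError('count must be 1-20');
  const chars = buildCharset(sets);
  const passwords = Array.from({ length: count }, () =>
    Array.from({ length }, () => chars[randomIndex(chars.length)]).join(''));
  // Entropy of a uniformly random password: length * log2(charset size).
  return { passwords, charsetSize: chars.length, bits: length * Math.log2(chars.length) };
}
```

Excluding the five look-alike characters shrinks the default 70-character set to 65, which costs roughly 0.1 bit per character.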
Code Examples
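```javascript
// Browser: generate a cryptographically secure password
function generatePassword(length = 20, chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*') {
  if (chars.length < 1 || chars.length > 256) throw new RangeError('chars must hold 1-256 characters');
  // Rejection sampling: drop bytes at or above the largest multiple of chars.length,
  // because a bare n % chars.length makes the first characters slightly more likely.
  const limit = 256 - (256 % chars.length);
  const arr = new Uint8Array(1);
  let password = '';
  while (password.length < length) {
    crypto.getRandomValues(arr);
    if (arr[0] < limit) password += chars[arr[0] % chars.length];
  }
  return password;
}
```

```javascript
// Node.js: generate a URL-safe random token (for API keys, CSRF tokens)
import { randomBytes } from 'crypto';
const token = randomBytes(32).toString('base64url'); // 43 chars, URL-safe

// Diceware passphrase: 6 words = ~77 bits of entropy, easier to memorize
// Example (not truly random here, for illustration only):
// "correct-horse-battery-staple-purple-river"
// Use a proper wordlist (EFF large wordlist: 7776 words) for real use
```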
Common Mistakes to Avoid
- Using Math.random() — It is not cryptographically secure. Attackers with enough output samples can predict future values.
- Predictable patterns — Substitutions like P@ssw0rd! are in every cracking dictionary. A 10-character "complex" password is weaker than a 20-character random lowercase string.
- Reusing passwords — When one service gets breached (it's when, not if), credential stuffing attacks try the leaked password on every other service. Use a unique password per account.
- Storing passwords in plaintext or spreadsheets — Use a password manager (1Password, Bitwarden, KeePass). The only password you need to memorize is the manager's master password.
- Short passwords for "low-risk" accounts — Secondary email accounts, old forums, and utility apps are often used for account recovery or 2FA. A breach there can cascade.
- Mandatory rotation without reason — NIST now recommends against routine periodic password changes. Change when there's evidence of compromise, not on a schedule.
Comparison with Alternatives
Password managers (1Password, Bitwarden) have built-in generators and store the result — the complete solution for most users. Diceware passphrases generate memorable multi-word phrases with high entropy — ideal for master passwords or anything you need to type without copy-paste. Hardware security keys (YubiKey) eliminate passwords entirely for supported services. This tool is useful when you need a password quickly on any device, when you're setting up access that doesn't warrant a full password manager, or when you need to generate many passwords in bulk.
For storing hashed passwords in a database (never store plaintext), see the Hash Generator — though for password storage specifically, use bcrypt or Argon2 via a server-side library, not raw SHA.
Pro Tips
- Master password strategy: Use a 6+ word Diceware passphrase for your password manager master password — it's both high-entropy and memorizable.
- Entropy calculation: bits = log₂(charset_size^length) = length × log₂(charset_size). For 95-char set, that's length × 6.57 bits. 16 chars = 105 bits — overkill for most attacks.
- API keys and tokens: For server-side secrets (API keys, CSRF tokens, session IDs), use 32 bytes (256 bits) of cryptographic random data encoded as hex or Base64url.
- Account recovery: Generate a strong recovery code, print it, and store it physically. Recovery codes are often weaker than primary passwords.