Password Generator
Generate cryptographically secure random passwords with customizable length and character sets.
How This Password Generator Works
This tool generates passwords using crypto.getRandomValues(), the Web Crypto API's cryptographically secure pseudorandom number generator. Unlike Math.random(), which uses a deterministic algorithm seeded by system time and is predictable in some JavaScript engines, crypto.getRandomValues() draws entropy from the operating system's CSPRNG (such as /dev/urandom on Linux or CryptGenRandom on Windows). The output is suitable for security-sensitive applications including password generation, token creation, and cryptographic key material.
The generator uses rejection sampling to eliminate modulo bias. When mapping random bytes (0-255) to a character set of arbitrary size, a naive modulo operation would slightly favor certain characters. Rejection sampling discards random bytes that would introduce this bias, ensuring each character in the set has an exactly equal probability of being selected. This is the same approach used in production cryptographic libraries.
Entropy is calculated as log2(charset_size ^ length), representing the number of bits of randomness in the generated password. A 16-character password drawn from the full 92-character set (uppercase + lowercase + digits + symbols) yields approximately 105 bits of entropy. For context, 80 bits is generally considered strong enough for most purposes, while 128 bits provides a substantial margin against foreseeable advances in computing power, including theoretical quantum computing attacks on symmetric key systems.
Frequently Asked Questions
Is this password generator secure?
Yes. This tool uses crypto.getRandomValues(), a cryptographically secure pseudorandom number generator (CSPRNG) built into every modern browser. The entire process runs client-side in your browser. No passwords are sent to any server, stored in cookies, or saved in your browser history.
What is password entropy?
Entropy measures the randomness of a password in bits. It is calculated as log2(charset_size ^ length), where charset_size is the number of possible characters and length is the password length. A password with 128+ bits of entropy is considered very strong. Each additional bit doubles the number of possible combinations an attacker must try.
How long should my password be?
NIST Special Publication 800-63B recommends passwords of at least 8 characters, but security professionals generally suggest 16 or more characters. Longer passwords exponentially increase the search space. A 16-character password using uppercase, lowercase, digits, and symbols has over 100 bits of entropy, making brute-force attacks infeasible with current technology.
Why avoid ambiguous characters?
Characters like lowercase L (l), uppercase I (I), digit 1 (1), uppercase O (O), lowercase o (o), and digit 0 (0) look nearly identical in many monospace and sans-serif fonts. When you need to manually type or read a password aloud, excluding these characters reduces transcription errors.
Should I use a password manager?
Yes. A password manager like KeePassXC, Bitwarden, or 1Password stores your passwords in an encrypted vault so you only need to remember one master password. This lets you use unique, long, random passwords for every account without memorizing them. Combined with a generator like this one, a password manager is the most practical approach to strong security.