Tools
Password Generator
Roll a fresh password with the character sets you want. Everything happens in your browser using the Web Crypto API — passwords never leave your device.
About the password generator
This password generator builds random passwords from the character sets you choose — uppercase and lowercase letters, digits, and a configurable set of symbols — at any length you set. Everything runs in your browser; the password is never sent over the network, logged, or stored.
Randomness comes from the Web Crypto API (crypto.getRandomValues), a cryptographically secure random number generator, rather than Math.random(). That distinction matters: Math.random() is fast but predictable and must never be used for anything security-sensitive, whereas getRandomValues is designed to be unguessable, which is exactly what a password needs.
A password’s real strength is its entropy — roughly, how many equally likely possibilities an attacker has to try. Entropy grows with both length and the size of the character set, but length is the bigger lever. Sixteen characters drawn from a mixed set is a sensible default for accounts that matter; go longer for anything you only type rarely or store in a manager.
How it works under the hood
The same approach the tool uses, in a few lines you can drop into any JavaScript project:
const charset =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";
const length = 16;
const bytes = crypto.getRandomValues(new Uint8Array(length));
const password = Array.from(bytes, (b) => charset[b % charset.length]).join("");
console.log(password); // e.g. "M0Th%Wv(JA2lUDeg"crypto.getRandomValues fills a typed array with secure random bytes; mapping each byte into the character set yields the password. (A small modulo bias exists when the charset length isn’t a power of two — negligible for password use, but worth rejection-sampling if you need perfectly uniform output.)
// ❌ Predictable — Math.random() is NOT cryptographically secure
const weak = Math.random().toString(36).slice(2);Math.random() is fine for shuffling a UI or picking a demo color, never for passwords, tokens, or keys.
Frequently asked questions
Are the generated passwords sent anywhere?
No. Generation happens entirely in your browser using the Web Crypto API. Nothing is transmitted over the network, stored, or logged — close the tab and the password is gone.
How long should my password be?
16 characters from a mixed character set is a strong default for important accounts. For passwords you store in a manager and rarely type, 20–32 characters adds a comfortable margin at no real cost.
Why use this instead of Math.random()?
Math.random() is predictable and can be reverse-engineered, which makes it unsafe for anything security-related. This tool uses crypto.getRandomValues, a cryptographically secure generator built for exactly this purpose.
Should I include symbols?
Yes, when the site allows them — symbols enlarge the character set and raise entropy. If a site rejects certain symbols, turn them off here and add a couple of extra characters of length to compensate.