Secure Password Generator
Generate cryptographically strong passwords entirely in your browser. Powered by the Web Crypto API with rejection sampling — no data ever leaves your device.
Vulnerable to clustered offline attacks.
Configuration
Password Analytics
Character Distribution
Entropy Formula
Each additional bit doubles the search space an attacker must traverse.
How This Password Generator Works
This tool generates passwords using the Web Crypto API's crypto.getRandomValues(). Unlike Math.random(), which is predictable and reversible, the Web Crypto API provides cryptographically secure pseudorandom values suitable for generating passwords and cryptographic keys. These values are sourced from your operating system's cryptographically secure random number generator, which is seeded using high-quality entropy sources provided by the operating system and hardware.
Why Not Math.random()?
JavaScript's Math.random() is designed for simulations and general programming, not security. Its internal state can often be predicted after observing enough outputs, making it unsuitable for password generation. This tool exclusively uses the Web Crypto API, which is specifically designed for cryptographic applications.
Rejection Sampling
When converting a random byte (0–255) to a character pool index, a naive modulo operation introduces statistical bias because 256 is rarely evenly divisible by the pool size. This generator uses rejection sampling: any random byte that falls in the biased remainder range is discarded and a new byte is drawn, guaranteeing a perfectly uniform distribution across all characters.
Full-String Rejection
Rather than forcing specific character types into fixed positions (which creates exploitable patterns), the generator draws every character uniformly from the combined pool. If the result doesn't contain all required character classes, the entire string is discarded and regenerated from scratch. This preserves uniform probability across the valid keyspace.
Entropy and Password Length
Entropy measures unpredictability in bits. A 20-character password from a 71-character pool delivers approximately 123 bits of entropy — far beyond the practical limits of brute-force attacks even with modern GPU clusters. Depending on the hashing algorithm, fast hashes such as NTLM can be tested at billions of guesses per second, while modern password hashing algorithms such as Argon2id and bcrypt dramatically reduce attack speeds. Passwords exceeding approximately 128 bits of entropy are generally considered beyond practical brute-force attacks with current computing capabilities.
Ambiguous Character Exclusion
Characters like uppercase I, lowercase l, digit 1, uppercase O, and digit 0 look identical in many fonts. Excluding them costs less than 4 bits of entropy over a 20-character password but eliminates transcription errors when entering passwords on TVs, consoles, or mobile devices.
User Word Injection
When you include a memorable word, the letters are randomly interspersed throughout the generated string rather than appended. This shatters dictionary patterns that automated cracking tools exploit. The injected characters are highlighted in green so you can see exactly where they landed. The generator treats the user word as known plaintext and compensates by ensuring the random portion alone meets the entropy threshold. The supplied word itself contributes no entropy because it is assumed to be known by an attacker. Only the randomly generated characters are counted toward the displayed entropy.
Zero-Network Privacy
This tool runs entirely in your browser tab. No passwords are transmitted over the network, stored in any database, saved to localStorage, or logged by analytics. When supported by your browser, the clipboard is automatically cleared after 30 seconds. When you close the tab, every generated password is permanently gone.