ToolBelt

Password Generator

Generate strong, cryptographically-random passwords.

Open tool

Overview

The password generator produces strong, cryptographically random passwords of any length and character mix. Toggle uppercase, lowercase, digits, and symbols, set a length, and the tool emits a fresh password drawn from the browser's secure RNG.

It is the everyday tool for anyone setting up a new account, rotating an old credential, or seeding a service-account password into a vault. Engineers, sysadmins, and ordinary users alike benefit from a strong password generator that does not call home, does not log requests, and does not subtly bias the character pool.

How it works

Strong password generation has one rule: use a cryptographically secure random source and sample uniformly across the chosen character set. The tool reads bytes from crypto.getRandomValues, the browser's CSPRNG, and rejects bytes that would skew the distribution (a technique sometimes called "rejection sampling") so each character has exactly equal probability of being selected. Entropy per character is log2(alphabet_size) bits — 26 lowercase letters give 4.7 bits each, 94 printable ASCII characters give 6.55 bits each. A 16-character password from the full printable alphabet carries roughly 105 bits of entropy, well above the threshold for any feasible brute-force attack.

Optional rules — minimum digits, minimum symbols, avoid look-alikes (0/O/l/1/I) — are applied as constraints, with the generator resampling until the rules are satisfied.

Examples

Length: 16, all sets enabled
Output: 4#mB7zQ!pL2vR@8s

Length: 20, lowercase + digits only
Output: k7mr4qp2x9wzj5tn8bcv

Length: 32, all sets, avoid look-alikes
Output: K2m@T8r#qP5y9z!hN4WjbX$cFvR7gM

Length: 12, words/Diceware mode
Output: river-mango-spruce-violin

FAQ

How long should my password be?

For an account behind a properly hashed login (Argon2, Bcrypt) 14–16 mixed characters is plenty. For something protecting a vault or an SSH key, push to 20+. Length beats character-class complexity at equal entropy.

Are special characters worth the hassle?

They add entropy per character but break some legacy systems that strip or normalize them. If you can use them, do; if you cannot, just add more letters and digits to reach the same entropy.

Is Math.random ever OK?

No. Math.random is predictable enough that a determined attacker can recover the seed from a few outputs. Always use crypto.getRandomValues (or equivalent) for security-relevant randomness.

Should I avoid look-alike characters?

Only if the password needs to be read aloud or typed from a printed sheet. For copy-paste use, leaving them in adds a small amount of entropy.

Try Password Generator

An unhandled error has occurred. Reload ×