Generate cryptographically strong passwords using crypto.getRandomValues() — never Math.random().
IT teams and security-conscious users creating unique passwords for every account.
Set your options
Choose the length and which character types to include — uppercase, lowercase, numbers, and symbols. More types and length means stronger.
Generate
A fresh password appears instantly, with its entropy in bits shown so you can see how strong it is. Regenerate until you are happy.
Copy and store
Click Copy and paste it into your password manager or the signup form. Never reuse it on another account.
Reused and guessable passwords are behind the majority of account breaches. The moment one site you use leaks its database, attackers try that same email-and-password combination everywhere else — so a single weak password can unlock your email, bank, and social accounts at once. The only real defence is a long, random, unique password for every account, which is impossible to invent in your head and tedious to type by hand. This generator creates them properly. It uses your browser’s cryptographic randomness — window.crypto.getRandomValues(), not the predictable Math.random() — so the output is genuinely unguessable, and it shows the entropy in bits as a live strength gauge. You control the length and whether to include uppercase, lowercase, numbers, and symbols. Everything happens on your device: the password is never sent over the network, logged, or stored anywhere, so it is safe to generate even for your most sensitive accounts. Generate, copy, and save it straight into your password manager.
Everyday account security
Create a unique strong password for every new signup so one leaked site can never compromise your other accounts.
IT & administrators
Generate strong temporary credentials for new user accounts, routers, databases, and shared systems.
Developers
Produce random secrets for environment variables, API keys, JWT signing keys, and webhook tokens.
Resetting after a breach
Quickly roll new passwords for every affected account when a service you use reports a data breach.
Wi-Fi & devices
Set a long, random password on your router or IoT devices that no one can guess or brute-force.
Yes. It uses window.crypto.getRandomValues(), the browser’s cryptographically secure random source — far safer than the predictable Math.random() many generators rely on.
No. Generation is 100% client-side. Nothing is transmitted, logged, or stored, so even passwords for sensitive accounts stay private.
16+ characters with mixed types is strong for everyday use. For high-value accounts, go 24+ characters.
It measures unpredictability — how hard the password is to brute-force. Roughly: 80+ bits is strong, 128+ bits is excellent.
Yes where the site allows them — they increase entropy. If a site rejects symbols, compensate with extra length.
You don’t — that’s the point. Store each one in a password manager and only memorise the single master password.
The odds of a collision at reasonable lengths are astronomically small, so each generated password is effectively unique.
Yes — completely free, no sign-up, and you can generate as many passwords as you want.