utsuwa

Password Generator

Choose your length and character types, then hit "Generate." All processing happens in your browser — nothing is sent to any server.


How to Use

① Set your desired length in the input field (8–128 characters; default is 16).
② Toggle the character types you want: uppercase, lowercase, digits, and symbols can each be switched on or off.
③ Click "Generate" — your password appears instantly. Click "Regenerate" any time to get a fresh one.

Common use cases: for email account setup or social media registration, 16 characters with all types enabled is a strong default. For services that don't allow symbols (some banking portals, legacy systems), turn symbols off and increase the length to compensate. For Wi-Fi network passwords, 20+ characters with symbols is recommended. Developers can generate up to 128 characters for staging environment credentials or SSH key passphrases. When setting up accounts for family members, generate a unique password for each service rather than reusing one.

Why Web Crypto API Instead of Math.random?

The security of any browser-based password generator hinges on how random numbers are produced. JavaScript's built-in Math.random() is a pseudorandom number generator (PRNG) whose internal state can be predicted, making it unsuitable for security-sensitive tasks. The ECMAScript specification itself does not guarantee cryptographic strength for Math.random().

This tool uses crypto.getRandomValues() exclusively — a function defined in the W3C Web Cryptography API (https://www.w3.org/TR/WebCryptoAPI/) that draws from the operating system's entropy source (e.g., /dev/urandom on Linux). This is the same underlying mechanism used in password managers and security-focused applications, and produces values that are computationally infeasible to predict.

Additionally, when picking characters from the pool, we apply rejection sampling to eliminate modulo bias: any random byte that falls at or above the largest multiple of the pool size is discarded and a new one is drawn. This ensures every character in the pool has an exactly equal chance of being selected.

Character Types and Password Entropy

Password strength depends not just on length but on how many distinct characters are in play. For 16 characters, here is how the pool size affects entropy: digits only (10 chars): ≈53 bits; lowercase letters only (26 chars): ≈75 bits; uppercase + lowercase + digits (62 chars): ≈95 bits; all types including symbols (95 chars): ≈105 bits.

NIST SP 800-63B Rev.4 recommends a minimum of 8 characters with MFA and 15 characters for single-factor authentication. The default setting in this tool (all types on, 16 characters) yields roughly 105 bits of entropy, well above those thresholds. If a service prohibits symbols, increasing length is the best way to recover the lost entropy — 20 characters of uppercase + lowercase + digits gives about 119 bits, stronger than a 16-character all-types password. Always prioritize the constraints of the target service over maximizing entropy.

How the Algorithm Works

① Build a character pool by concatenating all enabled character sets.
② Draw one character from each enabled set — this guarantees every selected type appears at least once (pure random selection has a non-zero chance of missing a category entirely).
③ Fill the remainder of the password length by drawing from the full pool at random.
④ Shuffle the combined array using Fisher-Yates (Knuth/Durstenfeld) — this eliminates any positional bias, so required characters don't always land at the beginning.
⑤ Join and return.
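The rejection sampling and the five steps above, written out as an added example (this is not the tool's own source). The character sets and the names `SETS`, `randomBelow` and `generatePassword` are assumptions made for illustration and may differ from what the tool uses.

```javascript
// Assumed character sets (illustrative; not taken from the tool's source).
const SETS = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
};
// Browser global; the require() fallback is only reached on older Node.js.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Uniform integer in [0, n) for 1 <= n <= 256, by rejection sampling on bytes.
function randomBelow(n) {
  const limit = 256 - (256 % n); // largest multiple of n within the byte range
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit); // bytes in [limit, 255] would favour low indices
  return buf[0] % n;
}

function generatePassword(length, types) {
  const enabled = types.map((t) => SETS[t]);
  if (enabled.length === 0 || enabled.includes(undefined)) {
    throw new RangeError("enable at least one known character type");
  }
  if (length < 8 || length > 128) throw new RangeError("length must be 8-128");
  const pool = enabled.join("");                              // step 1
  const chars = enabled.map((s) => s[randomBelow(s.length)]); // step 2
  while (chars.length < length) {                             // step 3
    chars.push(pool[randomBelow(pool.length)]);
  }
  for (let i = chars.length - 1; i > 0; i--) {                // step 4
    const j = randomBelow(i + 1); // unbiased index, so the shuffle is uniform
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");                                      // step 5
}
```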

Your password disappears when you close the browser. To keep it safe, store it in a password manager such as 1Password, Bitwarden, or your browser's built-in password manager. Avoid saving passwords in plain-text files or spreadsheets.

FAQ

Is the generated password sent to any server?
No. All processing happens entirely in your browser via JavaScript. No data — including the password itself — leaves your device. To verify this yourself, open your browser's developer tools (F12), go to the Network tab, and generate a password. You'll see that no network request is made.

Is this actually secure? How is it different from Math.random?
Yes, it is secure. Math.random() is a predictable pseudorandom generator not suited for cryptographic use. This tool relies solely on crypto.getRandomValues(), which is seeded by the OS entropy source and is the same class of random number generator used in professional password managers and security tools. It conforms to the W3C Web Cryptography API specification.

Can I generate a password without symbols? Some sites don't allow them.
Yes — just toggle "Symbols" off. Symbols-free passwords can still be very strong if you increase the length. For example, 20 characters of uppercase + lowercase + digits gives about 119 bits of entropy, which is stronger than a 16-character all-types password.

Where should I store the password after generating it?
This tool does not store passwords. Save your password in a dedicated password manager — 1Password, Bitwarden, Google Password Manager (built into Chrome), or Apple Keychain are all solid options. Avoid plain-text files, sticky notes, or spreadsheets, and never reuse the same password across multiple services.

Why can't I turn off the last character type?
At least one character type must be active to generate a password. The tool prevents you from disabling the last remaining type. For example, if you want a PIN-style numeric-only string, disable uppercase, lowercase, and symbols — only digits will remain active, and the toggle for digits will be locked in the on position.