Overview
What this tool does
A strong password is the single biggest factor in account security. This generator builds them using the browser's cryptographic random number generator (the same source modern OS-level password tools use), so each output is genuinely unpredictable. Four modes are included: random characters (mix of upper, lower, digits, symbols), passphrases (four to seven dictionary words joined by separators, easier to type and remember), PIN (digits only, for codes that need to be entered on a numeric pad), and pronounceable (consonant-vowel patterns that read like real words but aren't). Every generated password shows its bit entropy and an estimated crack time so you can pick a length that matches the risk. Useful for everyday account creation, for Wi-Fi codes, for shared team secrets that you'll store in a password manager.
How to
Use it in 3 steps
- Pick a mode: random characters, passphrase, PIN, or pronounceable.
- Adjust the length. Entropy and crack time update as you change it.
- For random characters, toggle which character classes are included (upper, lower, digits, symbols).
- Click generate. The password appears in the output field. Click again for a new one.
- Copy to clipboard, or paste it straight into the account creation form on the next page.
FAQ
Frequently asked questions
▶Is the password generated on your server?
No. The randomness comes from your browser's crypto.getRandomValues, which is backed by your operating system's secure RNG. The password is generated on your device and never transmitted.
▶How long should my password be?
For most accounts, 16 random characters or a 5-word passphrase is more than enough (~80+ bits of entropy, billions of years to crack at current hardware). For high-value accounts (banking, primary email, password manager master), go to 20+ characters or 6 words.
▶Why use a passphrase instead of random characters?
Passphrases are dramatically easier to type and remember while providing equivalent entropy if long enough. A 5-word passphrase is about as strong as a 15-character random password, and you can actually type it without a manager.
▶Should I check if my password has been breached?
Yes, before reusing one. The breach check uses the k-anonymity API from Have I Been Pwned: only the first 5 characters of the SHA-1 hash are sent, never the password itself. If the password appears in a known breach, regenerate.