Password Generator
Cryptographically secure • Runs in your browser • Never transmitted
Why This Generator Is Different
Cryptographically secure randomness
Most password generators use Math.random(), a pseudo-random function that is predictable with enough data. This generator uses the crypto.getRandomValues() API, the same cryptographic randomness used by operating systems for key generation. It is not predictable, not reproducible, and not influenced by the time of day or any observable state.
Why 20 characters is the new baseline
In 2024, consumer GPUs can test over 100 billion MD5 password hashes per second. An 8-character password with full charset falls in under an hour. A 12-character password falls in weeks. At 20 characters, brute force becomes computationally infeasible for any attacker without nation-state resources: we're talking millions of years even with future hardware improvements.
The NIST SP 800-63B guidelines (updated 2024) now explicitly recommend length over complexity, and remove mandatory rotation policies that were previously thought to improve security but actually caused users to make predictable incremental changes.
Passphrases: stronger than they look
Five random common words create a password with roughly 65+ bits of entropy, more than most 12-character random passwords. They're also far easier to type and memorise. The key word is random: a passphrase like "correct-horse-battery-staple" (from XKCD 936) is strong precisely because the words were chosen randomly, not because they form a clever phrase you invented. Invented phrases have patterns that attackers can model.
What "exclude ambiguous" actually protects
Characters like 0 vs O, l vs 1 vs I look identical in many fonts. Excluding them has zero security cost (the charset loss is negligible at 20+ characters) but eliminates transcription errors when reading a password off a screen. Recommended whenever you might need to type the password manually.
Your passwords never leave this page
Generation runs entirely in your browser using JavaScript and the Web Crypto API. No network requests are made. No passwords are logged, transmitted, or stored anywhere, including by us. You can verify this by disconnecting from the internet and generating passwords: it works identically.