Password Generator & Strength Tester
Generate cryptographically secure passwords locally on the client using specific customizable parameters, paired with a feedback strength meter.
Interactive Client Prototype Sandbox
Disclaimer: This free tool is provided “as is,” without warranties of any kind, and is for general informational purposes only — not professional, legal, financial, medical, tax, or engineering advice. Results may contain errors; verify anything important independently and use at your own risk. We accept no liability for any loss or damage arising from its use. See our Terms of Use for details.
Step-by-Step Guide
Drag the length slider and tick the character types you want (uppercase, lowercase, numbers, symbols). A new password generates automatically; regenerate or copy with one click.
Length 16 with all types ➔ a password like 'k#8$zPq2!Ww1mXr7', rated high strength.
Who it's for
Security-conscious internet users, IT staff, sysadmins, and support specialists.
Core Features
- Cryptographically secure randomness via the browser's Web Crypto API.
- Set length from 6 to 64 and toggle uppercase, lowercase, numbers, and symbols.
- Live strength meter based on length and character variety.
- Generated locally — passwords are never sent anywhere.
🛡️ No tracking — your inputs, keys, and details never leave this client sandbox.
Is this password generator safe?
Yes. Passwords are created in your browser and never sent anywhere — there's no server, no logging, and nothing to intercept. You can disconnect from the internet and it still generates. For real accounts, copy the password straight into a password manager rather than saving it in plain text.
Are the passwords actually random?
They use the browser's Web Crypto API (crypto.getRandomValues), which is a cryptographically secure random source — not the weaker Math.random. Each character is drawn from the set of types you enabled, so the output is unpredictable.
What makes a strong password?
Length matters most — aim for 16 characters or more — combined with a mix of uppercase, lowercase, numbers, and symbols. More length and more character types raise the entropy, which is exactly what the strength meter reflects as you adjust the options.
How long should my password be?
16 characters with all four character types is a strong default for most accounts; go to 20+ for high-value logins. The tool lets you set any length from 6 to 64 — anything under 8 is flagged as too short.
Should I use a unique password for every account?
Yes. Reusing a password means one breach exposes every account that shares it. Generate a distinct password per site and store them in a password manager so you don't have to remember each one.
What is entropy and how does it relate to password strength?
Password entropy is a measure of unpredictability measured in bits. A password drawn from an alphabet of N characters with length L has approximately L × log2(N) bits of entropy. A 16-character password using all four character types (94 printable ASCII characters) has about 16 × log2(94) ≈ 105 bits of entropy — far beyond the reach of any brute-force attack with current hardware. By comparison, a 6-character all-lowercase password has only about 28 bits — trivially crackable in seconds.
What actually makes a password strong?
Why do security teams recommend 16-character random passwords over a memorable 8-character password with a capital letter and a number? The answer is in the math. Password strength is measured in bits of entropy — the logarithm (base 2) of the number of equally likely possibilities an attacker must try to guess it. A random 16-character password from a 94-character set has about 105 bits of entropy, meaning an attacker must try on average 2^104 ≈ 20 undecillion candidates. A predictable 8-character password following common patterns (capital first letter, number at the end) has far fewer than 8 × log2(94) ≈ 52.4 bits, because human-chosen passwords cluster around a tiny fraction of all possible combinations. Randomness matters as much as length.
How password entropy works
Entropy is calculated as L × log2(N), where L is the password length and N is the size of the character set it was drawn from. A 12-character password using lowercase letters only (26 characters) has 12 × log2(26) ≈ 56.5 bits of entropy. The same length with all four character types (uppercase + lowercase + digits + symbols = ~94 characters) has 12 × log2(94) ≈ 78.7 bits. Adding 4 characters to the length (to 16) at the same 94-character set reaches ≈ 105 bits. Each additional bit of entropy doubles the search space. The practical implication: length matters more than character diversity, but both matter.
What makes password hashes vulnerable
When websites store passwords, they should store a cryptographic hash of the password rather than the password itself. If the database is breached, attackers cannot immediately see passwords — but they can try to crack them by hashing candidate passwords and comparing. Modern GPU hardware can test billions of MD5 or SHA-1 hashes per second. This is why passwords must be hashed with slow, salted, purpose-built algorithms like bcrypt, scrypt, or Argon2 — a single bcrypt hash might take 100 milliseconds to compute, reducing an attacker to 10 guesses per second rather than billions.
The Web Crypto API for secure randomness
This generator uses window.crypto.getRandomValues() — the browser's cryptographically secure random number generator (CSPRNG). Unlike Math.random(), which is seeded from the system clock and can be predicted in some environments, getRandomValues() draws from hardware entropy sources and is suitable for generating passwords, tokens, and cryptographic keys. The output is genuinely unpredictable and cannot be reproduced even by the browser that generated it.
Password manager best practices
The ideal workflow is to generate a long, random, unique password with a tool like this one and immediately save it in a password manager (Bitwarden, 1Password, Dashlane, or the browser's built-in manager). Never write passwords on paper, store them in a plain text file, or reuse them across sites. With a password manager, you only need to remember one strong master password; everything else is generated and auto-filled.