Tinker Tools

Password Generator Secure

Generate cryptographically secure random passwords. All processing is done locally in your browser—your passwords never leave your device.

Generated Passwords1 password
37&GWcNgc]kcHi1=
Strong

How it works

1. Configure Options

Set your desired password length (8-128 characters) and choose which character types to include: uppercase, lowercase, numbers, and special characters.

Fully Customizable

2. Secure Generation

Passwords are generated using the Web Crypto API (crypto.getRandomValues), providing true cryptographic randomness directly in your browser.

Crypto Secure

3. Copy & Use

Review the strength indicator, then copy individual passwords or all at once. Nothing is stored—close the tab and they are gone forever.

Zero Storage

What is a Password Generator?

A password generator creates random strings of characters that are designed to be hard for both humans and machines to guess. The goal is to produce passwords with high entropy -- a measure of unpredictability expressed in bits. Entropy is calculated as log2(charset^length), where charset is the number of possible characters and length is how many characters the password contains. A 12-character password drawn from a 95-character set (all printable ASCII) has about 78.8 bits of entropy. That means an attacker trying random combinations would need to check an average of 2^77.8 possibilities before finding the right one. At a billion guesses per second, that takes roughly 4.8 billion years. The math is what makes generated passwords work.

Humans are terrible at creating random passwords. Study after study confirms this. People reuse passwords across sites, pick dictionary words, substitute letters with predictable numbers (@ for a, 3 for e, 0 for o), and gravitate toward patterns on the keyboard like qwerty or 1qaz2wsx. Password cracking tools know all of these tricks. Hashcat and John the Ripper ship with rule sets that apply thousands of common substitutions and patterns to dictionary words, cracking most human-chosen passwords in seconds. A password generator removes human bias from the equation entirely. Every character position is filled by a cryptographically secure random number generator, which means no patterns, no dictionary words, and no predictable substitutions.

The importance of password generation has grown alongside the number of accounts the average person manages. Security researchers estimate that number at somewhere between 70 and 100 online accounts per person. Reusing the same password across even a fraction of those accounts means that a single data breach exposes all of them. Credential stuffing attacks -- where attackers take leaked username-password pairs and try them on other services -- succeed precisely because people reuse passwords. A unique, randomly generated password for every account eliminates this entire attack vector. Paired with a password manager that remembers them all, generated passwords are the baseline of modern personal security.

Key Features and Benefits

  • Cryptographically Secure Randomness The generator uses a CSPRNG -- a Cryptographically Secure Pseudo-Random Number Generator -- to select each character. In the browser, this means the Web Crypto API's crypto.getRandomValues() method, which draws from the operating system's entropy pool (CryptGenRandom on Windows, /dev/urandom on Linux and macOS). Unlike Math.random(), which uses a deterministic PRNG that can be predicted if you know the seed, a CSPRNG produces output that is computationally indistinguishable from true randomness. This is the same source of randomness used to generate TLS session keys.
  • Configurable Character Sets Choose which character categories to include: uppercase letters (A-Z, 26 characters), lowercase letters (a-z, 26 characters), digits (0-9, 10 characters), and special symbols (!@#$%^&* and others, typically 32 characters). The full printable ASCII set gives you 94 or 95 characters depending on whether you count the space. Each additional character category increases the charset size and therefore the entropy per character. A 16-character password using only lowercase letters has about 75.2 bits of entropy. Add uppercase, digits, and symbols, and the same length jumps to about 105 bits.
  • Entropy Calculation Display The tool shows you the exact entropy of your generated password in bits. This is not a vague strength meter with colored bars -- it is the actual mathematical value computed from log2(charset^length). You can see precisely how changing the length or character set affects the strength. Anything above 60 bits is resistant to online brute force attacks with rate limiting. Above 80 bits is resistant to offline attacks against fast hashes like MD5 or SHA-1. Above 100 bits is resistant to offline attacks even against unsalted hashes on powerful GPU clusters.
  • Passphrase Generation Mode Instead of a random character string, you can generate a passphrase -- a sequence of random words separated by spaces or hyphens. The diceware method is the most well-known approach: roll five dice to select a word from a list of 7,776 entries, repeat for each word in the passphrase. Each word adds about 12.9 bits of entropy (log2(7776)). A six-word diceware passphrase has about 77.5 bits of entropy and looks something like correct-horse-battery-staple-widget-flame. Passphrases are easier to type and remember while maintaining strong security properties.
  • Exclusion Rules Some systems reject passwords containing certain characters -- curly braces break some shell scripts, backslashes cause escaping issues in certain databases, and spaces are disallowed by more login forms than you would expect. The generator lets you exclude specific characters or character types to produce passwords that meet whatever arbitrary constraints a particular service imposes. You lose some entropy when you shrink the character set, but the tool recalculates and shows you the updated value immediately.
  • Batch Generation Generate multiple passwords at once for situations where you need to provision several accounts, create a set of API keys, or prepare temporary credentials for a team. Each password in the batch is independently generated from the CSPRNG, so knowing one reveals nothing about the others. The batch output can be copied as a list or exported for integration with provisioning scripts and configuration management tools.

How to Generate a Strong Password

  1. 1

    Set the Password Length

    Start by choosing a length. The NIST SP 800-63B guidelines -- the current standard for digital identity authentication published by the National Institute of Standards and Technology -- recommend a minimum of 8 characters for user-chosen passwords but suggest that services should allow passwords up to at least 64 characters. For generated passwords, 16 characters is a practical minimum that provides strong security across all character set configurations. If you are generating a master password for a password manager or an encryption key passphrase, go longer -- 20 to 24 characters. The computational cost of adding characters is zero for a generator but exponential for an attacker.

  2. 2

    Select Your Character Set

    Enable the character categories your target system accepts. For maximum entropy per character, include all four categories: uppercase, lowercase, digits, and symbols. If a service restricts which special characters are allowed -- and many do, frustratingly -- deselect the full symbols set and manually specify which ones are permitted. The tool adjusts the entropy calculation in real time as you toggle categories. A common minimum for corporate password policies is three out of four categories at 12 or more characters, which provides roughly 71 to 78 bits of entropy depending on which three categories you pick.

  3. 3

    Generate the Password

    Click the generate button. The CSPRNG selects each character independently from the enabled character set with uniform probability. The generated password appears in the output field along with its entropy value in bits. If the result does not look right -- maybe it happens to contain a confusing sequence like 1lI or 0O -- generate again. Each generation is completely independent, so clicking the button ten times gives you ten unrelated passwords. Statistically, some generated passwords will contain recognizable patterns by pure chance. This does not make them weak. Entropy is a property of the generation process, not the specific output.

  4. 4

    Store the Password in a Manager

    Copy the generated password and save it in a password manager -- KeePass, Bitwarden, 1Password, or whatever you trust. Do not write it on a sticky note. Do not save it in a plain text file on your desktop. Do not email it to yourself. A password manager encrypts your vault with a master password (or passphrase) and provides autofill so you never have to type the generated password manually. The entire point of using a generator is that the passwords are too complex to memorize, and a manager makes that a non-issue.

  5. 5

    Test the Password on the Target Service

    Paste the generated password into the registration or password-change form of the service you are securing. Some services silently truncate passwords beyond a certain length -- a 64-character password might be stored as only the first 20 characters without any warning. After setting the password, log out and log back in to confirm it works. If the service rejects the password because of character restrictions you did not know about, go back to the generator, adjust the character set, and try again. Save the final working password in your manager, overwriting the previous entry if needed.

Expert Tips for Password Generation

Stop thinking about password strength in terms of complexity rules and start thinking in bits of entropy. The old advice -- must contain uppercase, lowercase, number, and symbol -- is security theater when applied to short passwords. P@ssw0rd1! satisfies every complexity rule and gets cracked in under a second because it is a dictionary word with predictable substitutions. Meanwhile, a 20-character lowercase-only random string like qfxmtvbrjkwpzhdnscya has about 94 bits of entropy and would take centuries to brute force. Length beats complexity every time, and entropy is the single metric that captures both. When a service demands complexity rules with a short maximum length -- say, 8 to 12 characters with all four categories required -- that service has a fundamentally flawed password policy, but you have to work within its constraints. Generate the strongest password the system allows and move on.

Understand why CSPRNG matters. A standard PRNG like the Mersenne Twister used by Math.random() in most JavaScript engines produces output that looks random but is entirely deterministic given the internal state. If an attacker can observe enough outputs -- as few as 624 consecutive 32-bit values for Mersenne Twister -- they can reconstruct the internal state and predict every future output. That means every future password you generate becomes predictable. A CSPRNG resists this because it continuously mixes in fresh entropy from hardware sources -- keyboard timing, mouse movement, disk I/O timing, CPU thermal noise. Even if an attacker observes past outputs, they cannot predict future ones. For password generation, this is not a theoretical concern. Use crypto.getRandomValues() in the browser, os.urandom() in Python, or SecureRandom in Java. Never use Math.random(), random.random(), or any unseeded PRNG for security-sensitive randomness.

Diceware passphrases deserve more attention than they get. The standard diceware word list contains 7,776 words, each selected by rolling five six-sided dice. A four-word passphrase has about 51.7 bits of entropy -- roughly equivalent to a random 8-character password from the full ASCII set. Five words give you 64.6 bits, six words give you 77.5 bits, and seven words give you 90.4 bits. The advantage is memorability: planet-hammer-ocean-bicycle is far easier to remember and type than x7#Kp!mQ2$vR. Diceware was designed by Arnold Reinhold in 1995 and has held up because the math is simple and the word lists are public. The EFF published improved word lists in 2016 with longer, more distinguishable words that reduce typing errors. If you need a password you can actually type from memory -- your master password, your disk encryption passphrase, your laptop login -- a six-word or seven-word diceware passphrase is the right approach.

Never generate passwords on a compromised machine, and assume that shared or public computers may be compromised. A keylogger or clipboard monitor captures your generated password the moment it appears on screen, regardless of its entropy. Generate passwords only on devices you control and trust. If you suspect your machine might be compromised -- unusual slowness, unexpected network activity, antivirus alerts -- generate your passwords on a different device. For the highest assurance, generate critical passwords on an air-gapped machine or use a hardware password manager that generates and stores credentials entirely within a tamper-resistant chip. This level of caution is excessive for most people, but for system administrators managing root credentials or encryption keys protecting sensitive data, it is appropriate due diligence.

Related Tools

Password generation is the starting point of a security workflow that extends through storage, transmission, and verification. After generating a strong password, you might hash it with bcrypt or Argon2 before storing it in a database -- never store passwords in plain text. You might generate UUID-based API tokens for service authentication where passwords are not appropriate. And you might Base64-encode credentials for inclusion in HTTP Basic Auth headers or configuration files that require text-safe encoding. Each tool handles one piece of the puzzle, and using them together gives you a complete approach to credential management.

Frequently Asked Questions

Recommended Tools