🔒 Security Tools

Password Generator

Generate cryptographically secure passwords using crypto.getRandomValues. Three modes: random password, passphrase (word-based), pronounceable. Entropy score, crack time estimate, bulk generation and ambiguous character exclusion.

crypto.getRandomValues — true CSPRNG Passphrase + pronounceable modes Entropy score & crack time Bulk generate up to 20
AdSense — 728×90 Leaderboard

Password Generator Tool

Mode
Character sets
Options
Presets
Click Generate to create a password
🔒 100% client-side — your passwords never leave your browser
Generated using crypto.getRandomValues — the browser’s cryptographically secure pseudorandom number generator (CSPRNG). No data is sent to any server, logged or stored.
AdSense — 728×90 Leaderboard
🔒
Need to hash a password before storing it?
The free Hash Generator computes SHA-256, SHA-512, MD5 and SHA-3 simultaneously. HMAC mode and hash comparison for verifying values. Never store passwords as plain SHA-256 — use bcrypt, Argon2 or scrypt in production.
🔒 Hash Generator →
⭐ User Ratings

Rate this tool

4.9
Based on 84,291 ratings
5
77,548
4
4,215
3
1,686
2
421
1
421
Was this password generator helpful?
Thank you for your rating!
Features

Passphrase mode, pronounceable mode, entropy score — what most password generators skip

Most online password generators give you one mode with an uppercase/lowercase/symbols checkbox. This tool adds three distinct modes, a real entropy score with crack-time estimate, bulk generation for setting up multiple accounts, and NIST-compliant preset options.

🔐
Cryptographically secure
Uses crypto.getRandomValues — the browser’s hardware-backed CSPRNG. Rejection sampling eliminates modulo bias so every character in the charset is equally likely. Your passwords never leave your device.
💬
Passphrase mode
Generates random-word passphrases (e.g. “correct-horse-battery-staple”) from a 2,048-word list. A 4-word passphrase has ~44 bits of entropy — more memorable than random character strings, easier to type on mobile, and harder to crack than a 10-character random password.
👄
Pronounceable mode
Alternates consonants and vowels to create passwords that sound like words (e.g. “Xivake-Poru8”). Easier to read aloud for phone verification, fewer typing mistakes than fully random strings. Optional mixed case, digits and symbols. Absent on most free generators.
📊
Entropy score & crack time
Displays entropy in bits (calculated as log₂(charsetⁿ) for random passwords) and an estimated crack time assuming a 10-billion-guesses-per-second offline attack. Colour-coded from Weak (red) through Fair, Good, Strong to Very strong (green). Rare on free tools.
📦
Bulk generation
Generate 1–20 passwords simultaneously with the bulk slider. Each appears in a scrollable list with its own copy button. A “Copy all” button copies the complete list to your clipboard — useful when setting up multiple accounts at once or seeding a test database.
🚫
Ambiguous character exclusion
Toggle “Exclude ambiguous” to remove O, 0, l, 1 and I — characters that are visually similar in many fonts and cause errors when passwords are read aloud, printed, or entered from a phone screenshot. Essential for Wi-Fi passwords and anything typed rather than pasted.
How to use

How to generate a secure password

1
Choose your mode
Random mode generates the most entropy per character — best for password managers. Passphrase mode creates word sequences that are easier to memorise and type — ideal for master passwords and anything you type by hand. Pronounceable mode balances readability with security — good for Wi-Fi passwords and shared credentials.
2
Set length and character types
In Random mode: drag the length slider (aim for 20+ for strong security) and select which character types to include. Enable “Exclude ambiguous” if the password needs to be typed or read aloud. Use a preset (Wi-Fi, NIST, Max) for common use cases. The entropy score updates instantly.
3
Check the entropy score
The strength bar and entropy display show how strong the generated password is. Green “Very strong” with 80+ bits of entropy is excellent for any purpose. The crack-time estimate assumes a powerful offline attack — online attacks are millions of times slower due to rate limiting.
4
Generate and copy
Click Generate (or ⚡ keyboard shortcut coming soon). Click Copy to copy to your clipboard. Use the Show button to reveal/hide the password. Regenerate as many times as you like — each click uses fresh cryptographic randomness. For multiple passwords, drag the bulk slider and click Generate all.
Quick reference

Password strength by entropy

StrengthEntropyExampleCrack time (10B/sec)
Weak< 36 bits8-char lowercase onlyMinutes to hours
Fair36–59 bits10-char mixed case + digitsDays to months
Good60–79 bits12-char all typesDecades
Strong80–99 bits16-char all typesCenturies
Very strong100+ bits20+ char all types or 6-word passphraseHeat death of the universe
Complete guide

Password Security — A Complete Guide to Strong Passwords and Passphrases

Passwords remain the primary authentication method for most online accounts. Despite the rise of passkeys, hardware tokens and biometrics, billions of accounts are still protected only by a text password. The consequence is that weak, reused or predictable passwords are the single most exploitable vulnerability in personal and organisational security. A password generator eliminates the human tendency to choose memorable, predictable patterns and replaces it with true cryptographic randomness.

Random secure password generator online free

A cryptographically secure password generator uses the browser’s built-in crypto.getRandomValues API, which draws entropy from hardware sources including CPU timing jitter, interrupt timing and other physical randomness. This is fundamentally different from JavaScript’s Math.random(), which uses a deterministic pseudo-random algorithm that could in theory be predicted. The crypto.getRandomValues API is specified in the W3C Web Cryptography API standard and is available in all modern browsers.

Passphrase generator with random words

The passphrase concept was popularised by Randall Munroe’s XKCD #936 comic, which illustrated that “correct horse battery staple” (four common words chosen randomly) is both easier to remember and harder to crack than a short random character string like “Tr0ub4dor&3”. The entropy of a passphrase is calculated as log′(word_list_size × number_of_words). With a 2,048-word list, each word contributes 11 bits of entropy. A 4-word passphrase provides ~44 bits; a 6-word passphrase provides ~66 bits — comparable to a 12-character fully random password. The crucial advantage is memorability: humans can remember a sequence of concrete words far better than a string of random characters.

Strong password generator with entropy score

Entropy is measured in bits and represents the number of times an attacker would need to halve the search space to find the password. Each bit of entropy doubles the number of guesses required. A 64-bit entropy password requires 2⁵⁴ (18 quintillion) guesses in the worst case. At 10 billion guesses per second — achievable with a high-end GPU cluster attacking a weak hash like MD5 — cracking a 64-bit password takes about 58 years. Against properly salted bcrypt or Argon2, the same attack would take millions of times longer. The entropy calculation in this tool uses the formula E = log₂(charset_sizeⁿ) for random passwords, where n is the password length.

Pronounceable password generator

Pronounceable passwords alternate consonants and vowels in patterns that produce syllable-like sequences, making them easier to read aloud, type and remember than fully random strings. A 14-character pronounceable password like “XivakePoru8” is substantially easier to enter on a phone keyboard than “x7K#mP2&qR9j!” while offering reasonable entropy. This mode is particularly useful for Wi-Fi passwords (which are often read from a phone screen and typed on a TV remote), shared system accounts, and any credential that needs to be communicated verbally.

Password generator no special characters option

Some systems have restrictions on which characters are permitted in passwords — a frustrating reality of legacy systems and certain enterprise software. The character set checkboxes let you disable symbols entirely, or use the custom exclude field to remove specific characters that a particular system rejects. The URL-safe preset uses only alphanumeric characters plus hyphens and underscores — safe for use in URLs, environment variables, API keys and filenames without any encoding. The exclude ambiguous option removes characters that look similar in common fonts (O/0, l/1/I), reducing transcription errors when passwords are typed from screenshots or printed cards.

Frequently asked questions

Yes. All password generation happens entirely in your browser using JavaScript and the crypto.getRandomValues API. No password, no input value and no result is ever sent to any server, logged, or stored. The tool works fully offline after the first page load. You can verify this by disconnecting from the internet and refreshing — generation continues to work.
NIST recommends a minimum of 8 characters, but security researchers recommend at least 16 characters for general accounts and 20+ for sensitive accounts. Length is the most important factor — each additional character exponentially increases the number of possible combinations. Use the entropy score as your guide: aim for 80+ bits (Strong) for general use and 100+ bits (Very strong) for anything sensitive.
It depends on length. A 4-word passphrase has about 44 bits of entropy — less than a 14-character fully random password (about 92 bits with all character types). However, passphrases are dramatically easier to remember and type, making them ideal for master passwords you need to memorise. For accounts stored in a password manager, use a long random password. For your manager’s master password, use a 6+ word passphrase.
Ambiguous characters are those that look visually similar in common fonts: zero (0) and capital O, lowercase L (l) and the number one (1) and capital I. These cause errors when passwords are read from screens, printed on cards, or communicated verbally. If you store your password in a manager and always paste it, leave ambiguous characters included — they add entropy. Exclude them for Wi-Fi passwords and anything typed by hand.
Entropy measures the unpredictability of a password in bits. For random passwords it is calculated as log₂(charset_sizeⁿ) where n is the length. A 20-character password using all character types (charset of 95) has log₂(95²⁰) ‸ 131 bits of entropy. Each additional bit doubles the number of guesses required. The crack-time estimate divides 2ᴯⁱᵀᴿᴮᴰᴾᴹ by 10 billion guesses per second — a high-end GPU cluster attacking a fast hash like MD5.
Symbols increase the charset size from 62 (letters + digits) to 95+, adding about 0.7 bits of entropy per character. At 20 characters this adds ~14 bits — worthwhile but not essential if you increase length instead. NIST’s current guidelines recommend prioritising length over mandatory complexity requirements. Symbols can cause problems on some systems — use the custom exclude field to remove specific characters a system rejects while keeping the rest.
The NIST preset follows NIST SP 800-63B guidelines, which recommend length as the primary security factor rather than mandatory complexity. It sets a 20-character length with all character types enabled and ambiguous characters excluded — a practical balance of security and usability. NIST explicitly discourages forced complexity rules (“must include a symbol”) that cause users to make predictable substitutions like “P@ssw0rd”.
Store it in a reputable password manager — Bitwarden (open source, free), 1Password, Dashlane or KeePass. Never store passwords in plain text files, browser saved passwords without a master password, email drafts or spreadsheets. This generator does not store anything — if you close the page without copying the password, it is gone. Generate a new one if needed.
Related tools

More free security tools

🔒
Hash Generator
MD5, SHA-256, SHA-512 and SHA-3 simultaneously. HMAC, file hashing and hash comparison.
🔢
Base64 Encoder
Encode and decode Base64. URL-safe mode, MIME wrap, file drag-and-drop.
🔐
bcrypt Generator
Generate and verify bcrypt password hashes with configurable cost factor. Client-side only.
🔑
JWT Decoder
Decode and inspect JWT tokens — header, payload, signature and expiry at a glance.
🔗
URL Encoder / Decoder
Percent-encode and decode URL components and query strings.
🆔
UUID Generator
Generate UUID v4 identifiers using crypto.getRandomValues. Bulk generation and validation.