Random Password Generator

🔐
Configure your character sets and length below — each click generates a cryptographically random password that never leaves your browser.
🔑

Random Password Generator

Secure, customisable, client-side — no password is ever sent to a server

16
464
Uppercase
A B C … Z
Lowercase
a b c … z
Numbers
0 1 2 … 9
Symbols
! @ # $ % …
Exclude Ambiguous Characters
Removes 0, O, l, 1, I
No Repeated Characters
Each character used once
Generated Password
Click Generate to create a password
Password Strength
12+ characters
Uppercase letters
Lowercase letters
Numbers
Symbols
16+ characters
Batch — 5 Passwords
Click "Generate All" to produce 5 passwords with the current settings.
🔒

100% Client-Side

All generation happens in your browser using the Web Crypto API. No password is ever transmitted or stored.

Cryptographically Random

Uses crypto.getRandomValues() — the same randomness source as your OS, not a weak Math.random().

🎛️

Fully Customisable

Control length (4–64), character sets, ambiguous characters, repetition, and custom exclusions.

Understanding Password Security

What Makes a Password Truly Secure? A Complete Guide

Everything you need to know about password strength, randomness, and best practices

What is a Random Password Generator?

A random password generator is a tool that creates passwords using an algorithm driven by a source of entropy (randomness) — producing character combinations that no human brain would ever choose on its own. Unlike passwords you invent yourself ("Fluffy2019!" or "MyPassword#1"), machine-generated passwords have no predictable patterns, no dictionary words, and no personal information for attackers to guess against.

This generator uses the browser's built-in Web Crypto API (crypto.getRandomValues()), which draws entropy from your operating system's secure random number generator — the same source used in cryptographic applications. Crucially, the password is created entirely inside your browser: nothing is sent to any server, and nothing is stored anywhere. Once you close the tab, the password is gone from the tool forever — which is exactly what you want.

Why Password Strength Matters — The Math Behind It

Password strength is measured in entropy bits — a logarithmic measure of how many guesses an attacker would need to try before stumbling on the correct password. The formula is simple: entropy = log₂(pool_size ^ length). The larger the character pool and the longer the password, the astronomically more guesses are needed.

LengthCharacter SetPool SizeCombinationsStrength
8Lowercase only26~209 billionWeak
8Upper + Lower + Numbers62~218 trillionFair
12Upper + Lower + Numbers62~3.2 quadrillionGood
16All character types95~44 quintillionStrong
20All character types95~358 sextillionVery Strong

A modern GPU cluster can attempt billions of guesses per second against offline password hashes. A "Weak" 8-character lowercase password can be cracked in minutes. A 16-character password using all character types would take longer than the age of the universe — even with all computing power on Earth combined.

How Passwords Get Compromised — and How Randomness Protects You

Attackers use several strategies: dictionary attacks (testing common words and phrases), rule-based attacks (adding numbers or symbols to dictionary words — exactly what most humans do), credential stuffing (reusing passwords leaked from other sites), and brute-force attacks (trying every possible combination). Truly random passwords defeat all four: they contain no dictionary words, no predictable patterns, they are unique per site, and their sheer combinatorial space defeats brute-force.

The biggest myth: Many people believe a password like P@ssw0rd! is strong because it has uppercase, lowercase, numbers, and symbols. It is not. Dictionary-rule attack tools test millions of such substitutions every second. True security comes from randomness, not from cleverly replacing letters with look-alikes.
How to Use Generated Passwords Safely
1
Use a password manager — tools like Bitwarden, 1Password, or KeePass store and auto-fill your passwords so you never need to memorise them. A password manager is the single most impactful security habit you can adopt.
2
Never reuse passwords — every account should have a unique, randomly generated password. When one site suffers a breach, none of your other accounts are exposed.
3
Use 16+ characters for important accounts — email, banking, and social media deserve the highest entropy. Use at least 16 characters with all character types enabled.
4
Enable two-factor authentication (2FA) — a strong password plus a time-based OTP or hardware key means even a fully compromised password cannot be used alone to access your account.
5
Never store passwords in plain text — do not save passwords in a notes app, spreadsheet, or email. Use a dedicated, encrypted password manager with a strong master password.