Random Password Generator
Secure, customisable, client-side — no password is ever sent to a server
100% Client-Side
All generation happens in your browser using the Web Crypto API. No password is ever transmitted or stored.
Cryptographically Random
Uses crypto.getRandomValues() — the same randomness source as your OS, not a weak Math.random().
Fully Customisable
Control length (4–64), character sets, ambiguous characters, repetition, and custom exclusions.
Understanding Password Security
What Makes a Password Truly Secure? A Complete Guide
Everything you need to know about password strength, randomness, and best practices
A random password generator is a tool that creates passwords using an algorithm driven by a source of entropy (randomness) — producing character combinations that no human brain would ever choose on its own. Unlike passwords you invent yourself ("Fluffy2019!" or "MyPassword#1"), machine-generated passwords have no predictable patterns, no dictionary words, and no personal information for attackers to guess against.
This generator uses the browser's built-in Web Crypto API (crypto.getRandomValues()), which draws entropy from your operating system's secure random number generator — the same source used in cryptographic applications. Crucially, the password is created entirely inside your browser: nothing is sent to any server, and nothing is stored anywhere. Once you close the tab, the password is gone from the tool forever — which is exactly what you want.
Password strength is measured in entropy bits, a logarithmic measure of how many guesses an attacker would need to try before stumbling on the correct password. The formula is simple: entropy = log₂(pool_size ^ length), which is the same as length × log₂(pool_size). The larger the character pool and the longer the password, the more guesses are needed, and each additional character multiplies the number of combinations by the pool size.
| Length | Character Set | Pool Size | Combinations | Strength |
|---|---|---|---|---|
| 8 | Lowercase only | 26 | ~209 billion | Weak |
| 8 | Upper + Lower + Numbers | 62 | ~218 trillion | Fair |
| 12 | Upper + Lower + Numbers | 62 | ~3.2 quadrillion | Good |
| 16 | All character types | 95 | ~44 quintillion | Strong |
| 20 | All character types | 95 | ~358 sextillion | Very Strong |
A modern GPU cluster can attempt billions of guesses per second against offline password hashes. A "Weak" 8-character lowercase password can be cracked in minutes. A 16-character password using all character types would take longer than the age of the universe — even with all computing power on Earth combined.
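The generation method and entropy formula described above, as an added example that is not this tool's own code: it picks characters with crypto.getRandomValues() and rejection sampling, so every character in the pool is equally likely. The names SETS, AMBIGUOUS, buildPool, randomIndex, generatePassword and entropyBits, the symbol list and the look-alike list are assumptions made for illustration.

```javascript
// Added example; all names below are illustrative, not the tool's source.
// Browsers expose crypto globally; the fallback covers older Node.js.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!#$%&*+-=?@^_", // constructed sample symbol list
};
const AMBIGUOUS = "0O1lI"; // assumed look-alike list

// Merge the chosen sets, drop excluded characters, de-duplicate.
function buildPool(setNames, exclude = "") {
  const chars = new Set(setNames.map((n) => SETS[n]).join(""));
  for (const c of exclude) chars.delete(c);
  return [...chars];
}

// Uniform integer in [0, n). A bare `value % n` over-represents low
// indices unless n divides 2^32, so values in the uneven tail are redrawn.
function randomIndex(n) {
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, pool) {
  if (!Number.isInteger(length) || length < 4 || length > 64) {
    throw new RangeError("length must be an integer from 4 to 64");
  }
  if (pool.length < 2) throw new RangeError("character pool too small");
  let out = "";
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return out;
}

// entropy = log2(poolSize ^ length) = length * log2(poolSize)
function entropyBits(poolSize, length) {
  return length * Math.log2(poolSize);
}

const pool = buildPool(["lower", "upper", "digits", "symbols"], AMBIGUOUS);
const password = generatePassword(16, pool);
console.log(password, entropyBits(pool.length, 16).toFixed(1), "bits");
```

Excluding characters shrinks the pool, so the entropy should be computed from the pool actually used rather than from the nominal character-set size.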
Attackers use several strategies: dictionary attacks (testing common words and phrases), rule-based attacks (adding numbers or symbols to dictionary words — exactly what most humans do), credential stuffing (reusing passwords leaked from other sites), and brute-force attacks (trying every possible combination). Truly random passwords defeat all four: they contain no dictionary words, no predictable patterns, they are unique per site, and their sheer combinatorial space defeats brute-force.
A common misconception is that "P@ssw0rd!" is strong because it has uppercase, lowercase, numbers, and symbols. It is not. Dictionary-rule attack tools test millions of such substitutions every second. True security comes from randomness, not from cleverly replacing letters with look-alikes.