DEVESSENTIALS

Password Generator

Generate cryptographically secure random passwords using the browser's native Web Crypto API. Customize length, character sets and generate in bulk. Your passwords never leave the browser.

Length16
63264128
Characters
6$-)d9OQz@2*<7e6
StrengthVery Strong

Want to check an existing password?

Check its strength and estimated crack time

Related Tools

Password Checker

Check the strength of any password.

Hash Generator

Hash passwords with SHA-256 or bcrypt.

Frequently Asked Questions

What is password entropy and how does it determine actual strength?

Entropy (measured in bits) quantifies how unpredictable a password is. For a random password, entropy = log₂(character_pool_size) × length. A 12-character password from a 94-character set (printable ASCII) gives ~78.8 bits; adding just 4 more characters jumps it to ~105 bits — each extra character roughly doubles the search space. A target of 80+ bits is strong for online accounts; 128 bits is the standard for cryptographic applications. What drives entropy is randomness of generation, not apparent visual complexity.

When should I use a passphrase instead of a random character password?

Passphrases (randomly selected dictionary words, e.g., correct-horse-battery-staple) are preferable for passwords you need to memorize and type manually — like a device login, full-disk encryption passphrase, or password manager master password. A 5-word Diceware passphrase drawn from the EFF wordlist provides ~64.6 bits of entropy and is far more typeable than a short random string. For credentials stored in a password manager, a high-entropy random string is fine since you never type it.

Why do minimum character-type requirements (must include a number, a symbol) sometimes reduce strength?

Enforcing specific character types constrains the generator's output space. If you require at least one uppercase, one number, and one symbol in a 12-character password, you reduce the number of valid permutations compared to fully unconstrained random selection from the same character set. Bitwarden's documentation explicitly notes that setting minimum numbers and minimum special counts too high reduces entropy. The strongest passwords come from unconstrained random selection across the full allowed character set — let length drive strength.

What is the difference between crypto.getRandomValues() and Math.random() for password generation?

Math.random() produces a deterministic sequence seeded by a predictable value — it is fast but not suitable for security purposes. window.crypto.getRandomValues() (the Web Crypto API) is seeded from OS-level entropy sources (hardware interrupts, timing jitter) and is computationally infeasible to predict. Any password generator you trust must use a CSPRNG. This tool uses crypto.getRandomValues() exclusively — the same source used by 1Password and Bitwarden's browser generators.

Which symbols should I avoid in passwords that will be used in shell commands or config files?

Certain symbols frequently break real-world systems: single quotes ('), double quotes ("), backticks (`), and backslashes (\) corrupt shell commands, SQL queries, and config file parsers. The percent sign (%) and ampersand (&) can corrupt URLs. Some legacy systems reject semicolons (;) or angle brackets (<>). A practical approach is to use symbols but exclude the most problematic ones — most generators offer a custom symbol exclusion field for exactly this reason.