Random Beats Memorable
The passwords people invent for themselves cluster around a handful of human habits: a name, a date, a keyboard pattern, a word with a digit tacked on the end. Attackers know those habits and test them first. A generated password has no story behind it — it is just length and noise, drawn character by character from the browser's cryptographic random source — which is exactly what makes it hard to guess and easy to trust.
Where the Randomness Comes From
This tool draws every character from crypto.getRandomValues(), the Web Crypto API's cryptographically secure random number generator. That matters: the everyday Math.random() is a pseudorandom function tuned for speed, not secrecy, and its output can be reconstructed. crypto.getRandomValues() is built for generating secrets, so each password you create carries genuine entropy across whichever character sets — uppercase, lowercase, numbers, symbols — you switch on.
Sample run: a 16-character password with every set enabled
Set the length slider to 16 and tick uppercase, lowercase, numbers, and symbols, then press Generate. A run like that produces something on the order of K7$mP9x!qR2#vL4w — sixteen characters drawn from a pool of roughly 94 possibilities each, which the strength meter reads as strong. Press Generate again and you get a completely different string from the same settings; the inputs describe the shape, the random source fills it in.
What This Tool Will Not Do
A generator hands you a strong password; it does not remember it for you. There is no vault here, no sync, no account — once you close the tab the password is gone unless you have copied it somewhere safe, so this is a companion to a password manager, not a replacement for one. Because the work happens entirely in your browser, the weak link shifts to your surroundings: a copied password sits on the clipboard until something overwrites it, and a long string typed on screen can be read over your shoulder or captured by a compromised device. Generate on a machine you trust, paste it straight into the account you are securing, and do not paste a generated password back into any "test my password strength" website.
Password Questions, Answered
Are the passwords from this generator safe to use?
Yes. Each password is built with crypto.getRandomValues(), the browser's cryptographically secure random source, so the output has real, unpredictable entropy rather than the guessable patterns of pseudo-random functions like Math.random(). The result is as strong as the length and character sets you choose.
Is anything I generate sent to a server?
No. Every password is created locally in your browser by JavaScript on this page. Nothing you generate is transmitted, logged, or stored anywhere, so even we never see the passwords you make. You can confirm this by opening the tool with your network disconnected: it still works.
How long should a strong password be?
For most online accounts, 16 characters mixing uppercase, lowercase, numbers, and symbols is comfortably strong. Push to 20 or more for a password manager master password or anything high-value. Length adds far more strength than swapping a few letters for symbols, so when in doubt, make it longer.
Should I add symbols to my password?
Symbols enlarge the pool of possible characters, which raises the work an attacker must do per character, so enabling them helps. That said, a longer password with only letters and digits can be stronger than a short one stuffed with symbols. Some sites also reject certain symbols, so if one is rejected, regenerate with symbols off and add a few more characters instead.