Password Generator: Strong Random Character Passwords

What Is the Password Generator?

The Password Generator builds dense random-character passwords using crypto.getRandomValues with rejection sampling, so every character is drawn from the chosen alphabet with uniform probability and no modulo bias. It is the right tool when you need a credential you will never type by hand — API keys, password manager entries, service accounts, anything that lives in a vault. I default to 24 characters with all four character classes for almost everything, then bump to 32 or 40 for root accounts and signing keys. If you are looking for something memorable instead of dense, the Passphrase Generator on this site does the XKCD-style word approach. This page is about the opposite trade-off: maximum entropy per character, zero memorability cost.

Key Features

• Cryptographically secure source — randomness comes from crypto.getRandomValues, the CSPRNG behind the Web Crypto API. The generator uses rejection sampling rather than naive modulo, so an 88-character alphabet still produces uniformly distributed picks instead of biasing toward the first 26 letters.
• Length slider from 8 to 128 — drag or type a number. A paired number input lets you punch in an exact value. Eight is the bottom because anything shorter is not worth generating; 128 is the ceiling for fields that truncate.
• Four independent character-class toggles — uppercase A-Z, lowercase a-z, digits 0-9, and symbols !@#$%^&*()_+-=[]{}|;:,.<>?. Untick what your target system rejects. The tool blocks unticking the last remaining class so you cannot generate from an empty alphabet.
• Exclude ambiguous characters — strips O, 0, I, l, 1 from the alphabet. Costs about 0.4 bits per character and saves you from squinting at a printed recovery code.
• Live entropy panel — total bits, charset size, and bits-per-character recompute as you toggle classes or drag the length slider. The bit total is color-coded against a seven-tier scale from Weak (red) to Ludicrous (rainbow).
• Bulk generation up to 100 — set the count slider and click Generate to produce up to 100 candidates at once, each annotated with its individual entropy reading.
• Per-row and bulk copy — every generated password has its own copy button, and Copy All concatenates the list with newlines. Both fall back to execCommand('copy') if the Clipboard API is unavailable.
• Strength tier per password — each output line shows its bit count and a colored tier label (Weak, Fair, Good, Strong, Very Strong, Fortress, Ludicrous).

How to Use the Password Generator

Step 1: Set the Length

The "Length" slider runs from 8 to 128. The label updates to show the current value. The number input next to it accepts the same range and clamps any out-of-bounds value when you tab out. Sixteen is the default, which is fine for normal accounts; jump to 24 or 32 for anything sensitive.

Step 2: Pick Character Classes

Four checkboxes under "Character Sets" toggle the alphabet:

• Uppercase (A-Z) — 26 characters
• Lowercase (a-z) — 26 characters
• Numbers (0-9) — 10 characters
• Symbols — 26 characters from !@#$%^&*()_+-=[]{}|;:,.<>?

All four are on by default for an 88-character alphabet (~6.46 bits per character). Untick whichever your target system bans. If a service rejects symbols, you lose about 0.4 bits per character; compensate with a few extra characters of length.

Step 3: Decide on Ambiguous Characters

The "Exclude ambiguous characters" checkbox below the class toggles strips O, 0, I, l, 1 from the combined alphabet. Tick it for any password you will read off paper — printed recovery codes, hand-written wallet seeds, customer-support read-aloud strings. Leave it off for vault-only credentials where readability does not matter and every bit of entropy counts.

Step 4: Read the Entropy Panel

The grey strip below the options shows three numbers:

• Total entropy — bits of randomness in a password of the configured length and alphabet, color-coded by tier.
• Charset — current alphabet size after class toggles and ambiguous-character exclusion.
• Bits per char — log2(charset_size). With all four classes on and no exclusion: log2(88) ≈ 6.46.

The strength tiers map to the total bit count:

• Weak (red): under 40 bits
• Fair (orange): 40-49 bits
• Good (yellow): 50-59 bits
• Strong (lime): 60-79 bits
• Very Strong (cyan): 80-99 bits
• Fortress (violet): 100-149 bits
• Ludicrous (rainbow): 150+ bits

For practical use: 60 bits is the floor, 80 bits is the routine target, 100+ is the master-credential or signing-key tier.

Step 5: Generate, Inspect, Copy

Set the "Generate" count slider (1-100) and click Generate. Results appear in a scrollable list, numbered, each with its own entropy reading and tier label. The copy icon next to a row copies that single password; Copy All copies the full list joined by newlines. Clear wipes the list. Regenerate at the top of the results panel produces a fresh batch with the same settings.

Practical Examples

A 24-Character Password Manager Entry

Settings: Length 24, all four classes on, exclude ambiguous off, count 5.

Sample output:

qP7$mK#xR2!nVz8&jL*pYwH9

That is 24 * log2(88) ≈ 155 bits — Ludicrous tier. This is the bog-standard "save it in 1Password and never look at it" credential. Generating five at once lets you pick one whose first few characters are not awkward to type if your manager ever fails to autofill and you have to do it manually.

A Replacement API Key for a Compromised Service Account

Settings: Length 40, uppercase + lowercase + digits, symbols off (some HTTP clients still mishandle them in headers), exclude ambiguous off.

Sample output:

aFq2KpRy7nMxBz4tHsWvLg3jCdN8VuTeXrYzPmQk

That is 40 * log2(62) ≈ 238 bits. Symbols-off knocks the per-character entropy from 6.46 to 5.95, but length more than makes up for it and you avoid edge cases where & or + in a header value gets URL-decoded somewhere unexpected. The compromised key is rotated, the new value goes into the secret manager, and the 40-char length means even if the rotation system logs it accidentally, brute-forcing it is not on the table.

A Throwaway Password for a Site You'll Never Visit Again

Settings: Length 16, lowercase + digits only, exclude ambiguous on, count 1.

Sample output:

8kqr3zhmf4td9xbn

About 16 log2(31) ≈ 79 bits. Lowercase and digits with ambiguous chars stripped is what you reach for when a forum's signup form rejects symbols and you do not want to spend two minutes debugging why makes their validator scream. It is still 79 bits — Strong — which is overkill for a site you will never log into again, but the password manager is doing the remembering, so overkill is free.

Tips and Best Practices

Length beats complexity at every tier. A 30-character lowercase-only string (~141 bits) is stronger than a 16-character all-classes string (~103 bits). If a site enforces "must include uppercase, number, and symbol", tick all the boxes; if it does not, longer-and-simpler is the easier-to-handle choice.

60 is the floor, 80 is the routine target, 100+ is the high-value tier. Below 60 bits, GPU clusters can churn through the keyspace in days. Above 80, even nation-state rigs need years. Above 100 you have left the brute-force regime entirely. Pick a length that lights up the color you want.

Use a password manager and let it remember everything. A random 24-character password is unmemorable by design. If a credential is something you actually need to type — a master password, a disk encryption key, a recovery phrase — generate it with the Passphrase Generator instead. Random characters and word passphrases are different tools for different problems.

Generate ten and pick one. At count 5-10 you can scan for a candidate that does not start with a hard-to-type sequence (!@#$ is mathematically equivalent to any other four characters, but ergonomically rougher). Three seconds of picking pays off the one time autofill breaks.

Don't post-process generated passwords. Resist the urge to "make it more memorable" by replacing characters or rearranging them. Anything you do to a generated string after the fact reduces the entropy below the panel's reading. Accept the output or generate a fresh one.

Common Issues and Troubleshooting

"Please select at least one character set" — every class checkbox is unticked. The tool prevents unticking the last remaining class, but the error appears if you try to generate before any class is ticked at all. Tick at least one and try again.

A site rejects the generated password as too long. Some legacy forms cap input at 16, 20, or 32 characters silently — they accept the longer string but only store the first N characters. If you cannot log in with the full string, drop the length slider to a shorter value and try the rotated credential. Do not paste a 64-character password into a system you have not verified accepts that length.

A site rejects specific symbols. Untick "Symbols" entirely and bump length up by 4-6 characters to recover the lost entropy. This generator does not have a custom-symbol field — generate with symbols off, then manually paste a few approved symbols at random positions if the form requires them.

The entropy reading is "Weak" even at 16 characters. You probably have only one class ticked. Sixteen digits-only is 16 * log2(10) ≈ 53 bits — Good. Toggle a second class on and watch the bit count jump.

Generated passwords look "not random enough". Random output regularly produces clusters that look non-random — three vowels in a row, two adjacent capitals. Human pattern recognition flags these as "wrong" but they are exactly what uniform randomness produces.

Privacy and Security

Password generation runs in your browser using crypto.getRandomValues, the CSPRNG exposed by the Web Crypto API. Generated passwords are never sent to any server. The history panel below the tool stores recent generations in your browser's IndexedDB only so you can recover something you copied and lost; clear it from the panel when you are finished, or use the tool in a private/incognito window if you do not want any local trace at all. The browser's CSPRNG is seeded by OS-level entropy on every modern platform, so there is no "trust me, the seed is good" caveat to think about.

Frequently Asked Questions

Why use random characters instead of a passphrase?

Random characters are denser per character — about 6.46 bits per character with all classes on, vs. 12.9 bits per word for a 7,776-word passphrase list. For credentials you will never type, density wins because length is cheap. For credentials you will type, passphrases win because memorability matters. Use this tool for vault-only credentials and the Passphrase Generator for master passwords and recovery phrases.

What is rejection sampling and why does it matter?

If you generate a random byte (0-255) and take it modulo 88 to pick from an 88-character alphabet, the first 88 outputs of byte % 88 are slightly more likely than the last 80 because 256 is not a multiple of 88. Rejection sampling discards values that would land in the biased range and re-rolls, producing a uniform distribution. This tool uses it on a 32-bit random integer for every character.

How long should my password be?

Whatever produces 80+ bits in the entropy panel for routine credentials, 100+ for high-value ones. With all four classes on, 13 characters is 84 bits and 16 is 103 bits. The panel does the math; aim for a green-or-better tier.

Can I generate a password that meets a specific policy (must have one of each class)?

This tool does not enforce "at least one uppercase, at least one digit" rules. With all four classes ticked and length ≥ 16, the practical chance of missing a class is under 5%. If a form rejects the output, regenerate.

What happens if I lose a generated password?

If you copied it into a password manager, recover it from there. Otherwise check the History panel below the tool — it stores recent generations in your browser's IndexedDB. If you cleared the history or generated in incognito mode, the password is unrecoverable; rotate the credential at the target service.

Related Tools

• Passphrase Generator — generate XKCD-style memorable word passphrases for credentials you will type by hand.
• UUID Generator — generate v4 UUIDs when you need a globally unique identifier rather than a credential.
• Hash Suite — produce SHA-256, SHA-512, or BLAKE2 hashes of generated passwords for use as deterministic seeds.
• Base64 Encoder/Decoder — encode a generated password for safe transport in environments that mishandle raw bytes.
• Coming Soon: Argon2 Hash — hash a password with the modern KDF when you need to store it for verification rather than recovery.

Try Password Generator now: Password Generator