Password Generator: Secure Random Passwords

What Is the Password Generator?

The Password Generator creates strong, cryptographically secure passwords using the Web Crypto API (crypto.getRandomValues), which is the same randomness source used by your operating system for security-critical operations. It is not pseudo-random — each character is drawn from a pool sized to your selected character sets, using rejection sampling to eliminate modulo bias.

Use this tool when you need passwords for test accounts, API keys, local secrets, seed data, or any scenario where predictable or weak passwords would be a security risk. The tool generates up to 100 passwords at a time, shows an entropy estimate for each, and copies directly to the clipboard. Everything runs in your browser — no passwords are logged or transmitted anywhere.

Key Features

• Cryptographically secure randomness — uses crypto.getRandomValues with rejection sampling (getUnbiasedRandomIndex) to eliminate the modulo bias that affects simple random implementations when the charset size is not a power of two.
• Customizable length (8–126 characters) — set via both a range slider and a numeric input field. The input clamps to the 8–128 range automatically.
• Four character sets — uppercase (A–Z, 26 chars), lowercase (a–z, 26 chars), numbers (0–9, 10 chars), and symbols (!@#$%^&*()_+-=[]{}|;:,.<>?, 26 chars). At least one must remain active; the tool prevents deselecting the last active set.
• Exclude ambiguous characters — removes O, 0, I, l, and 1 from the pool, eliminating characters that look similar in many fonts. The component defines these as 'O0Il1' (5 characters).
• Entropy display — shows total entropy in bits, charset size, and bits-per-character in real time as you adjust options. The formula is length × log2(charsetSize).
• Seven strength levels — Weak (< 40 bits), Fair (40–49), Good (50–59), Strong (60–79), Very Strong (80–99), Fortress (100–149), and Ludicrous (150+ bits). Each level has a distinct color indicator.
• Bulk generation (up to 100) — a range slider controls how many passwords are generated per click. The default is 1.
• Copy to clipboard — copy individual passwords or all passwords at once.
• Password strength guide — a reference table showing estimated crack times at consumer GPU and nation-state threat levels for each strength tier.

How to Use the Password Generator

Step 1: Set the Length

Use the range slider (8–128) or the numeric input box to choose password length. The two controls stay synchronized — moving either updates the other. The default is 16 characters.

The entropy display updates immediately: at length 16 with all character sets active (88 characters total), you get approximately 16 × log2(88) ≈ 103.4 bits — rated Fortress.

Step 2: Choose Character Sets

Four checkboxes control which characters are included:

• Uppercase A–Z — 26 characters
• Lowercase a–z — 26 characters
• Numbers 0–9 — 10 characters
• Symbols — 26 characters: !@#$%^&*()_+-=[]{}|;:,.<>?

Unchecking all but one set is allowed. Attempting to uncheck the last remaining set triggers an error toast: "Please select at least one character set."

Step 3: Optionally Exclude Ambiguous Characters

Check "Exclude ambiguous characters" to remove O, 0, I, l, and 1 from the pool. This subtracts 5 characters from the charset size. The entropy display reflects the reduction immediately. This option is useful when passwords will be read or typed from a screen — for example, shared over a phone call or printed in documentation.

Step 4: Set Count and Generate

Use the count slider (1–100) to choose how many passwords to generate in one click. Click "Generate" to produce them. Each password is generated independently using a fresh call to getUnbiasedRandomIndex for every character position.

A success toast confirms how many passwords were generated. The results card appears with a scrollable list showing each password alongside its individual entropy value and strength color indicator.

Step 5: Copy Passwords

• Click the copy icon on any individual password row to copy that single password.
• Click "Copy All" to copy all passwords as a newline-separated list.

The component includes a fallback clipboard method using document.execCommand('copy') for older browser environments where navigator.clipboard is unavailable.

Practical Examples

Generating API keys for a staging environment. You need 10 unique secrets for microservice authentication. Set length to 32, keep all character sets active, set count to 10, and click Generate. Copy all to the clipboard and paste into your secrets manager. At 32 characters with an 88-character pool, each password has about 207 bits of entropy — firmly in Ludicrous range.

Creating readable passwords for a team handoff document. A temporary admin password needs to be communicated verbally. Set length to 16, enable "Exclude ambiguous characters," and keep all other sets active. The resulting password has no lookalike characters, making it easier to read aloud and transcribe correctly.

Seeding test accounts with varied password complexity. You want to test your app's password strength meter against several tiers. Generate passwords at different lengths: 8 characters (Weak/Fair), 12 characters (Good), 16 characters (Strong/Very Strong), 24 characters (Fortress). Use each as a seed value in your test fixtures.

Tips and Best Practices

Understand the strength levels before choosing length. At 16 characters with all sets (88-char pool), entropy is about 103 bits (Fortress). Dropping to 12 characters gives about 78 bits (Strong). The entropy display shows these values live, so you do not need to calculate manually.

Longer passwords beat more complex character sets for entropy. Adding symbols to a 12-character password (78 bits) contributes less than increasing length by 2 characters. A 14-character all-lowercase password (66 bits: Good) provides more entropy than an 8-character mixed-set password (52 bits: Fair), though both factors still matter.

Use "Exclude ambiguous characters" selectively. Removing 5 characters reduces entropy slightly. For machine-to-machine credentials where no human will read the password, keep all characters enabled for maximum entropy.

The Ludicrous level is real. At 150+ bits of entropy, a password requires more energy to brute-force than physically exists in the observable universe at current computational rates. For a 128-character password with all sets active, entropy is approximately 827 bits. The tool renders "Ludicrous" in a multi-color rainbow effect.

Generate multiples when you need unique passwords for related services. Set count to 5 or 10 and click Generate once. Each password is independently random, so you get a set of unique credentials in one operation.

Common Issues and Troubleshooting

"Please select at least one character set" error. You attempted to uncheck the last active character set checkbox. The tool prevents this by returning early and showing the error. Enable at least one other set before unchecking the current one.

Copy button appears to do nothing. If navigator.clipboard is not available (some browser security contexts), the tool falls back to document.execCommand('copy'). If both fail silently, check that the page has focus and that clipboard access is not blocked by browser permissions.

Entropy reads lower than expected. Check that "Exclude ambiguous characters" is not checked unexpectedly — it removes 5 characters from the pool. Also verify all desired character sets are checked, since the entropy display only reflects the currently active configuration.

Generated passwords contain no symbols even with symbols enabled. Randomness is unpredictable by design — a short password might coincidentally draw no symbol characters from the pool. The generator does not guarantee inclusion of every character type, only that every character type in the pool has an equal probability of being selected at each position. Increase length to raise the probability that all active sets appear.

All generated passwords look similar. This is statistically unlikely with cryptographic randomness and most likely a display glitch. Clicking "Regenerate" in the results header generates a fresh set.

Privacy and Security

The Password Generator uses crypto.getRandomValues, the browser's cryptographically secure pseudorandom number generator. No generated password is sent to any server — there are no API calls, no analytics events containing password values, and no logging. The rejection sampling algorithm (getUnbiasedRandomIndex) eliminates the modulo bias common in simpler approaches, ensuring uniform distribution across all charset positions. The tool works offline once the page has loaded. Generated passwords are never stored by the application itself; they exist only in your browser's memory until you copy or navigate away.

Frequently Asked Questions

Is this password generator free? Yes, completely free with no account, no signup, and no usage limits.

Is it truly random, or pseudo-random? The tool calls crypto.getRandomValues, which is the browser's cryptographically secure random number generator (CSPRNG). This is the same source used for TLS key generation and other security-critical operations. It is not a simple pseudo-random function like Math.random().

What is modulo bias, and does this tool avoid it? Modulo bias occurs when a random number is taken modulo a charset size that does not evenly divide the random number space. The result is a slight over-representation of some characters. This tool uses rejection sampling: it discards any random value that would introduce bias, then retries until a usable value is found. The function is called getUnbiasedRandomIndex in the source code.

Can I generate passwords offline? Yes. Once the page has loaded, all generation runs locally with no network dependency.

What does "Exclude ambiguous characters" remove? It removes O, 0, I, l, and 1 — five characters that look visually similar in many fonts. This is useful for passwords that will be read, typed, or spoken by humans.

What are the seven strength levels? Weak (< 40 bits), Fair (40–49), Good (50–59), Strong (60–79), Very Strong (80–99), Fortress (100–149), and Ludicrous (150+ bits). Strength is calculated from password length × log2(charset size).

How many passwords can I generate at once? Up to 100 passwords per click, controlled by the count slider.

What characters are included in the symbols set? The symbols character set is !@#$%^&*()_+-=[]{}|;:,.<>? — 26 characters. Apostrophes and backticks are not included, which avoids common shell escaping issues.

Are generated passwords stored anywhere? No. Passwords are generated in browser memory and displayed in the results list. Closing or navigating away from the page clears them. Premium supporters can use the History Panel to review previously generated configurations, but the actual password values are stored only locally in IndexedDB — not on any server.

What length should I use for different use cases? For general accounts: 16–20 characters (Fortress). For high-value targets (admin accounts, root credentials): 24–32 characters. For machine-to-machine API keys where length is not constrained: 32–64 characters. The entropy display gives you real-time feedback as you adjust.

Related Tools

• Passphrase Generator — generate memorable word-based passwords with comparable entropy.
• UUID Generator — generate RFC-compliant universally unique identifiers for non-password use cases.
• Hash Generator — hash your generated passwords with SHA-256, SHA-512, or other algorithms.

Try the Password Generator now: Password Generator