Generate cryptographically strong passwords using crypto.getRandomValues. Never leaves your browser.
This tool generates passwords using crypto.getRandomValues() โ the browser's cryptographically secure random number generator. You can configure length from 4 to 128 characters, choose which character sets to include (uppercase, lowercase, digits, symbols), exclude visually ambiguous characters, and even supply a fully custom charset.
Every password is generated entirely client-side and never transmitted anywhere. The entropy display and estimated crack time help you understand exactly how strong each output is relative to a modern brute-force attacker running a trillion guesses per second.
Entropy (measured in bits) quantifies how unpredictable a password is. It is calculated as length ร logโ(charset size). A 20-character password drawn from all four character sets has roughly 131 bits of entropy โ meaning an attacker would need to try 2ยนยณยน combinations on average to crack it by brute force, which is computationally infeasible even with nation-state resources. Aim for at least 80 bits for personal accounts and 128+ bits for long-lived secrets.
Yes, provided the page itself is trustworthy and your device is not compromised. This tool uses the same OS-level CSPRNG that security libraries use, generates everything locally, and makes no network requests. You can verify this by opening DevTools โ Network and generating โ you will see zero outbound requests triggered by the generator logic.
Some services enforce specific password policies that allow only a subset of symbols, or require special characters from a restricted list. The custom charset field lets you type exactly the characters you want to draw from, overriding the checkboxes entirely. For example, entering abcdefABCDEF0123456789 produces hex-only passwords useful for certain API token formats.