Password Generator & Strength Checker

Generate strong random passwords in one click. Strength presets make it easy to tailor settings to your needs. You can also check the strength of any existing password.

⚙Generate Password

Presets

Length12

464

Uppercase (A-Z)Lowercase (a-z)Numbers (0-9)Symbols (!@#$)

password

–

🔍Check Strength

Enter a password to check its strength

Paste or type a password…

How to use the Password Generator

1
Click a preset (Simple, Standard, or Strong) to generate a password instantly with recommended settings.
2
Use the length slider (4–64 characters) and toggle uppercase, lowercase, numbers, and symbols as needed.
3
Click 'Copy' to copy the password to your clipboard, or 'Regenerate' to get a new one with the same settings.
4
Use the 'Check Strength' tab to evaluate the strength of any existing password on a 5-level scale.

Features

✓Cryptographically secure: Uses crypto.getRandomValues() from the Web Cryptography API — not the predictable Math.random().
✓Fisher-Yates shuffle ensures uniform randomness and guarantees at least one character from each enabled character set.
✓5-level strength gauge: Scores based on length, character variety, and complexity for clear visual feedback.
✓100% browser-based: No password is ever sent to any server. All processing is local and completely private.

FAQ

Q. What makes this generator more secure than others?

A. This tool uses crypto.getRandomValues(), a cryptographically strong random number generator built into browsers. Unlike Math.random(), it produces unpredictable values — a critical requirement for password security.

Q. What makes a strong password?

A. Use at least 12 characters combining uppercase, lowercase, numbers, and symbols. The 'Strong' preset (20 characters, all character types) provides the highest security level offered by this tool.

Q. Are generated passwords saved anywhere?

A. No. All processing happens completely in your browser. Generated passwords are never transmitted to or stored on any server.

Q. Can I use generated passwords with a password manager?

A. Yes. Click 'Copy' to copy the password to your clipboard and paste it directly into 1Password, Bitwarden, LastPass, or any password manager. It also works seamlessly with browser autofill.

Q. What should I do if a site doesn't allow symbols?

A. Simply uncheck the 'Symbols' option and regenerate. A combination of uppercase, lowercase, and numbers at 16+ characters still provides strong security without any symbols.

Technical Deep Dive: Cryptographic Randomness & Password Generation

Math.random() — the browser's built-in pseudo-random number generator (PRNG) — is based on algorithms like xorshift128+ or linear congruential generation. Because it is deterministic, knowledge of the internal seed allows full prediction of future outputs, making it wholly unsuitable for security-sensitive use. This tool uses crypto.getRandomValues() from the W3C Web Cryptography API, which calls the operating system's cryptographically secure PRNG (CSPRNG): getrandom() or /dev/urandom on Linux, BCryptGenRandom on Windows, and SecRandomCopyBytes on macOS/iOS. These sources derive entropy from physical events such as hardware interrupts, thermal noise, and timing jitter.

A naive random character selection may produce outputs with an unintentional bias toward certain characters. This tool applies the Fisher-Yates (Knuth) shuffle algorithm to guarantee a uniform distribution across all positions of the generated string. Additionally, at least one character from each enabled character class (uppercase, lowercase, digits, symbols) is guaranteed to be present — verified and re-sampled after initial generation if needed.

Password strength is measured in bits of entropy: H = L × log₂(N), where L is the password length and N is the size of the character pool. The 'Strong' preset (20 characters, all character types, N = 94) yields approximately H ≈ 131 bits of entropy. At 10¹² guesses per second — the approximate throughput of a modern GPU cluster — exhaustively searching this space would require astronomically more time than the universe has existed.

The strength gauge combines entropy with character-diversity scoring. Points are awarded for length, the presence of uppercase, lowercase, digits, and symbols, producing a composite score displayed across five levels from 'Very Weak' to 'Very Strong'. This gives actionable visual feedback beyond raw bit counts.

Security & Privacy Guarantee

Generated passwords exist only in browser memory. The string produced by crypto.getRandomValues() is written to the clipboard via navigator.clipboard.writeText() when you click 'Copy' — no network communication occurs at any step.

Passwords entered into the 'Check Strength' tab are evaluated entirely by a local JavaScript scoring function. The password you type never reaches this service's servers. You can verify this by opening the DevTools Network tab and confirming zero outbound requests are made.

As a tool that handles one of the most sensitive categories of user data, client-side processing is a foundational security property. It is architecturally impossible for this service to log or analyse any password entered or generated here.

Examples, Safe Operation, and Common Mistakes

Examples

Generate a unique long password when creating a new account.
Replace reused legacy passwords with strong values stored in a password manager.
Create separate passwords per personal or business account instead of sharing one value.

Cautions

Store generated passwords in a trusted password manager.
Enable two-factor authentication for important accounts in addition to using strong passwords.
Do not paste generated passwords into shared chats, emails, or public documents.

Common Mistakes

Making passwords too short just to keep them memorable.
Reusing the same password across multiple services.
Keeping a leaked password by changing only one or two characters.