Skip to content

Password Generator Online Free

Cryptographically random passwords from the Web Crypto API. Set length, pick character classes, copy, paste into your password manager.

In your browseryour files never leave your device.

Learn more
16
4163264
Select at least one character class

About this tool

A password generator is one of those tools where the implementation actually matters. Most online generators use Math.random under the hood, which isn't cryptographically secure and isn't what you want for anything protecting real money or real data. This one uses the Web Crypto API's crypto.getRandomValues with rejection sampling to avoid modulo bias, which is the same primitive 1Password and Bitwarden use to generate vault passwords. Set the length between 4 and 64, toggle which character classes you want (uppercase, lowercase, numbers, symbols), hit regenerate. The strength meter shows actual entropy bits, not some made-up "complexity score". Everything runs in your browser. The password you generate never goes near a server, never gets logged, never enters a queue.

How to password generator online free

  1. Set the length

    Slider goes from 4 to 64 characters. For most online accounts (email, shopping, social), 16 characters is plenty. For banking, admin panels, password manager master passwords, and any account that touches money, push the slider to 20 or higher. The strength meter on top of the password display updates as you slide so you can see entropy bits change in real time.

  2. Pick character classes

    Four checkboxes: Uppercase (A-Z), Lowercase (a-z), Numbers (0-9), Symbols (!@#$ and the rest). Most sites want at least one of each. Some bank logins reject symbols entirely (an outdated security choice), in which case turn that off. Some sites cap length and require all classes, in which case shorten the slider and keep all four ticked.

  3. Click regenerate if you want a different one

    The arrow button at the top right rolls a fresh password. The result updates instantly because all the generation happens locally. There's no rate limit because there's nothing to rate-limit; it's all happening in your browser. Spam the button as many times as you want until you get a password you like the look of.

  4. Copy and paste into your password manager

    Click the copy icon next to the password. The string lands on your clipboard. Switch to your password manager, paste into the password field, save the entry. Then forget the password forever, which is the whole point of having a manager. If you don't have a password manager yet, get one (1Password, Bitwarden, KeePassXC are all good). Memorizing passwords is the problem; managers are the answer.

Why use this tool

You need a new password and you have a password manager but no built-in generator. Or you need to generate one on a machine that isn't yours, and pasting your master password into a sketchy online generator feels wrong. Or you're sitting in a browser tab waiting for a website that rejected your manager's output because it had a quote in it, and you need to roll a fresh one matching their weird rules. That's the use case. The tool is built for one job: produce a random string fast, let you copy it, get out of the way. I don't store anything. There's no history, no recently-generated list, no account. The strength meter is honest about entropy bits so you can see why "16 characters with all 4 classes" is fine for most things and why "8 characters lowercase only" is genuinely terrible. Use it as a fallback to your manager, or as your primary if you're still on the post-it-note system and want to fix that. The right workflow is: generate here, paste into your manager, save the site's URL with the password attached, then forget the password forever. The whole point of a password manager is that you never type a password again except your master one.

Features

Real randomness, not Math.random

Uses crypto.getRandomValues from the Web Crypto API with rejection sampling on each byte to avoid modulo bias. That last detail matters: naive random-mod-charset-size skews the distribution toward early characters. This implementation discards bytes above the threshold (256 minus 256 mod charset size) and re-rolls until it gets a clean byte, which keeps the output uniform across the full charset. The same primitive runs inside 1Password, Bitwarden, and KeePass; the only difference is that those managers remember the password and this tool hands it to you.

Entropy-based strength meter

The meter shows actual bits of entropy (log2 of charset size, multiplied by length) instead of vague color labels. Under 40 bits is weak, 40-60 fair, 60-80 good, 80-100 strong, 100+ very strong. A 16-character password with all four classes (94-character charset) lands around 105 bits, which is computationally infeasible to brute-force in this decade. A 12-character lowercase-only password lands at 56 bits, which a modern GPU farm cracks in days. The number is what should drive your length choice, not the colour.

Per-site rule matching

Toggle uppercase (A-Z), lowercase (a-z), numbers (0-9), and symbols (!@#$%^&*()_+-=[]{}|;:,.<>?) independently. Length slider goes from 4 to 64 characters. Whatever weird password policy a site throws at you (no symbols allowed, exactly 12 characters required, must include a digit, no consecutive letters), you can match it without leaving the page. Banks especially love rejecting symbols, even though they shouldn't; this lets you generate something that'll actually be accepted.

Stays in your browser

No network calls. No analytics on the generated string. Open dev tools, switch to the Network tab, click generate, watch nothing happen. The password exists only on your machine, in memory, until you close the tab or paste it into your manager. There's no history list saved to localStorage either; refresh the page and the past passwords are gone. This is by design, because a generator that "helpfully" saves history is one breach away from leaking everyone's vault.

One-click copy

The copy button writes straight to your clipboard via the Clipboard API. No "triple-click to select then Ctrl+C", no menus, no select-all weirdness with overflowing text. Click, paste into the password field, done. The clipboard typically auto-clears after a minute or two depending on your OS; for extra paranoia, use a clipboard manager that scrubs sensitive entries on demand. Or just paste fast.

Privacy & security

Every byte of randomness comes from crypto.getRandomValues, which pulls from your operating system's CSPRNG — the same source 1Password and Bitwarden use. The character-class selection happens in JavaScript: bytes from the CSPRNG get mapped to the alphabet you chose using rejection sampling to avoid modulo bias. The entropy estimate displayed under the password is computed locally from the alphabet size and length. The zxcvbn-style dictionary check that flags common patterns also runs entirely client-side — nothing about your generated password leaves the tab. Clipboard copy uses the Clipboard API, which writes directly to the OS clipboard.

Frequently asked questions

Is it free?
Yes. No signup, no ads.
Does the password go anywhere?
No. Web Crypto API generates it locally. There's no network call when you click generate, you can verify that in your browser's dev tools.
How long should I make it?
16 characters is fine for most things if all four character classes are on. 20+ for banking, email recovery, password manager master passwords, and admin accounts. The "8 character minimum" advice from 2005 is dangerously out of date. Modern GPUs crack 8-character mixed-class passwords in hours.
Is "correct horse battery staple" actually better than "Tr0ub4dor&3"?
Yes, if you make it long enough. The xkcd point is that four random common words have more entropy than a 9-character mangled-word password, because brute-force tools know about l33t-speak substitutions. Four random words from a 7,776-word list (the Diceware list) gives about 51 bits. Five words gives 64 bits. But for a password manager, just generate 16-20 random characters and let the manager remember it. You don't need to memorize anything except your manager's master password.
Why crypto.getRandomValues instead of Math.random?
Math.random is a pseudo-random number generator seeded from system state. It's fine for shuffling a deck in a browser game, terrible for anything cryptographic, because the seed and algorithm are predictable enough that a determined attacker with some output samples could reconstruct the state. crypto.getRandomValues pulls from the OS-level CSPRNG, which is what banking and TLS use.
Can I use these for production work systems?
Yes. The randomness primitive is the same one 1Password, Bitwarden, and KeePass use. The only difference between a passing-through generator like this and your password manager is the manager remembers passwords and this one doesn't.
What makes a password strong?
Length first, then character variety. Each additional character roughly multiplies the search space by the charset size, so a 20-character random string with mixed classes is computationally impractical to brute-force in this decade. Uniqueness matters too: a strong password reused across sites is one breach away from being useless.
Works offline?
After the page loads, yes. Disconnect Wi-Fi and click regenerate, it still works. Useful for generating passwords on a flight or in a tunnel.
Max length?
64 characters via the slider. Most sites accept 64. Banks tend to cap at 32. Government sites often cap at 20. If you need something stupidly long, generate twice and concatenate.
Should I use the same password across sites if it's a strong one?
No. Even a 30-character password is useless across multiple sites if one of them gets breached, because the breach dumps the plaintext or a crackable hash and attackers feed it into credential-stuffing tools. The strength of a password matters; the unique-per-site rule is non-negotiable. This is why password managers exist. Generate one strong unique password per site, let the manager remember it.
What about passphrases (multiple words)?
Diceware-style passphrases like "horse battery staple correct" are great for things you need to remember, like a password manager master password or a disk encryption passphrase. They have less entropy per character than random strings but more per typed unit, and they're easier to type without errors. For everything else (where the manager remembers it for you), random characters are denser and faster. This tool generates both: switch to the Passphrase tab to roll Diceware-style phrases from the full 7,776-word EFF Large wordlist (~12.92 bits per word, so 5 words ≈ 64.6 bits).
What if a site won't let me paste passwords?
Some sites disable paste on password fields with JavaScript. It's a security anti-pattern that makes password manager use harder and accomplishes nothing. Workarounds: bookmarklet to remove the disablepaste, or right-click in the field and pick "Paste". If neither works, generate a shorter password you can type quickly and complain to the site.