Skip to content

Password Generator Online Free

Cryptographically random passwords from the Web Crypto API. Set length, pick character classes, copy, paste into your password manager.

In your browseryour files never leave your device.

Learn more
16
4163264
Select at least one character class

About this tool

A password generator is one of those tools where the implementation actually matters. Most online generators use Math.random under the hood, which isn't cryptographically secure and isn't what you want for anything protecting real money or real data. This one uses the Web Crypto API's crypto.getRandomValues with rejection sampling to avoid modulo bias, which is the same primitive 1Password and Bitwarden use to generate vault passwords. Set the length between 4 and 64, toggle which character classes you want (uppercase, lowercase, numbers, symbols), hit regenerate. The strength meter shows actual entropy bits, not some made-up "complexity score". Everything runs in your browser. The password you generate never goes near a server, never gets logged, never enters a queue.

How to password generator online free

  1. Set the length

    Slider goes from 4 to 64 characters. For most online accounts (email, shopping, social), 16 characters is plenty. For banking, admin panels, password manager master passwords, and any account that touches money, push the slider to 20 or higher. The strength meter on top of the password display updates as you slide so you can see entropy bits change in real time.

  2. Pick character classes

    Four checkboxes: Uppercase (A-Z), Lowercase (a-z), Numbers (0-9), Symbols (!@#$ and the rest). Most sites want at least one of each. Some bank logins reject symbols entirely (an outdated security choice), in which case turn that off. Some sites cap length and require all classes, in which case shorten the slider and keep all four ticked.

  3. Click regenerate if you want a different one

    The arrow button at the top right rolls a fresh password. The result updates instantly because all the generation happens locally. There's no rate limit because there's nothing to rate-limit; it's all happening in your browser. Spam the button as many times as you want until you get a password you like the look of.

  4. Copy and paste into your password manager

    Click the copy icon next to the password. The string lands on your clipboard. Switch to your password manager, paste into the password field, save the entry. Then forget the password forever, which is the whole point of having a manager. If you don't have a password manager yet, get one (1Password, Bitwarden, KeePassXC are all good). Memorizing passwords is the problem; managers are the answer.

Features

Real randomness, not Math.random

Uses crypto.getRandomValues from the Web Crypto API with rejection sampling on each byte to avoid modulo bias. That last detail matters: naive random-mod-charset-size skews the distribution toward early characters. This implementation discards bytes above the threshold (256 minus 256 mod charset size) and re-rolls until it gets a clean byte, which keeps the output uniform across the full charset. The same primitive runs inside 1Password, Bitwarden, and KeePass; the only difference is that those managers remember the password and this tool hands it to you.

Entropy-based strength meter

The meter shows actual bits of entropy (log2 of charset size, multiplied by length) instead of vague color labels. Under 40 bits is weak, 40-60 fair, 60-80 good, 80-100 strong, 100+ very strong. A 16-character password with all four classes (94-character charset) lands around 105 bits, which is computationally infeasible to brute-force in this decade. A 12-character lowercase-only password lands at 56 bits, which a modern GPU farm cracks in days. The number is what should drive your length choice, not the colour.

Per-site rule matching

Toggle uppercase (A-Z), lowercase (a-z), numbers (0-9), and symbols (!@#$%^&*()_+-=[]{}|;:,.<>?) independently. Length slider goes from 4 to 64 characters. Whatever weird password policy a site throws at you (no symbols allowed, exactly 12 characters required, must include a digit, no consecutive letters), you can match it without leaving the page. Banks especially love rejecting symbols, even though they shouldn't; this lets you generate something that'll actually be accepted.

Stays in your browser

No network calls. No analytics on the generated string. Open dev tools, switch to the Network tab, click generate, watch nothing happen. The password exists only on your machine, in memory, until you close the tab or paste it into your manager. There's no history list saved to localStorage either; refresh the page and the past passwords are gone. This is by design, because a generator that "helpfully" saves history is one breach away from leaking everyone's vault.

Privacy & security

Every byte of randomness comes from crypto.getRandomValues, which pulls from your operating system's CSPRNG — the same source 1Password and Bitwarden use. The character-class selection happens in JavaScript: bytes from the CSPRNG get mapped to the alphabet you chose using rejection sampling to avoid modulo bias. The entropy estimate displayed under the password is computed locally from the alphabet size and length. The zxcvbn-style dictionary check that flags common patterns also runs entirely client-side — nothing about your generated password leaves the tab. Clipboard copy uses the Clipboard API, which writes directly to the OS clipboard.

Frequently asked questions

Is it free?
Yes. No signup, no ads.
Does the password go anywhere?
No. Web Crypto API generates it locally. There's no network call when you click generate, you can verify that in your browser's dev tools.
How long should I make it?
16 characters is fine for most things if all four character classes are on. 20+ for banking, email recovery, password manager master passwords, and admin accounts. The "8 character minimum" advice from 2005 is dangerously out of date. Modern GPUs crack 8-character mixed-class passwords in hours.
Is "correct horse battery staple" actually better than "Tr0ub4dor&3"?
Yes, if you make it long enough. The xkcd point is that four random common words have more entropy than a 9-character mangled-word password, because brute-force tools know about l33t-speak substitutions. Four random words from a 7,776-word list (the Diceware list) gives about 51 bits. Five words gives 64 bits. But for a password manager, just generate 16-20 random characters and let the manager remember it. You don't need to memorize anything except your manager's master password.
Why crypto.getRandomValues instead of Math.random?
Math.random is a pseudo-random number generator seeded from system state. It's fine for shuffling a deck in a browser game, terrible for anything cryptographic, because the seed and algorithm are predictable enough that a determined attacker with some output samples could reconstruct the state. crypto.getRandomValues pulls from the OS-level CSPRNG, which is what banking and TLS use.