Password Generator Online Free
Cryptographically random passwords from the Web Crypto API. Set length, pick character classes, copy, paste into your password manager.
In your browser—your files never leave your device.
Learn moreSelect at least one character classAbout this tool
A password generator is one of those tools where the implementation actually matters. Most online generators use Math.random under the hood, which isn't cryptographically secure and isn't what you want for anything protecting real money or real data. This one uses the Web Crypto API's crypto.getRandomValues with rejection sampling to avoid modulo bias, which is the same primitive 1Password and Bitwarden use to generate vault passwords. Set the length between 4 and 64, toggle which character classes you want (uppercase, lowercase, numbers, symbols), hit regenerate. The strength meter shows actual entropy bits, not some made-up "complexity score". Everything runs in your browser. The password you generate never goes near a server, never gets logged, never enters a queue.
How to password generator online free
-
Set the length
Slider goes from 4 to 64 characters. For most online accounts (email, shopping, social), 16 characters is plenty. For banking, admin panels, password manager master passwords, and any account that touches money, push the slider to 20 or higher. The strength meter on top of the password display updates as you slide so you can see entropy bits change in real time.
-
Pick character classes
Four checkboxes: Uppercase (A-Z), Lowercase (a-z), Numbers (0-9), Symbols (!@#$ and the rest). Most sites want at least one of each. Some bank logins reject symbols entirely (an outdated security choice), in which case turn that off. Some sites cap length and require all classes, in which case shorten the slider and keep all four ticked.
-
Click regenerate if you want a different one
The arrow button at the top right rolls a fresh password. The result updates instantly because all the generation happens locally. There's no rate limit because there's nothing to rate-limit; it's all happening in your browser. Spam the button as many times as you want until you get a password you like the look of.
-
Copy and paste into your password manager
Click the copy icon next to the password. The string lands on your clipboard. Switch to your password manager, paste into the password field, save the entry. Then forget the password forever, which is the whole point of having a manager. If you don't have a password manager yet, get one (1Password, Bitwarden, KeePassXC are all good). Memorizing passwords is the problem; managers are the answer.
Features
Real randomness, not Math.random
Uses crypto.getRandomValues from the Web Crypto API with rejection sampling on each byte to avoid modulo bias. That last detail matters: naive random-mod-charset-size skews the distribution toward early characters. This implementation discards bytes above the threshold (256 minus 256 mod charset size) and re-rolls until it gets a clean byte, which keeps the output uniform across the full charset. The same primitive runs inside 1Password, Bitwarden, and KeePass; the only difference is that those managers remember the password and this tool hands it to you.
Entropy-based strength meter
The meter shows actual bits of entropy (log2 of charset size, multiplied by length) instead of vague color labels. Under 40 bits is weak, 40-60 fair, 60-80 good, 80-100 strong, 100+ very strong. A 16-character password with all four classes (94-character charset) lands around 105 bits, which is computationally infeasible to brute-force in this decade. A 12-character lowercase-only password lands at 56 bits, which a modern GPU farm cracks in days. The number is what should drive your length choice, not the colour.
Per-site rule matching
Toggle uppercase (A-Z), lowercase (a-z), numbers (0-9), and symbols (!@#$%^&*()_+-=[]{}|;:,.<>?) independently. Length slider goes from 4 to 64 characters. Whatever weird password policy a site throws at you (no symbols allowed, exactly 12 characters required, must include a digit, no consecutive letters), you can match it without leaving the page. Banks especially love rejecting symbols, even though they shouldn't; this lets you generate something that'll actually be accepted.
Stays in your browser
No network calls. No analytics on the generated string. Open dev tools, switch to the Network tab, click generate, watch nothing happen. The password exists only on your machine, in memory, until you close the tab or paste it into your manager. There's no history list saved to localStorage either; refresh the page and the past passwords are gone. This is by design, because a generator that "helpfully" saves history is one breach away from leaking everyone's vault.
Privacy & security
Every byte of randomness comes from crypto.getRandomValues, which pulls from your operating system's CSPRNG — the same source 1Password and Bitwarden use. The character-class selection happens in JavaScript: bytes from the CSPRNG get mapped to the alphabet you chose using rejection sampling to avoid modulo bias. The entropy estimate displayed under the password is computed locally from the alphabet size and length. The zxcvbn-style dictionary check that flags common patterns also runs entirely client-side — nothing about your generated password leaves the tab. Clipboard copy uses the Clipboard API, which writes directly to the OS clipboard.