Password Generator
Generate strong, random passwords in your browser using the Web Crypto API. Configurable length, character classes, and exclusions. Nothing is sent anywhere.
How this generator works in your browser
Every password is built locally with the Web Crypto API. When you click Generate, your browser calls crypto.getRandomValues to draw random bytes from the operating system's CSPRNG, then maps each byte to a character from the pool you selected. Because 256 is rarely a multiple of the pool size, a plain byte % poolSize mapping favours the lower-numbered characters (with a 95-character pool, for example, the first 66 characters would be drawn 50% more often than the remaining 29). We use rejection sampling instead: any byte at or above the largest multiple of the pool size that fits in a byte is discarded and redrawn, so every character in the pool is exactly equally likely. Modulo bias is small, but it is real, and we'd rather not ship it.
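The bias described above can be measured exactly without drawing any random numbers: walk every possible byte value 0..255 once and count where each mapping sends it. This is an added example, not Toolcroft's generator code; the 95-character pool is an assumption standing in for "all four classes".

```javascript
// Added example (not Toolcroft's code): why "byte % poolSize" is biased and how
// rejection sampling removes the bias. Rather than drawing random bytes, this walks
// every byte value 0..255 exactly once, so the histograms are exact, not sampled.

// Largest multiple of poolSize that fits in one byte. Bytes at or above this
// limit are the ones the rejection sampler discards and redraws.
function acceptLimit(poolSize) {
  if (!Number.isInteger(poolSize) || poolSize < 1 || poolSize > 256) {
    throw new RangeError('poolSize must be an integer in 1..256');
  }
  return 256 - (256 % poolSize);
}

// Naive mapping: every byte is used, so the low indices get one extra hit
// whenever 256 is not a multiple of poolSize.
function moduloHistogram(poolSize) {
  const counts = new Array(poolSize).fill(0);
  for (let b = 0; b < 256; b++) counts[b % poolSize]++;
  return counts;
}

// Rejection sampling: bytes >= acceptLimit are thrown away, so every index
// receives exactly acceptLimit / poolSize hits.
function rejectionHistogram(poolSize) {
  const limit = acceptLimit(poolSize);
  const counts = new Array(poolSize).fill(0);
  let rejected = 0;
  for (let b = 0; b < 256; b++) {
    if (b >= limit) { rejected++; continue; }
    counts[b % poolSize]++;
  }
  return { counts, rejected };
}

// How much more often the most frequent index appears than the least frequent.
function biasRatio(counts) {
  return Math.max(...counts) / Math.min(...counts);
}

// Worked numbers for an assumed 95-character pool (26 + 26 + 10 + 33 printable ASCII).
const POOL = 95;
console.log('accept limit:', acceptLimit(POOL));                      // 190
console.log('modulo bias ratio:', biasRatio(moduloHistogram(POOL)));  // 1.5
const rej = rejectionHistogram(POOL);
console.log('rejection bias ratio:', biasRatio(rej.counts),           // 1
            'bytes rejected:', rej.rejected);                         // 66
```

With a 95-character pool, 256 = 2 × 95 + 66, so modulo mapping hands the first 66 characters three hits each and the rest two: the 1.5 ratio printed above. Rejection throws away 66 of every 256 bytes (about a quarter, cheap next to the cost of a getRandomValues call) and the ratio drops to exactly 1. A pool whose size divides 256 (64 characters, say) shows no bias with either method, which is why some generators pick such a pool size instead of sampling with rejection.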
Nothing is transmitted. No analytics event fires when you generate. The page itself loads JavaScript from Toolcroft and ads from Google AdSense, but the password you see is computed inside your browser tab and lives only there. Open the Network tab in your browser's developer tools, click Generate, and watch: no request goes out.
What makes a strong password
Strength comes from two things: the size of the character pool you draw from and the length of the password. In bits, it is length × log2(pool size). A 12-character password from lowercase letters alone has about 56 bits of entropy (12 × log2 26). The same length using all four classes (uppercase, lowercase, digits, symbols; a pool of roughly 95 characters) jumps to about 78 bits. Pushing length to 20 with all four classes lands above 130 bits - comfortably beyond what any practical attacker can brute-force, even with offline access to a stolen hash.
The strength bar under each generated password shows the bits-of-entropy estimate for the pool and length you picked. Anything in the green band is fine for everyday accounts; reserve the longest options for password-manager master passwords, encryption keys, and similar high-value secrets.
How long should a password be?
For routine accounts protected by a sensible login system, 16 characters from a mixed pool is plenty. Bumping to 20 buys you significant headroom for very little typing cost, especially if you keep the password in a manager and rarely type it by hand. Master passwords for a password vault or whole-disk encryption deserve 24 or more. Those are single points of failure, and length is the cheapest defence available.
Some sites still cap password length at 16 or even 12 (NIST SP 800-63B says verifiers should accept at least 64 characters). That's their problem, not yours. Generate to the cap and move on; the strength you actually get is set by whichever is smaller, the site's cap or the length you chose.
When the exclusion options matter
- Exclude ambiguous (I l 1 O 0) is worth keeping on if you'll ever read the password off a screen and type it on another device. The security cost at 16+ characters is negligible.
- Exclude similar (curly braces, pipe, double-quote, backtick) helps if you'll paste the password into places that give those characters special meaning, such as shell scripts or YAML configs, where they get mangled or need escaping.
- Custom exclude covers the case where a particular site rejects a specific character. Type the offender(s) into the box and regenerate.
Frequently asked questions
Can the site see my password?
No. The password is generated and held only in your browser tab. Nothing is uploaded. Confirm in your browser's developer tools (Network tab) before you trust us.
Are these passwords cryptographically random?
Yes. Each character is drawn with crypto.getRandomValues using rejection sampling.
Math.random is never used: it is not a cryptographically secure generator and its output can be predicted from earlier outputs.
Why do I need a different password for every site?
Because breaches happen, and credential-stuffing attacks try every leaked username and password against every other site. A unique random password per site contains the blast radius. A password manager makes "unique per site" practical.
Why exclude I, l, 1, O, and 0 by default?
In many fonts these are easy to confuse. Excluding them removes a common transcription error without weakening a 16+ character password in any meaningful way.
Password manager integration
Even the strongest generated password is useless if written on a sticky note or reused across sites. The recommended workflow is:
- Generate a password in this tool.
- Immediately copy and paste it into your password manager (Bitwarden, 1Password, Dashlane, KeePass, etc.) before navigating away.
- Let the password manager auto-fill it going forward - never type it by hand.
A password manager also enables a unique password for every account with no memory burden - the single most impactful security improvement most people can make.
NIST 2017 password guidelines
NIST Special Publication 800-63B (first published 2017; a revision 4 draft followed in 2024) significantly revised official password guidance. Key recommendations that changed the industry:
- No mandatory complexity rules: requiring uppercase + lowercase + digit + symbol does not meaningfully improve security and leads users to predictable patterns (Password1!). Length is more important than composition.
- No periodic rotation without cause: forcing monthly or quarterly password changes causes users to make small, predictable modifications (Password1 -> Password2). Change passwords only when there is evidence of compromise.
- Screen against breached passwords: verifiers should check new passwords against lists of commonly used and known-compromised values (such as Have I Been Pwned, HIBP) and reject matches, regardless of how complex the password looks.
- Allow all printable ASCII and Unicode: blocking spaces or special characters is a legacy restriction that reduces entropy unnecessarily.