Password Generator

Generate strong, cryptographically random passwords instantly. Choose length and character types, see real-time strength and entropy. Bulk generation included. 100% private — nothing sent anywhere.

Cryptographically Random
Entropy & Strength
Bulk Generator
100% Private
Cryptographically secure · Web Crypto API · Browser-only
Length: 16
Character Types:
Uppercase: A B C … Z
Lowercase: a b c … z
Numbers: 0 1 2 … 9
Symbols: ! @ # $ % & *
No Ambiguous: Exclude 0 O l I 1
No Repeating: Each char once only
Password Security Guide
Is this password generator safe to use?
Yes. This generator uses your browser's built-in crypto.getRandomValues() API, which is cryptographically secure and produces truly unpredictable output. No password is sent to any server, logged, or stored anywhere. Everything runs locally in your browser. You can disconnect from the internet after the page loads and the tool will continue to work. The source code is visible — right-click the page and inspect it to verify yourself.
How long should a password be?
For most accounts: 16 characters minimum. For sensitive accounts like banking, email, or work systems: 20 or more characters. Length matters more than complexity. A random 20-character lowercase-only password is mathematically stronger than a complex 8-character one. Our default of 16 characters with all character types produces approximately 105 bits of entropy — enough to resist any realistic brute-force attack for billions of years.
What is password entropy and how is it calculated?
Entropy measures unpredictability in bits. Formula: bits = log2(pool_size) × length. With all character types enabled: pool = ~95 characters, log2(95) ≈ 6.57 bits per character. A 16-character password: 6.57 × 16 ≈ 105 bits. Each additional bit doubles the difficulty to crack. Under 40 bits is weak, 60–80 is decent for low-risk accounts, 100+ is strong, 128+ is overkill for most use cases. Entropy drops when you exclude character types or enable no-repeating (which reduces the pool as characters are used).
Should I use a password manager?
Yes, always. A password manager (Bitwarden is free and open-source, 1Password and Dashlane are excellent paid options, KeePass for offline use) lets you use a unique, complex password for every account without memorizing any of them. Credential stuffing — where an attacker uses leaked passwords from one site to break into others — is one of the most common attack vectors. A password manager completely eliminates this risk. Use a strong master password and enable two-factor authentication on the manager itself.
What are ambiguous characters and when should I exclude them?
Ambiguous characters are those that look identical or very similar depending on the font: 0 (zero) and O (capital O), 1 (one), l (lowercase L), and I (uppercase i). Enable "No Ambiguous" when you need to type the password by hand — on a TV, gaming console, ATM, or any device where you cannot paste. It slightly reduces entropy (removes about 5 characters from the pool) but prevents frustrating misreads.
What is two-factor authentication and should I use it?
Two-factor authentication (2FA) adds a second verification step beyond your password: a time-based code from an app (Google Authenticator, Authy), an SMS code, a hardware key (YubiKey), or a biometric. Even if your password is compromised, an attacker cannot access your account without the second factor. Always enable 2FA on critical accounts: email, banking, password manager, work systems, and any account with payment information. An authenticator app is more secure than SMS, which is vulnerable to SIM-swapping attacks.
What makes a passphrase different from a random password?
A passphrase is a sequence of random words: for example "correct-horse-battery-staple" (from the famous xkcd comic). Four random words from a 7,776-word list (Diceware) give approximately 51 bits of entropy. Five words give 64 bits. Six words give 77 bits. Passphrases are easier to memorize than random character strings and can be typed without a password manager. However, a 16-character random password with full character types still offers more entropy (105 bits) than a 5-word passphrase. Both approaches are valid. Use passphrases for accounts you need to type from memory, random passwords for everything stored in a manager.
How often should I change my passwords?
Modern guidance from NIST (the US standards body) no longer recommends regular mandatory password changes. Frequent rotation causes people to choose weaker, predictable passwords (Password1, Password2...). You should change a password when: you know or suspect it has been compromised, a service you use reports a data breach (check haveibeenpwned.com), or you have shared it with someone. Strong, unique passwords that are not reused are the priority. If you are reusing passwords across sites, stop immediately — generate a new unique password for each account and store them in a password manager.
What is the Web Crypto API and why does it matter for password generation?
crypto.getRandomValues() is a browser-native API that fills an array with cryptographically secure random numbers using the operating system's entropy sources (hardware events, thermal noise, etc.). It is fundamentally different from Math.random(), which is a pseudo-random number generator designed for speed, not security. Math.random() output is predictable if the attacker knows the seed. crypto.getRandomValues() output is computationally indistinguishable from true randomness. This tool exclusively uses the secure API. Never use Math.random() for anything security-related.
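The following is an added example, not this tool's own source: one way to draw password characters from crypto.getRandomValues() without modulo bias, together with the entropy formula from the entropy answer above, including the reduction caused by "No Repeating". The character sets, function names and option names are assumptions made for illustration.

```javascript
// Added example (not the page's code). In Node, fall back to require() if no global crypto.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Assumed character sets: all 32 ASCII punctuation marks, giving a pool of 94.
const SETS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
};
const AMBIGUOUS = new Set('0Ol1I'); // the five characters the "No Ambiguous" option excludes

function buildPool({ sets = Object.keys(SETS), noAmbiguous = false } = {}) {
  const chars = [...sets.map((s) => SETS[s]).join('')];
  return noAmbiguous ? chars.filter((c) => !AMBIGUOUS.has(c)) : chars;
}

// Uniform integer in [0, n) by rejection sampling. A plain `x % n` would favour
// low indices whenever 2^32 is not a multiple of n.
function randomIndex(n) {
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do { webCrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, { noRepeat = false, ...poolOpts } = {}) {
  const pool = buildPool(poolOpts);
  if (noRepeat && length > pool.length) throw new RangeError('length exceeds pool size');
  let out = '';
  for (let i = 0; i < length; i++) {
    const idx = randomIndex(pool.length);
    out += pool[idx];
    if (noRepeat) pool.splice(idx, 1); // the pool shrinks as characters are used
  }
  return out;
}

// bits = log2(pool_size) * length. With noRepeat, position i draws from
// (pool_size - i) characters, so the total is slightly lower.
function entropyBits(poolSize, length, noRepeat = false) {
  let bits = 0;
  for (let i = 0; i < length; i++) bits += Math.log2(noRepeat ? poolSize - i : poolSize);
  return bits;
}
```

entropyBits(95, 16) reproduces the roughly 105 bits quoted above; passing true as the third argument shows how much "No Repeating" costs for a given pool and length.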
Can I use generated passwords for everything?
Yes, with one exception: your password manager's master password. That one you need to memorize, since it is not stored anywhere. For the master password, use a long passphrase (6+ random words) that you can remember and type. Use a 24+ character random password generated here as your master password only if you are certain you can remember it or have a secure offline backup. For every other account, let your password manager store the generated password and never reuse it. The single most impactful security action most people can take is switching from reused passwords to unique ones managed in a password manager.