How Passwords Are Generated
This generator uses window.crypto.getRandomValues(), the browser's cryptographically secure random number generator. It builds a character pool from your selected options, then draws characters one at a time from the pool using a random index derived from the secure RNG. At least one character from each enabled group is guaranteed to appear in the final password.
Password Strength Scoring
The strength bar estimates entropy: the number of bits required to represent all possible passwords of your chosen length and character set. Below 40 bits is Weak; 40-59 is Fair; 60-79 is Strong; 80 or more bits is Very Strong. At 20 characters with all four character types (~96 characters in the pool), entropy exceeds 130 bits, which is far beyond practical brute-force range.
Frequently Asked Questions
Yes. This generator uses the browser's built-in cryptographically secure random number generator (window.crypto.getRandomValues), which is the same API used by security-focused password managers. All generation happens locally in your browser. No password or input is sent to any server, stored in a database, or logged anywhere.
Security guidelines from NIST (the US National Institute of Standards and Technology) recommend passwords of at least 15 characters for general use. Longer is always better: a 20-character random password is exponentially harder to crack than a 12-character one, even if both include special characters. Use a password manager to store long, unique passwords for every account.
Including uppercase letters, lowercase letters, numbers, and special characters significantly increases the number of possible combinations (entropy), making a brute-force attack much harder. However, some sites restrict special characters. This generator lets you choose which character types to include, so you can match any site's requirements.
A strong password is long (at least 15 characters), random (not based on words, names, or dates), unique (never reused across accounts), and complex (mixing character types). The most important factor is length and randomness, not complexity alone. A 20-character random lowercase string is stronger than an 8-character string with symbols.
A password manager stores unique, randomly generated passwords for every account so you only need to remember one master password. Without a manager, people tend to reuse passwords, which means one breach exposes all accounts. Popular options include Bitwarden (free, open source), 1Password, and Dashlane.
Related Calculators
More tools in the Developer Tools category.