What is Password Generator?

The Password Generator creates cryptographically secure random passwords, passphrases, and PINs using your device's built-in crypto API. Switch between Password mode (customize length and character types), Passphrase mode (memorable word combinations), and PIN mode (4-12 digit numeric codes), and generate several at once. Your passwords never leave your device.

In Password mode the length is adjustable from 8 to 128 characters, and the four character classes (uppercase, lowercase, digits, 26 symbols) toggle on or off, with an option to exclude similar-looking characters. Passphrase mode strings together random words with a separator you choose, plus optional toggles to capitalize each word or drop a digit into one word for sites that demand a number. PIN mode produces purely numeric codes of 4 to 12 digits for phone locks, door codes, and bank cards. Generate up to 10 at once, then copy one, copy all, or download the batch as a .txt file. The live entropy reading turns rose, amber, emerald, or violet so you see strength changes as you adjust settings.

How to use

1. Choose Password, Passphrase, or PIN mode, set the length (8-128 characters), word count, or digit count, and pick which character types or options to include.
2. Click Generate to create a new password, or generate up to 10 at once to choose from.
3. Copy a result to the clipboard or download the batch. The strength meter shows how secure each one is.

When to use

• Setting up a new account when the site you're signing up to has no built-in password suggestion (most non-iCloud apps).
• Bulk-generating a list of unique passwords for staff onboarding or a batch of shared servers.
• Replacing a leaked password fast after a breach notification when a manager isn't installed yet.

Result

A 16-character password with all character types like 'k9$Bm2!xQp7#wL4n' has approximately 105 bits of entropy, which would take centuries to crack with current technology.

FAQ

What length should I pick for a website login versus a server root password?

16 characters with all four classes is fine for a website (about 105 bits of entropy). For server root, RADIUS, or anything an attacker can grind offline, jump to 24 or 32 characters since you'll paste rather than type these.

Why does my password get rejected for having a symbol the site doesn't allow?

The generator uses the safe set !@#$%^&*()-_=+[]{}|;:,.<>? but some banks block characters like < > ; & to avoid SQL injection legacy bugs. Turn off symbols, raise length to 24, and you'll still beat their rules on strength.

Are these passwords really random, or is the same password generated each time I open the page?

Each click runs crypto.getRandomValues, the same hardware-backed RNG that TLS handshakes and disk encryption keys use. Even regenerating immediately gives a completely different output, and nothing is logged or stored anywhere.

Will the downloaded .txt file be saved anywhere besides my device?

No, the file is created in memory and saved straight to your local Downloads folder. Nothing leaves your machine. Delete it after importing into your manager, because plaintext password files are the easiest credential leak.

Why does the strength meter turn violet instead of green for a very strong password?

We use four tiers: rose under 40 bits (weak), amber 40-59 (fair), emerald 60-79 (strong), violet 80+ (very strong). Violet is the top tier because emerald felt too plain and we wanted a clear visual stop at the practical-overkill threshold.

Related Tools