Password Generator
Generate cryptographically secure passwords & passphrases
How it works
This generator uses crypto.getRandomValues(), the Web Crypto API built into every modern browser. It draws entropy from your operating system's cryptographic random number generator (e.g., /dev/urandom on Linux, CryptGenRandom on Windows). This is the same source of randomness used by TLS, SSH, and other security-critical protocols. No Math.random() is used anywhere — every bit of output is cryptographically secure.
Frequently Asked Questions
Are these passwords truly random?
Yes. This tool uses crypto.getRandomValues(), the Web Crypto API built into every modern browser. It draws entropy from the operating system's cryptographic random number generator (e.g., /dev/urandom on Linux, CryptGenRandom on Windows). This is the same source of randomness used by TLS, SSH, and other security-critical software.
Is my generated password sent to any server?
No. All password generation happens entirely in your browser using JavaScript. Zero network calls are made with your password data — no fetch, no XMLHttpRequest, no WebSocket, no beacon. Your passwords exist only in browser memory and are never stored in localStorage, sessionStorage, or cookies.
Should I use a password or a passphrase?
Both are secure when generated randomly. Passwords are shorter but harder to memorize. Passphrases like tiger-ocean-bridge-castle are easier to remember and type while still providing excellent entropy. A 4-word passphrase from a 200-word list provides about 31 bits of entropy; use 5-6 words for higher security.
How long should my password be?
At minimum 12 characters, but 16 or more is recommended. Longer passwords exponentially increase the number of possible combinations an attacker must try. With all character types enabled (uppercase, lowercase, numbers, symbols), a 16-character password has over 1030 possible combinations.