Password Generator

-

Entropy
Character Set Size
Estimated Strength
#Password

How Passwords Are Generated Here

This tool builds each password by drawing random values from window.crypto.getRandomValues(), the Web Crypto API's cryptographically secure pseudo-random number generator (CSPRNG) — not Math.random(), which is fast but predictable enough that its output should never be used for anything security-sensitive. Each character position is filled by using a rejection-sampling step on a random byte to pick an index into your selected character set uniformly, which avoids the subtle bias you get from a plain modulo operation on raw byte values. If you require at least one character from each selected set (uppercase, lowercase, numbers, symbols), the generator guarantees this by seeding one random position per required set with a random member from that set, then shuffling the entire password with a Fisher-Yates shuffle (also driven by the CSPRNG) so the guaranteed characters don't end up predictably clustered or fixed to specific positions.

What "Entropy" Means and Why Length Beats Complexity

Password strength is measured in bits of entropy, calculated as length × log₂(character set size). A 12-character password using all four character classes (26 + 26 + 10 + 32 = 94 possible characters) has about 12 × log₂(94) ≈ 78.7 bits of entropy. Adding four more characters increases that to roughly 105 bits — a far bigger security gain than adding one more character class to a short password. As a rough guideline, security practitioners generally consider 60+ bits adequate for most accounts and 80+ bits strong even against offline attacks with modern hardware, though the exact number depends heavily on the attacker's resources and the hashing algorithm protecting the password on the server side, so treat these thresholds as ballpark guidance rather than a hard guarantee.

Storing and Using Generated Passwords Safely

A long, random password is only useful if you can actually remember or retrieve it — use a reputable password manager rather than reusing passwords or writing them down in plain text. If you're setting up numeric PINs or need a quick way to convert between representations while managing accounts, the Base64 encode/decode tool and Roman numeral converter are handy companions for other everyday conversions.

Frequently Asked Questions

Does this tool use a cryptographically secure random number generator?

Yes. Every character is chosen using window.crypto.getRandomValues(), the browser's Web Crypto API CSPRNG, rather than Math.random(), which is not safe for generating security-sensitive values like passwords.

If I require uppercase, lowercase, numbers, and symbols, will they always appear, and in a predictable spot?

The generator guarantees at least one character from each selected set is included, then shuffles the entire password with a Fisher-Yates shuffle (also using the CSPRNG) so those required characters end up in random positions rather than a fixed, guessable pattern.