password generator

how it works

the generator builds a password by drawing one character at a time from a pool that you control. you choose the length and which character classes can appear: lowercase letters, uppercase letters, digits, and symbols. the wider the pool and the longer the password, the harder it is to guess.

every character is picked using the browser's cryptographically secure random number generator, exposed through the standard `crypto.getRandomValues` api. this is the same primitive browsers use to seed tls handshakes and webauthn challenges. it is not the same as `Math.random`, which is fast but predictable and unsuitable for anything that touches a credential.

to avoid the modulo bias that you get when you reduce a 32-bit integer into a small character pool, the generator rejects any draw that would land in an unevenly mapped range and tries again. this keeps every character of the alphabet equally likely, which is the property your strength estimate actually relies on.

the strength indicator under the output is computed as shannon entropy: the base-2 logarithm of the pool size, multiplied by the password length. a 16-character password drawn from the full 94-character ascii pool carries about 105 bits of entropy, which is comfortably beyond the practical reach of offline brute force on commodity hardware.
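the rejection step and the strength estimate described above, as an added example that is not this tool's own source. the names `CLASSES`, `uniformIndex`, `generatePassword` and `entropyBits`, and the symbol list, are assumptions made for illustration.

```javascript
// character classes are an assumption for this example; the tool's own
// curated symbol set is not listed on the page.
const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*-_=+?',
};

// default source: the platform csprng. injectable so the logic can be tested.
const secureFill = (buf) => globalThis.crypto.getRandomValues(buf);

// uniform integer in [0, n) by rejection sampling over 32-bit draws.
function uniformIndex(n, fill = secureFill) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) {
    throw new RangeError('pool size must be an integer in 1..2^32');
  }
  // largest multiple of n that fits in 2^32. draws at or above it fall in
  // the unevenly mapped range and are discarded, never reduced.
  const limit = 2 ** 32 - (2 ** 32 % n);
  const buf = new Uint32Array(1);
  for (;;) {
    fill(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

function generatePassword(length, classNames, fill = secureFill) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  const pool = classNames.map((name) => {
    if (!Object.hasOwn(CLASSES, name)) throw new RangeError(`unknown class: ${name}`);
    return CLASSES[name];
  }).join('');
  if (pool.length === 0) throw new RangeError('empty character pool');
  let out = '';
  for (let i = 0; i < length; i++) out += pool[uniformIndex(pool.length, fill)];
  return out;
}

// strength estimate as described: length * log2(pool size), in bits.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}
```

with a pool of 10, the six highest 32-bit values are the ones rejected; for a pool whose size is a power of two, nothing is ever rejected.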

use cases

  • creating a new account

    when you sign up somewhere new and want a password your password manager will store but you will never have to type, generate at the longest length the site accepts, with all character classes on.

  • rotating a leaked credential

    after a breach notification or a have i been pwned hit, replace the leaked password with a fresh random one. do not reuse a pattern based on the old one.

  • service accounts and api consumers

    when you provision a non-human account or a backend integration, a 32-character password with symbols disabled is often the safest compromise between strength and copy-paste friendliness.

  • wifi and router secrets

    home network credentials live for years and get typed by guests on phones. a 20-character password with letters and digits, no symbols, is usually the right balance.

  • temporary passphrases

    for one-time installer secrets or short-lived tokens, even 12 characters with full character classes is enough, as long as the value is rotated when the task is done.

limits and honest caveats

this tool does not store your passwords. it does not sync them across devices, it does not remember them between visits, and it does not have a vault. if you close the tab, the value is gone. that is intentional, but it means you must paste the result into a password manager before navigating away.

the generator does not check whether a generated string has appeared in a known breach corpus, because that check would require either a network call to a third party or shipping a multi-gigabyte database to your browser. random output of sufficient length is statistically extremely unlikely to collide with leaked passwords, but the guarantee is probabilistic, not absolute.

some sites silently truncate passwords past a hidden length limit, or strip specific symbol characters during sign-up but accept them on login. if you ever find yourself locked out after using a long generated password, try a shorter version with only letters and digits before assuming the password is wrong.

a strong password protects you against credential guessing. it does not protect you against phishing, against malware on your own device, or against a service that stores passwords in plaintext on its side. those are different problems with different defences, mainly two-factor authentication and up-to-date software.

privacy of this tool

every step happens locally in your browser. the page contains a small piece of javascript that calls the browser's secure random number generator, builds the password in memory, and renders it to the screen. no part of the generation logic runs on a server.

we never see what you generate. there is no api call, no logging endpoint, no analytics event that captures the output. the only network activity tied to this page is the initial load of the site itself and, if you have given consent, anonymous aggregate analytics about page views and clicks. that telemetry never includes the passwords themselves.

when you use the copy button, the generated value is written to your operating system clipboard via the standard clipboard api. some operating systems share clipboard history across devices when you have that feature turned on; if your threat model cares about that, paste the password into your password manager and clear the clipboard before doing anything else.

frequently asked questions

  • how long should my password be?

    for a password you let a manager remember, aim for at least 16 characters with all four character classes enabled. for a password you actually have to type, 12 characters with letters and digits is a reasonable floor. anything below 10 characters should be considered weak today, regardless of complexity.

  • are these passwords really random?

    yes. the generator uses `crypto.getRandomValues`, the standard cryptographically secure random number generator built into every modern browser. it is suitable for generating credentials and is the same primitive used by webauthn and tls. the older `Math.random` function is not used anywhere in this tool.

  • why does the symbol set look limited?

    we use a curated set of symbols that are accepted by the vast majority of websites and easy to type on most keyboard layouts. some unusual symbols are technically valid but get silently rejected by sign-up forms, which leads to confusing failures. you can always paste the generated password into another tool if you need a wider charset.

  • is the generated password unique?

    mathematically every draw is independent, so two consecutive generations of the same length and options have effectively zero chance of colliding. for a 16-character password from the full ascii pool, the space of possible values is around 2 to the 105th power, far larger than any practical lookup table.

  • can i generate passphrases instead of random strings?

    not yet. passphrases built from a curated wordlist are easier to type and almost as strong, and they are on the roadmap for this tool. for now, this generator focuses on random character strings, which is what most websites and api consumers expect.

  • do you log or save the passwords i generate?

    no. the generator runs entirely in your browser. nothing is sent to a server, nothing is stored in cookies or local storage, and nothing appears in the analytics events we collect. when you close the tab, the password is forgotten.

  • what should i do with the password after i copy it?

    paste it directly into your password manager and save it together with the username and the site url. do not paste it into a notes app, an email draft, or a chat window. on shared machines, clear your clipboard once the password is stored.

  • why does the strength meter sometimes drop when i add length?

    it does not. the meter is monotonic in length when the character pool stays the same. if the bar appears to drop, you almost certainly disabled a character class at the same time, which shrank the pool. re-enable the class and the meter will recover.