How long should my password be?

16 characters with mixed classes is a comfortable default (~105 bits of entropy). Go to 20+ for master passwords, SSH key passphrases, or anything that protects a long-lived secret.

Password or passphrase — which is stronger?

Per character, random passwords are much denser. A 20-character random password ≈ 131 bits; a 6-word passphrase from this tool ≈ 48 bits. Both defeat any realistic brute-force attack, but use random passwords inside a manager and passphrases when a human will type them.

Why exclude look-alike characters?

When someone has to read a password off a screen or paper, 0/O and 1/l/I get confused constantly. Turn the toggle on for human-handled passwords; leave it off when a manager will handle the string — stripping characters shrinks the alphabet and lowers entropy per slot.

Can I use these passwords for encryption keys?

Only after stretching them through a proper KDF (scrypt, Argon2, PBKDF2). A generated password is a high-entropy seed, but symmetric encryption expects a fixed-size key derived with a slow hash and a salt.

$password-generator

Q: Are the passwords actually random?

Yes. The tool uses crypto.getRandomValues with rejection sampling so every character is drawn uniformly from the selected pool. There is no seed, no PRNG state reuse, and nothing is sent to a server.

Generators

Generate cryptographically secure random passwords or memorable passphrases. Tune length, character classes, and bulk count. Runs entirely in your browser via the Web Crypto API.

Length20

4128

Character classes

Lowercase (a–z)Uppercase (A–Z)Digits (0–9)Symbols (!@#$…)

Options

Exclude look-alikes (0/O, 1/l/I, …)Require at least one of each selected class

How many1 – 100

5 results130 bits of entropyExcellent

12<^Pc)E+5r{PYR%&7Vq)
2rl-)7{e7Ad,Z,Nt#G3GM
3uR71Hl!u9M0TbWp;V>-9
49M#@/3W7IyWIMBu@vD3e
5@P<e4X,8CLg@GXAbXTLC

How to generate a strong password

A password is only as strong as its entropy — the number of random bits that went into picking it. This tool uses the browser's Web Crypto API (crypto.getRandomValues) with rejection sampling so every character is drawn uniformly from the selected pool. Nothing is ever sent to a server.

Pick a mode. Random passwords maximize entropy per character — best when a manager will store them for you. Passphrases are easier to type on a phone and easier to read aloud when you need to share them once.
Tune the length.Aim for at least 16 characters for new accounts, or 20+ if the password will guard a long-lived secret (SSH key passphrase, encrypted backup). Keep “require at least one of each selected class” on so sites with strict rules accept the output on the first try.
Exclude look-alikes if someone will transcribe it. The toggle strips characters that are easy to confuse in common fonts (0/O, 1/l/I, plus a few ambiguous symbols). Leave it off for machine-handled passwords — stripping characters lowers entropy per slot.
Generate in bulk. Crank up the count to get a stack of candidates, then pick the one you like. Use the Copy all or Download button to keep the full list when seeding test users or rotating a fleet of service accounts.

Password vs passphrase — which to pick?

A 20-character password with all four classes enabled has roughly 131 bits of entropy — effectively impossible to brute-force. A 6-word passphrase from the 256-word list here has ~48 bits, or ~64 bits at 8 words. Both are strong enough for everyday accounts. Choose passphrases when you'll need to type the secret on a touchscreen or dictate it to a phone-support rep; choose random passwords when a password manager is in the loop.

Never roll your own hashing to “protect” a password you generate here. Sites store passwords using bcrypt, scrypt, or Argon2 — dedicated slow-hash functions with built-in salting. Plain SHA-256 or MD5 of a password is the wrong tool for storage.