Password Generator

Why I Built This Password Generator

I needed a password generator I could trust. Most online generators either look suspicious, require signup, or don't explain how they work. This tool uses the Web Crypto API for proper randomness and runs entirely in your browser. No passwords are ever sent anywhere.

The entropy display is what makes this tool actually useful for me. Instead of vague "strong" or "weak" labels, I can see exactly how many bits of entropy my password has. When I'm setting up a master password or encryption key, I want to know the math, not just a color bar.

What I Actually Use This For

• Service Passwords - 16-24 character passwords for web services
• Master Passwords - 32+ character passwords for password managers
• API Keys - Long, random strings for development
• Encryption Passphrases - High-entropy strings for disk encryption
• Temporary Passwords - Quick passwords for testing or sharing

I often use this alongside the Hash Generator when I need to create password hashes for configuration files, and the UUID Generatorfor generating unique identifiers.

Understanding Password Strength

Here's how I think about password strength:

• Weak (<40 bits) - Can be cracked quickly with modern hardware. Never use for anything important.
• Medium (40-59 bits) - Offers basic protection but won't survive a determined attack. Fine for low-value accounts.
• Strong (60-79 bits) - Good for most purposes. Would take years to crack with current technology.
• Very Strong (80+ bits) - Practically uncrackable. Use for master passwords and encryption keys.

The Math Behind Entropy

Entropy is calculated as log2(charset_size ^ length). A 16-character password using uppercase, lowercase, numbers, and symbols (88 characters) has about 103 bits of entropy. Each additional character type or length increase multiplies the number of possible combinations.

For reference, Bitcoin private keys use 256 bits of entropy. A 40-character password with full character set exceeds that. The universe will end before such a password could be brute-forced.

Best Practices I Follow

After years of dealing with security breaches and password resets, here's what I've learned:

• Use a password manager - There's no way to remember strong, unique passwords for every service. I use Bitwarden.
• One password per service - Never reuse passwords. When one site gets breached, attackers try those credentials everywhere.
• 16+ characters minimum - Length beats complexity. A 20-character lowercase password is stronger than an 8-character one with symbols.
• Exclude ambiguous characters for manual entry - If I need to type a password on a phone or read it to someone, avoiding 0/O/l/1/I saves frustration.
• Generate, don't create - Humans are terrible at randomness. Let the computer do it.

Why Browser-Based Generation is Safe

The Web Crypto API provides the same quality of randomness as your operating system. It's used by banks, government agencies, and security professionals. Your browser doesn't send the random numbers anywhere - they're generated locally and stay on your machine.

This is actually more secure than many desktop password generators because the code is auditable - you can open browser dev tools and see exactly what's happening. There's no binary to trust, no installation that could be compromised.

Related Articles

• Password Security: Why Random Beats Clever Every Time
• Secure Password Hashing - MD5, SHA-256, and Beyond

Frequently Asked Questions

Is this password generator secure?

Yes. It uses crypto.getRandomValues(), the same cryptographic random number generator used by banks and security applications. All generation happens in your browser - passwords are never transmitted anywhere.

What is password entropy?

Entropy measures how unpredictable a password is, expressed in bits. Each bit doubles the number of possible passwords. A 40-bit password has about 1 trillion possibilities. An 80-bit password has about 1.2 septillion - more than atoms in a human body.

How long should my password be?

For everyday accounts: 16+ characters. For password managers or encryption: 24-32+ characters. Length is more important than complexity. A 20-character password using only lowercase letters is stronger than an 8-character password with all character types.

Why exclude ambiguous characters?

Characters like 0 (zero) vs O (letter), or 1 (one) vs l (lowercase L) vs I (uppercase i) look nearly identical in many fonts. If you ever need to type the password manually or read it to someone, excluding these characters prevents frustrating mistakes.