What Makes a Strong Password?
A strong password has three qualities: length, randomness, and character variety. Length is the most important factor. A 16-character password with only lowercase letters has 2616 ≈ 43 trillion trillion possibilities — already extremely hard to brute-force. Adding uppercase, numbers, and symbols multiplies the search space even further.
The weakest passwords are short, predictable, or reused across sites. The strongest passwords are long, fully random, and unique to each account — which is why a password manager is essential when you generate truly random passwords.
Password Length Guide
- 8 characters: Minimum for low-stakes accounts. Not recommended for anything important.
- 12 characters: Acceptable for most accounts if using all character types.
- 16 characters: Recommended for most accounts. Strong against current hardware.
- 20+ characters: Use for high-value accounts: email, banking, password manager master password.
- 32+ characters: API keys, service credentials, anything that doesn't need to be memorized.
Is This Password Generator Safe?
Yes. This tool uses the browser's built-in crypto.getRandomValues() API, which provides cryptographically secure random numbers. The generated passwords are never sent to any server, never logged, and never stored. They exist only in your browser until you close or clear the page.
This is the same random number source used in cryptographic applications — it is not predictable, not seeded from the time, and not reproducible.
Exclude Ambiguous Characters
When you need to type a password manually (not copy-paste), ambiguous characters like 0 (zero) and O (capital o), or l (lowercase L) and 1 (one) and I (capital i) are easy to confuse. Enable "Exclude ambiguous" to remove these from the character set.
Should I Use a Password Manager?
Yes. A truly strong password is one you cannot memorize — which means you need a password manager to store it. Bitwarden (free, open-source), 1Password, and Dashlane are excellent options. Store the passwords generated here in your password manager, never in a plain text file or browser notes.
Frequently Asked Questions
How random are the passwords generated? +
Passwords are generated using crypto.getRandomValues() — the browser's cryptographically secure pseudo-random number generator (CSPRNG). This is the same source used for generating encryption keys and is not predictable from external information like the current time.
Are the generated passwords stored anywhere? +
No. Generation happens entirely in your browser's JavaScript engine. No password, partial password, or any input is transmitted to a server. The page has no server-side component at all.
What symbols are included? +
The symbol set is: ! @ # $ % ^ & * ( ) - _ = + [ ] { } | ; : , . ? — a common set that is accepted by most password fields. Rare symbols like backtick, backslash, and angle brackets are excluded to avoid compatibility issues.
How many characters should my password be? +
16 characters is a strong default for most accounts. For your password manager master password or email account (which can be used to reset everything else), use 20+ characters. For API keys and service credentials you never need to type, 32 characters is ideal.
Why shouldn't I use dictionary words? +
Dictionary attacks try millions of common words and phrases before resorting to random character combinations. Even "correct-horse-battery-staple" can be tested in a dictionary attack against passphrase lists. Truly random characters offer the highest entropy per character.