Password Generator

Generate a strong, random password with the click of a button. Tune the length and the character classes to match your target site's policy. The randomness comes from the browser's Web Crypto API — your password never leaves your machine.

Why generate passwords this way?

Humans are bad at creating randomness. Picking your own password almost always results in something predictable — a name, a date, a keyboard pattern. A generator pulls true entropy from the operating system's secure random source, which makes the result impossible for an attacker to guess except by exhaustive search.

Length matters more than complexity. A 20-character lowercase-only password (~94 bits) is harder to crack than an 8-character password using all four classes (~52 bits). Aim for at least 80 bits of entropy for general accounts and 120+ bits for anything that protects your other passwords (master password, recovery key).

How to use this tool

  1. Adjust the length slider to match the target site's maximum allowed length (typically 16-64).
  2. Tick the character classes you need. If a site rejects symbols, untick them. The strength bar updates to reflect your choices.
  3. Click Generate to roll a new password (or just adjust any control — it regenerates automatically), then Copy to put it in your clipboard. Paste straight into your password manager.

Frequently asked questions

Is the password sent to a server or stored anywhere?

No. Generation uses crypto.getRandomValues() in your browser. The password is held in memory only and never transmitted. Closing the tab discards it.

What is 'bits of entropy'?

It is a measure of how unpredictable a password is. Each bit doubles the search space for an attacker. 80 bits of entropy means an attacker would need to try on the order of 2^80 (~1.2 quadrillion billions) passwords to brute-force it — infeasible with current hardware.

Why exclude ambiguous characters?

Characters like the letter 'I' and digit '1', or letter 'O' and digit '0', look identical in many fonts. Excluding them makes the password easier to read and type if you ever need to do so manually. The trade-off is a small reduction in entropy.
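
The three answers above (generation with crypto.getRandomValues(), bits of entropy, and excluding ambiguous characters) fit in one short sketch. This is an added example, not the tool's own code: the function names, the 94-character printable-ASCII alphabet and the rejection-sampling step are assumptions, chosen so the entropy figures match the ones quoted on this page.

```javascript
// Added example; all names here are illustrative, not the tool's own code.
// Browsers expose crypto globally; the fallback covers older Node.js runtimes.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Printable ASCII 0x21-0x7E split into the four classes: 26 + 26 + 10 + 32 = 94.
const printable = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i));
const CLASSES = {
  lower: printable.filter((c) => /[a-z]/.test(c)),
  upper: printable.filter((c) => /[A-Z]/.test(c)),
  digits: printable.filter((c) => /[0-9]/.test(c)),
  symbols: printable.filter((c) => /[^a-zA-Z0-9]/.test(c)),
};
const AMBIGUOUS = new Set("I1O0"); // the look-alike pairs named in the FAQ

function buildAlphabet(classNames, excludeAmbiguous = false) {
  const chars = [...new Set(classNames)].flatMap((name) => {
    if (!Object.hasOwn(CLASSES, name)) throw new RangeError(`unknown class: ${name}`);
    return CLASSES[name];
  });
  return excludeAmbiguous ? chars.filter((c) => !AMBIGUOUS.has(c)) : chars;
}

// Entropy of `length` independent uniform draws from `alphabetSize` symbols.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Uniform index in [0, n) for n <= 256. Bytes at or above the largest multiple
// of n are discarded; a plain `byte % n` would favour the low indices.
function randomIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, classNames, excludeAmbiguous = false) {
  const alphabet = buildAlphabet(classNames, excludeAmbiguous);
  if (alphabet.length < 2) throw new RangeError("alphabet too small");
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}
```

Every character is an independent uniform draw, so the value from `entropyBits` is exact for this sketch; a generator that forces at least one character from each class produces slightly less.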

Should I prefer a passphrase over a random password?

For credentials you have to type yourself (laptop login, master password for a vault), a 5-7 word passphrase from a long wordlist hits ~70-90 bits of entropy and is much easier to remember than a random string of the same strength. For everything else — site logins, API keys — let your password manager generate and store a 16+ character random one and never type it.

How often should I rotate my passwords?

Modern guidance (NIST SP 800-63B) is to rotate only on suspicion of compromise, not on a fixed schedule. Forced periodic rotation pushes people toward predictable variations (Spring2026!, Summer2026!) that are weaker than the original. Instead: pick a unique strong password per site, store it in a manager, and only change it if the site notifies you of a breach or you spot suspicious activity.

Common use cases

When you actually need a fresh strong password.

Sign up for a new service

Generate a 16-character random password, paste it once into the signup form and store it in your password manager. You will never type it again.

Rotate after a known breach

If a site you use appears on haveibeenpwned, generate a new password here and update both the site and your manager — never reuse a leaked one.

Generate a development secret

Need a JWT secret, an API key, or a session-cookie key for a side project? Generate a 32-character mixed string and paste it into your .env.

Bootstrap a new device PIN

Need a memorable but strong unlock code? Switch to digits-only, pick 6-8 characters, and avoid obvious sequences (1234, your birth year).

Tips and shortcuts

Habits that turn a generated password into one that actually protects you.

Use a password manager

A 20-character random password is useless if you write it on a sticky note. 1Password, Bitwarden, or your browser's built-in vault all work — pick one and use it for every site.

Length beats complexity

20 lowercase letters have more entropy than 12 mixed-case-symbol characters. If a site rejects your password for being too long, that is a red flag about how it stores it.

Disable ambiguous chars only when typing manually

Excluding 1/I and 0/O sacrifices a small amount of entropy. Only do it if you actually have to read the password off the screen — for paste-only flows, keep them.

Pair with two-factor authentication

A unique generated password protects against credential stuffing. Adding TOTP or a passkey on top protects against phishing and password leaks too. Always enable 2FA where offered.