Toolzent

Password Generator

Free password generator: build a strong, random password online with crypto-secure characters, your choice of length and character types. Runs in your browser.

Updated 2026-06-09 · Free · No sign-up · Runs privately in your browser

What is a password generator?

A password generator creates a random password from the character types you choose, using a cryptographically secure random source so the result is unpredictable. This tool lets you pick a length from 4 to 128 and toggle four character sets — lowercase, uppercase, digits and symbols — then builds a fresh password and rates its strength in bits of entropy. Every password is generated locally in your browser and is never sent anywhere.

What does this tool do?

It assembles a character pool from the options you tick and draws each position from that pool at random. Lowercase adds the 26 letters a-z, uppercase adds the 26 letters A-Z, digits add 0-9 (10 characters), and symbols add the 24 marks !@#$%^&*()-_=+[]{};:,.?/. With all four enabled the pool is 86 characters. You set the length, click Generate, and copy a password that no dictionary or pattern could guess. A live strength label tells you whether the result is Weak, Fair, Strong or Very strong.

How does it work?

Two things make a generated password good: a large character set and enough length. The tool measures the combination as entropy, the number of truly random bits behind the password.

The formula is:

entropy (bits) = length × log₂(character-set size)

Here the character-set size is how many distinct characters could appear in each position (the sum of the sets you enabled), and length is how many characters the password has. Each character is selected with the browser’s crypto.getRandomValues, a cryptographically secure generator that produces a uniform, unbiased choice across the pool — unlike Math.random, which is predictable and unsuitable for secrets. If you untick every type, there is no pool to draw from, so the tool reports an error instead of producing a password.

The set sizes are fixed per type:

  • Lowercase a-z — 26 characters
  • Uppercase A-Z — 26 characters
  • Digits 0-9 — 10 characters
  • Symbols !@#$%^&*()-_=+[]{};:,.?/ — 24 characters

The strength label maps the entropy to four tiers: under 40 bits is Weak, under 70 is Fair, under 100 is Strong, and 100 bits or more is Very strong. Because entropy grows with both length and set size, the quickest way to a stronger password is to add characters, enable more types, or both.
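One way to implement the generation and rating steps described above, as an added example that is not the tool's own code. The function and constant names are assumptions, and rejection sampling is used here as one standard way to turn the 32-bit integers from crypto.getRandomValues into a uniform pick from the pool.

```javascript
// Added example: SETS, buildPool, uniformIndex, generatePassword, entropyBits
// and rate are illustrative names, not taken from the tool.
const SETS = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.?/',
};

// Web Crypto is a global in browsers and current Node; older Node exposes it via require.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const secureFill = (buf) => webCrypto.getRandomValues(buf);

function buildPool(types) {
  const pool = Object.keys(SETS).filter((t) => types[t]).map((t) => SETS[t]).join('');
  if (pool.length === 0) throw new Error('Select at least one character type');
  return pool;
}

// Uniform index in [0, n): discard draws that fall in the incomplete final
// block of the 32-bit range, so that `% n` introduces no modulo bias.
function uniformIndex(n, fill = secureFill) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { fill(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, types, fill = secureFill) {
  if (!Number.isInteger(length) || length < 4 || length > 128) {
    throw new RangeError('Length must be an integer from 4 to 128');
  }
  const pool = buildPool(types);
  let out = '';
  for (let i = 0; i < length; i++) out += pool[uniformIndex(pool.length, fill)];
  return out;
}

// entropy (bits) = length × log2(set size), mapped to the page's four tiers.
function entropyBits(length, setSize) { return length * Math.log2(setSize); }
function rate(bits) {
  if (bits < 40) return 'Weak';
  if (bits < 70) return 'Fair';
  if (bits < 100) return 'Strong';
  return 'Very strong';
}
```

The optional `fill` parameter exists only so the sampling loop can be exercised with a fixed sequence; normal calls use the default secure source.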

Examples

Each example applies the same formula, length × log₂(set size), and the same tier cutoffs. The exact characters differ every click because they are drawn at random, so these show the strength outcome, not a fixed string.

Example 1 — 16 characters, all four types (set size 86). Entropy is 16 × log₂(86) ≈ 16 × 6.43 = 103 bits. That is 100 bits or more, so the rating is Very strong. This is the recommended baseline for an everyday strong password.

Example 2 — 8 characters, lowercase only (set size 26). Entropy is 8 × log₂(26) ≈ 8 × 4.70 = 38 bits. That is under 40, so the rating is Weak. Short and single-type passwords stay weak no matter how random.

Example 3 — 12 characters, all four types (set size 86). Entropy is 12 × log₂(86) ≈ 12 × 6.43 = 77 bits. That lands between 70 and 100, so the rating is Strong — solid, though stretching to 16 characters pushes it into Very strong.

Two levers move every result: adding character types enlarges the set (raising log₂(set size)), and adding length multiplies that value. Going from Example 2 to Example 1 — more types and double the length — lifts the password from 38 to 103 bits.

Strength tiers and entropy reference

This table shows the four labels the tool uses and worked entropy values for common settings. Bits are rounded; the tier is decided by the exact value against the cutoffs (under 40, under 70, under 100, 100+).

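| Length | Types enabled | Set size | Entropy (bits) | Rating |
|---|---|---|---|---|
| 4 | all four | 86 | 26 | Weak |
| 8 | lowercase only | 26 | 38 | Weak |
| 8 | all four | 86 | 51 | Fair |
| 12 | lowercase only | 26 | 56 | Fair |
| 12 | all four | 86 | 77 | Strong |
| 16 | upper + lower + digits | 62 | 95 | Strong |
| 16 | all four | 86 | 103 | Very strong |
| 20 | all four | 86 | 129 | Very strong |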

The pattern is consistent: a small set or a short length keeps you in Weak or Fair, while 16-plus characters across all four types reliably reaches Very strong. Use the rating as a quick check, then lengthen the password if it is not where you want it.

Common uses

A secure random password is the right choice almost anywhere you create a credential:

  • New account sign-ups — generate a unique 16-plus-character password per site so one breach never unlocks the others.
  • Resetting a compromised login — replace a reused or leaked password with a fresh random one rated Very strong.
  • Storing in a password manager — let the manager remember a long random string you never have to type, so length costs you nothing.
  • Wi-Fi and router keys — produce a strong key for network access that resists guessing and brute force.
  • Database, admin and service accounts — create high-entropy credentials for systems where a weak password would be a real risk.

Tips and common mistakes

A few habits get the most out of the generator:

  • Favour length first. Going from 12 to 20 characters raises entropy more reliably than swapping one character type, because length multiplies the whole formula.
  • Enable all four types when the site allows it. Each type you add enlarges the set and the per-character entropy; symbols add 24 characters on their own.
  • Do not hand-edit the result. Deleting symbols or trimming length to “make it easier” lowers entropy and can drop the rating a whole tier.
  • Never reuse a generated password. The strength only helps if the password is unique per account; reuse re-exposes you whenever any one site is breached.
  • Treat “Very strong” as necessary, not sufficient. A high entropy score does not protect you from phishing, malware or a reused password — store the result safely.

Limitations and notes

The strength figure is an entropy estimate for a fully random password of the given length and set, not a guarantee. It assumes every character was chosen independently and uniformly, which is exactly how this tool generates them — but the same number would overstate the strength of a human-chosen password built from words or patterns. The rating also does not know where the password is used; entropy says nothing about phishing, keyloggers, weak server hashing or password reuse, which are separate risks. Length is capped between 4 and 128, and if no character type is selected the tool cannot build a pool and reports an error rather than returning an empty or predictable string. Everything runs privately: each character comes from crypto.getRandomValues executing in your browser, so the password is never uploaded, logged or stored, and the generator keeps working offline once the page has loaded.

For more generators, pair this with the UUID generator for unique identifiers or the word counter to check text length, and browse the full generators category.

Frequently asked questions

How do I generate a strong password with this tool?

Set the length (try 16 or more), tick lowercase, uppercase, digits and symbols, then click Generate. Copy the result; it is created securely in your browser.

How long should my password be?

Aim for at least 16 characters with all four character types. That reaches about 103 bits of entropy, which the tool rates Very strong.

What strength does a 16-character password with all four types get?

With an 86-character set, 16 × log₂(86) ≈ 16 × 6.43 = 103 bits, so it scores Very strong (100 bits or more).

Why is an 8-character lowercase-only password weak?

Its set is just 26 letters, so 8 × log₂(26) ≈ 8 × 4.70 = 38 bits, which falls under 40 and is rated Weak. Add length and character types to fix it.

Are these passwords truly random and secure?

Yes. Each character is drawn uniformly with crypto.getRandomValues, a cryptographically secure generator, not Math.random, so the output is unpredictable.

Is my password sent to a server or saved?

No. The password is generated locally in your browser, so nothing is uploaded, logged or stored, and it keeps working offline once the page loads.

How is the strength rating calculated?

It estimates entropy in bits as length × log₂(set size): under 40 Weak, under 70 Fair, under 100 Strong, 100 or more Very strong.

Which characters can the symbols option include?

The 24 symbols are ! @ # $ % ^ & * ( ) - _ = + [ ] { } ; : , . ? / used to enlarge the character set and raise entropy.