Strong Random Password Generator
Generate a strong random password from 4 to 128 characters using your browser's Web Crypto API. Pick uppercase, lowercase, numbers, and symbols, then copy in one click. Free and 100% in your browser.
Your Secure Password
0 characters • to crack
Password Options
Instant Generation
Generate strong passwords with a single click. Customize options in real-time.
Strength Analysis
Real-time password strength meter with crack time estimation.
100% Private
All generation happens locally. Your passwords never leave your browser.
Strong Random Password Generator: Secure, In-Browser, Free
A password generator builds a random string from a pool of characters so attackers can't guess it. Set a length of 4 to 128, choose uppercase, lowercase, numbers, and symbols, and copy the result. Every character is drawn from your browser's Web Crypto API (a CSPRNG), not the predictable Math.random. It runs 100% in your browser, free, with no upload.
How to generate a strong password
- Drag the Length slider to any value from 4 to 128. The default is 16, which gives roughly 103 bits of entropy with all sets on.
- Toggle which character sets to include: uppercase (A–Z), lowercase (a–z), numbers (0–9), and symbols (
!@#$%^&*()and more). - Enable Exclude Ambiguous if the password will be typed by hand — it removes the look-alikes
l 1 I 0 O. - Read the live strength meter and crack-time estimate to confirm the result is "Very Strong" before you use it.
- Press Copy to send it to your clipboard, or Regenerate for a fresh random string with the same settings.
How password entropy and the CSPRNG work
Password strength is measured in bits of entropy, given by the formula E = L × log₂(R), where L is the length and R is the size of the character pool. Each extra character multiplies the keyspace, which is why length beats complexity: adding one more character does far more than adding one more symbol type. With all four sets enabled, this tool draws from an 88-character pool (26 + 26 + 10 + 26 symbols), so a 16-character password reaches about 103 bits.
Randomness comes from the browser's Web Crypto getRandomValues — a cryptographically secure PRNG (CSPRNG). The non-secure Math.random() is explicitly "not cryptographically secure" per MDN and must never seed passwords. After filling the string, the tool runs a Fisher-Yates shuffle (also using secure bytes) so the guaranteed character from each set isn't stuck at the front.
"Verifiers and CSPs SHALL require passwords used as a single-factor mechanism to be a minimum of 15 characters in length… and SHOULD permit a maximum of at least 64 characters."— NIST SP 800-63B Rev. 4 (2025)
NIST Rev. 4 also drops composition rules (no forced mixes of symbols) and periodic resets — password rotation is only required when there is evidence of compromise. For a memorable alternative, six random words from the EFF Diceware list carry about 77.5 bits (log₂(7776) ≈ 12.92 bits per word × 6), roughly equal to a 12-character full-charset password here.
Worked examples: settings → result
16 chars · all sets on (default)
k7$Rm2!qWxZ9pL@4 · ~103 bits · rated Very Strong
8 chars · lowercase only
qmxkrtwz · ~37.6 bits · penalized: letters-only triggers −10
20 chars · exclude ambiguous on
Tz8#vKn4@Rj6mWq2!sPx · no l 1 I 0 O · safe to read aloud
Edge case · CSPRNG vs Math.random & modulo bias
This tool maps each random 32-bit value to a character with value % charset.length. Because 2³² is not an exact multiple of 88, the first 16 characters of the pool are very slightly more likely (a bias of about 1 part in 2.7×10⁷ — cryptographically negligible). The real failure mode is using Math.random for passwords: its output is predictable and seedable, so a generator built on it can be reproduced by an attacker.
Entropy reference: length × charset
Bits are computed as length × log₂(charset size) using this tool's real pools (lowercase = 26, alphanumeric = 62, all sets on = 88). Aim for 80+ bits for important accounts.
| Length | Lowercase (R=26) | Alphanumeric (R=62) | All sets (R=88) |
|---|---|---|---|
| 8 | 37.6 bits | 47.6 bits | 51.7 bits |
| 12 | 56.4 bits | 71.5 bits | 77.5 bits |
| 16 (default) | 75.2 bits | 95.3 bits | 103.4 bits |
| 20 | 94.0 bits | 119.1 bits | 129.2 bits |
The guarantee most generators skip
This tool doesn't just sample randomly — it guarantees one character from every set you enable before filling the rest. With all four sets on, the first four picks are a forced uppercase, lowercase, digit, and symbol; the remaining length − 4 characters are random across the full 88-char pool. A final Fisher-Yates shuffle scatters those forced characters, so you never see a tell-tale "Aa1!…" prefix. That matters because a strength check that requires every type would otherwise reject a purely random string that happened to omit, say, a digit.
One real limit: the strength meter penalizes patterns. Three or more repeated characters costs −10, letters-only costs −10, and digits-only costs −20. So an 8-character lowercase password lands at "Weak" even though its raw entropy is 37.6 bits — a deliberate nudge toward longer, mixed output.
Runs 100% in your browser
Your password never leaves your device. It is generated locally with crypto.getRandomValues and copied with your browser's native clipboard — no uploads, nothing leaves your device. I tested generation at lengths 4, 16, 20, and the 128 cap, with every combination of sets, and with Exclude Ambiguous on and off. Disabling all four sets returns an empty string by design, and the live strength and crack-time readouts update on every change without lag.
Frequently asked questions
Is this password generator free?
Yes — 100% free with no signup and no usage cap. Generate as many passwords as you need; each one is yours to use anywhere.
Does my password get uploaded anywhere?
No. Everything is generated and copied in your browser with JavaScript and the Web Crypto API. No password is sent to a server, so the tool works offline once the page loads.
How long should my password be?
NIST SP 800-63B Rev. 4 requires at least 15 characters for single-factor use. The default here is 16 with all sets on (~103 bits); bump it to 20+ for primary accounts.
Why does length matter more than symbols?
Because entropy is length × log₂(charset). Each added character multiplies the keyspace, while one extra symbol type only adds it once — so a longer simple password beats a short complex one.
Related security & generator tools
Score any password's entropy offline
UUID GeneratorCreate random non-guessable IDs
Random Number GeneratorDraw secure random numbers in a range
Hash GeneratorHash credentials with SHA-256
HMAC GeneratorSign messages with a secret key
QR Code GeneratorEncode a Wi-Fi password as a QR code
Number Base ConverterConvert between hex, binary & decimal
HTTP Status CodesLook up 401, 403 & auth responses
Cron Expression BuilderSchedule a password-rotation job
Guide: Create a Strong PasswordWhy length beats complexity
Guide: Hashing vs EncryptionHow passwords are stored safely
All ToolsBrowse the full toolk hub
Last updated: June 2, 2026 · Runs 100% in your browser — no uploads, nothing leaves your device.
Need a different tool?
Browse all 89 free, in-browser tools — or tell us what we should build next.