Password Generator
Cryptographically-secure random passwords. Pick length and character classes — uppercase, lowercase, numbers, symbols. Generated locally in your browser.
Generated locally in your browser — nothing is uploaded or logged. Open DevTools → Network to verify zero requests.
How it works
This tool calls crypto.getRandomValues(new Uint32Array(length)) to fill an array with cryptographically random 32-bit integers, then maps each integer to a character by taking value % charset.length. The Web Crypto API is seeded by the operating system — on macOS/Linux via /dev/urandom, on Windows via BCryptGenRandom — and is the same source used by TLS and SSH key generation.
// length: requested password length; charset: string of allowed characters
const buf = new Uint32Array(length);
crypto.getRandomValues(buf); // OS-seeded CSPRNG
const pwd = Array.from(buf)
  .map(v => charset[v % charset.length]) // map each 32-bit value to a charset index
  .join("");
Modulo bias: When the charset length is not a power of 2, it does not divide the Uint32 range evenly, so the leftover values at the top of the range wrap around to the lowest charset indices, which are then selected slightly more often. For a charset of 76 symbols this bias is less than 0.002%, which is negligible for password generation purposes. A rejection-sampling approach would eliminate it entirely but adds complexity without meaningful security benefit for this use case.
Entropy formula: bits = length × log2(charset_size). A 16-character password over a 76-character charset yields approximately 16 × 6.25 = 100 bits — well beyond the 80-bit threshold considered computationally infeasible to brute-force with current hardware.
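The rejection-sampling alternative and the entropy formula described above, as an added example that is not this tool's own code. The function names, the injectable fill parameter and the CHARSET_76 constant are assumptions made for illustration.

```javascript
// Added example (not the tool's code). Names and CHARSET_76 are constructed.
const CHARSET_76 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+";

// Web Crypto in browsers and recent Node; older Node exposes it via node:crypto.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Largest multiple of n within the Uint32 range. Draws at or above it are the
// leftover values that cause modulo bias, so the generator discards them.
function rejectionLimit(n) {
  return Math.floor(2 ** 32 / n) * n;
}

// Relative excess probability of the favoured indices under plain `v % n`.
function moduloBias(n) {
  return 2 ** 32 % n === 0 ? 0 : 1 / Math.floor(2 ** 32 / n);
}

// `fill` is injectable only so the rejection step can be tested with fixed values.
function generatePassword(length, charset, fill = (buf) => rng.getRandomValues(buf)) {
  const chars = Array.from(new Set(charset)); // duplicates would skew the distribution
  if (!Number.isInteger(length) || length < 1) throw new RangeError("length must be >= 1");
  if (chars.length < 2) throw new RangeError("charset needs at least 2 distinct characters");
  const limit = rejectionLimit(chars.length);
  const buf = new Uint32Array(length);
  const out = [];
  while (out.length < length) {
    fill(buf); // refill and keep going until enough unbiased draws are accepted
    for (const v of buf) {
      if (v >= limit) continue; // biased tail: skip and draw again
      out.push(chars[v % chars.length]);
      if (out.length === length) break;
    }
  }
  return out.join("");
}

// The page's formula: bits = length × log2(charset_size)
function entropyBits(length, charsetSize) {
  return length * Math.log2(charsetSize);
}
```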
Frequently asked questions
How is this random?
This tool uses the browser's Web Crypto API — specifically crypto.getRandomValues() — which is cryptographically secure. It is seeded by the operating system's entropy pool (hardware events, device timings). This is fundamentally different from Math.random(), which is a pseudo-random number generator not suitable for security-sensitive values.
What's a strong password length?
12+ characters for most online accounts, 16+ for sensitive accounts (banking, email, cloud storage), and 20+ for a password-manager master password. Length is the single biggest factor in password strength — each extra character multiplies the brute-force search space by the charset size.
Are these passwords saved anywhere?
No — passwords are generated entirely in your browser via JavaScript. No server call is made and nothing is logged. You can verify this yourself by opening DevTools → Network tab and watching for zero requests when you generate a password.
Should I include symbols?
Yes, when the service allows it. Symbols expand the charset from ~62 to ~76 characters, adding roughly 0.3 bits of entropy per character — significant over a 16-char password. Only skip symbols if a specific service explicitly rejects them, and prefer a longer password in that case.
Powered by Pyrelo