Strong passwords come from length and randomness, not from a memorable trick. The generator uses your browser's cryptographic random source to produce something a human couldn't pick.
Length matters most. A 20-character lowercase-only password is stronger than a 10-character one with all the symbols. Aim for 16+ on routine accounts, 20+ on important ones, 24+ for masters.
Nothing is sent. The whole thing runs in your browser; open devtools and watch the network tab while clicking Generate — empty. Copy the result into a password manager and you're done.
How strong is "strong enough"?
Measure password strength in bits of entropy. Above 80 is good. Above 100 is overkill in a good way.
Entropy is the right way to measure password strength because it actually tells you something useful: how many guesses an attacker would need to try, in the worst case, to land on your password by brute force. Each bit of entropy doubles that number. 50 bits is a trillion guesses. 70 bits is a quadrillion. 100 bits is more guesses than the universe has time for.
Modern attackers can try roughly a billion guesses per second against poorly-hashed passwords, and a few thousand per second against properly-hashed ones. Even at the high end, anything above 80 bits is effectively unbreakable by brute force. The generator above shows you the entropy of whatever it produces — pick a length and character set that lands somewhere over 80, and you've solved the strength problem for the next decade.
Length vs complexity — and why length wins
Adding a character multiplies the attack space by the size of the character set; adding a character class only adds to the number of choices per character.
Consider an 8-character lowercase password. The attacker has to try at most 26^8 = 208 billion combinations. Now imagine the policy is "you must include an uppercase, a number, and a symbol." That bumps the per-character choice from 26 to about 90, making the space 90^8 = 4.3 quadrillion. That looks impressive: roughly 20,000× more work for the attacker.
But now consider a 12-character lowercase password. 26^12 = 95 quadrillion combinations. Going from 8 to 12 characters beats the entire complexity rule. The reason is that length compounds, since each character multiplies the work, while character classes only add to the per-character choices. Doubling the length squares the attack space; widening the character set only raises the base that gets taken to that power.
This is why most modern advice has shifted from "make it complex" to "make it long." A 20-character random string in any reasonable character set is unbreakable. A 10-character string with the kitchen sink of complexity rules might still be guessable by a determined attacker. Length first, complexity second.
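To make the arithmetic above concrete, here is an added worked example (not code from the generator itself) that computes the entropy in bits and the exact attack-space size for the page's three policies, and turns them into worst-case years to exhaust at the two guess rates the text quotes (a billion per second against poorly hashed passwords, a few thousand per second against properly hashed ones). The 5,000/s figure for the slow case is an assumed concrete value for "a few thousand"; BigInt is used because 26^12 already exceeds the exact integer range of a plain JavaScript number.

```javascript
// Added example (not the site's generator code): entropy and attack-space
// arithmetic for the length-vs-complexity argument. Guess rates of 1e9/s
// (poorly hashed) and 5e3/s (properly hashed) are illustrative assumptions.

// Entropy in bits of `length` characters drawn uniformly from `setSize` symbols.
function entropyBits(length, setSize) {
  return length * Math.log2(setSize);
}

// Exact attack-space size as a BigInt; setSize ** length overflows the
// 2^53 exact-integer range of a Number for the 12-character case.
function attackSpace(length, setSize) {
  return BigInt(setSize) ** BigInt(length);
}

// Worst-case seconds to try every candidate at a given guess rate.
function secondsToExhaust(length, setSize, guessesPerSecond) {
  return Number(attackSpace(length, setSize)) / guessesPerSecond;
}

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// The policies discussed in the text, plus the 20-character recommendation.
function compare() {
  const rows = [
    { label: "8 chars, lowercase (26)", length: 8, setSize: 26 },
    { label: "8 chars, all classes (~90)", length: 8, setSize: 90 },
    { label: "12 chars, lowercase (26)", length: 12, setSize: 26 },
    { label: "20 chars, lowercase (26)", length: 20, setSize: 26 },
  ];
  return rows.map((r) => ({
    ...r,
    bits: entropyBits(r.length, r.setSize),
    space: attackSpace(r.length, r.setSize),
    yearsFastHash: secondsToExhaust(r.length, r.setSize, 1e9) / SECONDS_PER_YEAR,
    yearsSlowHash: secondsToExhaust(r.length, r.setSize, 5e3) / SECONDS_PER_YEAR,
  }));
}

// Stand-alone usage: print a comparison table.
if (typeof require !== "undefined" && require.main === module) {
  for (const r of compare()) {
    console.log(
      `${r.label}: ${r.bits.toFixed(1)} bits, ${r.space} candidates, ` +
      `${r.yearsFastHash.toExponential(2)} years at 1e9/s, ` +
      `${r.yearsSlowHash.toExponential(2)} years at 5e3/s`
    );
  }
}
```

Running it shows why the 12-character lowercase row dwarfs the 8-character all-classes row despite the latter's "complexity", and that the 20-character row crosses the 80-bit mark the previous section calls effectively unbreakable.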
Where the randomness comes from
The browser's cryptographic random API, which is backed by the operating system's secure random source.
The generator uses window.crypto.getRandomValues(), the standard Web Cryptography API for cryptographically secure randomness. Behind the scenes, it asks the operating system for bytes from a true random source — on Linux, /dev/urandom; on Windows, BCryptGenRandom; on macOS, the system entropy pool. These sources mix hardware-level noise (timing jitter, interrupt patterns, ring oscillators on modern CPUs) into a stream that's indistinguishable from true randomness.
This is the same source used by your browser to generate TLS session keys, WebCrypto keys, and any other security-sensitive randomness it needs. If it weren't secure, the entire HTTPS web would be at risk. Using it for passwords is appropriate and battle-tested.
One subtle point: we apply a small modulus reduction to map random bytes to character indices. For non-power-of-two character set sizes, this can introduce a tiny bias. At password lengths of 12+ characters and character sets of 26+, the bias is far below anything an attacker could exploit. Truly bias-free generation is academically nicer but operationally identical.
When to use a passphrase instead
When you have to type or remember the password yourself, a four- to six-word passphrase is easier and just as strong.
Random character strings are great for storage in a password manager but awful to memorise. A passphrase — four to six random words from a large dictionary — gives you the same kind of strength with much better human ergonomics. "correct horse battery staple" has roughly 44 bits of entropy with a 2000-word dictionary; add two more words and you're past 80.
The key word is random. Picking your favourite four words isn't a passphrase — it's a guessable phrase. Use a generator (the EFF maintains a famous diceware-style word list) and accept whatever comes out. The result will be weird ("hotel basket midwife juniper") but easy to remember because it tells a tiny story.
Use a random character string for the 200 per-site passwords your password manager remembers for you. Use a passphrase for the one master password that unlocks the manager. That's the right ergonomic split.
Why you need a password manager
Because humans can't remember unique 20-character passwords for 200 sites, and reusing passwords is the single biggest security failure mode.
The hardest password problem isn't generating one strong password — that's easy. The hardest problem is having a different strong password for every site you use, because that's what protects you when one site gets breached and the attackers try the same email/password combo everywhere else.
A password manager makes this manageable. You memorise one strong master password (or use a hardware key), and the manager stores everything else encrypted under it. When you log in to a site, the manager fills the password for you. When you sign up, it generates a new random one. The maths works out: one master password + a manager + this generator = unique strong passwords everywhere, none of which you have to remember.
Popular options include Bitwarden (open source, free for personal use), 1Password (slick UX), and Apple's built-in iCloud Keychain. All three are well-engineered. Pick whichever fits your workflow and stop reusing passwords.
Frequently asked questions
How strong should a password be?
Length matters more than complexity. A 20-character password using just lowercase letters and numbers is stronger than a 10-character one with all the symbols and uppercase rules. Aim for at least 16 characters for accounts you care about, and 24+ for anything sensitive. Anything over 80 bits of entropy is essentially unbreakable by brute force.
Is the generator really random?
Yes. It uses your browser's built-in crypto.getRandomValues() function, which is backed by the operating system's cryptographically secure random source. The output is indistinguishable from true randomness for any practical purpose.
Does the password get sent to your server?
No. The entire generator runs in your browser. The password is created in JavaScript on your device, displayed on the page, and never leaves it. You can verify this by opening your browser's network tab while clicking Generate — nothing will be sent.
Should I use this for my master password?
It's safe for any password you intend to copy into a password manager. For a master password you have to remember by hand, a passphrase (four to six random words) is easier to memorise than a random string of the same strength.
Why does length matter more than complexity?
Because each additional character multiplies the number of possible passwords by the size of the character set. Length compounds; complexity adds. A 20-character lowercase password beats a 10-character all-classes one by a wide margin.
What's a good rule of thumb for length?
For routine accounts (shopping, forums): 14 to 16 characters. For email, banking, work logins: 20+. For master passwords or accounts that protect other accounts: 24+. The generator defaults to 20 because that's the sweet spot for most users.
Should I include symbols?
If the site allows them, yes — they boost entropy. But never let symbol policy force you below 16 characters. If a site rejects long passwords or insists on a specific pattern, that's a sign of bad password handling.
Why exclude similar characters?
Some character pairs are hard to distinguish in many fonts — 0 vs O, 1 vs l vs I. If you'll ever read the password out loud or copy it by hand, excluding these makes life easier. The cost is a tiny reduction in entropy that doesn't matter at the lengths the generator uses by default.