How it works
We use crypto.getRandomValues — the browser's built-in
cryptographic random source — to draw bytes, then map them to your
chosen alphabet using rejection sampling so no character is biased.
The password is generated locally and never transmitted.
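The rejection-sampling step described above, as an added example (not this site's own code). The function names and the injectable fillRandom parameter are assumptions made for illustration; mappingCounts shows the bias that a plain `byte % n` mapping would introduce.

```javascript
// Added example; function names are illustrative, not this site's code.
// Web Crypto is a global in browsers and current Node; older Node needs the fallback.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Largest multiple of n that fits in one byte. Bytes at or above it are discarded.
function acceptLimit(n) {
  if (!Number.isInteger(n) || n < 2 || n > 256) {
    throw new RangeError("alphabet needs 2..256 unique characters");
  }
  return 256 - (256 % n);
}

// fillRandom is injectable (an assumption of this example) so the mapping can be
// checked against fixed bytes; by default it is crypto.getRandomValues.
function generatePassword(length, alphabet, fillRandom = (b) => rng.getRandomValues(b)) {
  if (!Number.isInteger(length) || length < 0) throw new RangeError("bad length");
  const chars = [...new Set(alphabet)]; // duplicates would skew the odds
  const limit = acceptLimit(chars.length);
  // getRandomValues accepts at most 65536 bytes per call
  const buf = new Uint8Array(Math.min(65536, Math.max(16, length * 2)));
  const out = [];
  while (out.length < length) {
    fillRandom(buf);
    for (const byte of buf) {
      if (byte >= limit) continue; // rejection step: skip the biased tail
      out.push(chars[byte % chars.length]);
      if (out.length === length) break;
    }
  }
  buf.fill(0); // do not leave raw random bytes behind
  return out.join("");
}

// Of the 256 byte values, how many land on each alphabet index?
// reject=false is the naive `byte % n` mapping; reject=true drops the tail first.
function mappingCounts(n, reject) {
  const limit = reject ? acceptLimit(n) : 256;
  const counts = new Array(n).fill(0);
  for (let byte = 0; byte < limit; byte++) counts[byte % n]++;
  return counts;
}

// Entropy of a uniformly random password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

With a 10-character alphabet, the naive mapping sends 26 byte values to each of the first six characters and 25 to each of the last four; with rejection every character gets exactly 25.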
What makes a password strong?
- Length over complexity. A 20-character password from a-z is stronger than an 8-character mix of every set.
- Entropy bits measure the size of the space an attacker has to search: an n-bit password takes about 2^(n-1) guesses on average, so each extra bit doubles the work. 80+ is good, 128+ is excellent.
- Don't reuse. A unique password per site means one breach can't cascade. Use a password manager.
Guides
- How strong should my password be? — the bits-of-entropy answer, the math (length × log2 of the alphabet size), and why length beats complexity at every threshold.
FAQ
Is this password sent to a server?
No. Generation happens entirely in your browser using the Web Crypto API.
Is JavaScript's Math.random() safe for passwords?
No — it's a pseudo-random generator and is not cryptographically secure. We use crypto.getRandomValues, which is.
What does "exclude similar" do?
Removes characters that look alike (0/O, 1/l/I, |, quotes) so the password is easier to read and type without errors.
How many bits of entropy do I need?
For most personal accounts, 80 bits is plenty. For sensitive accounts (email, banking, password manager master password), aim for 128+.