Password Generator
Generate cryptographically secure random passwords instantly online. Choose length, character sets (uppercase, digits, symbols), and generate up to 10 at once. Runs entirely in your browser.
Related Tools
Unix Timestamp
Convert Unix timestamps to UTC, local time, and ISO 8601 instantly. Auto-detects seconds vs milliseconds.
Base Converter
Convert numbers between decimal, hex, binary, and octal instantly. Free and runs in your browser.
Hash Generator
Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes instantly. Runs entirely in your browser using the Web Crypto API.
Secure password generation requires a cryptographically secure pseudorandom number generator (CSPRNG), not Math.random(), which is a deterministic algorithm seeded from a predictable source and unsuitable for security-sensitive values. NIST SP 800-63B recommends passwords of at least 8 characters for memorized secrets and longer random strings for machine-generated credentials.
Generated passwords are used for initial user account credentials, API keys and service account passwords, database user passwords, Wi-Fi passphrases, encryption passphrases for backups, and temporary secrets in development environments. Password managers (1Password, Bitwarden, KeePass) generate passwords the same way — using OS entropy from /dev/urandom or equivalent.
This tool generates passwords using crypto.getRandomValues(), the browser's CSPRNG backed by the operating system's entropy source (equivalent to /dev/urandom on Linux). Character sets (uppercase, lowercase, digits, symbols) are configurable, and length is adjustable from 8 to 128 characters. Generation happens entirely in the browser — no password values are transmitted anywhere.
Common Use Cases
Creating database user credentials
When provisioning PostgreSQL, MySQL, or MongoDB users for applications, the database password should be a long random string with high entropy — not a human-chosen word. Generating a 32-character password with mixed character sets produces credentials that resist brute-force attacks. The password is stored in a secrets manager (AWS Secrets Manager, HashiCorp Vault) rather than memorized.
Generating API keys and service secrets
Internal service-to-service API keys, webhook secrets for GitHub or Stripe, and signing secrets for HMAC-based tokens need to be long random strings with sufficient entropy. Generating a 64-character alphanumeric password provides ~380 bits of entropy — far beyond what brute-force or collision attacks can practically target for a shared secret.
Setting initial user passwords for account provisioning
When IT teams provision new employee accounts in Active Directory, Okta, or a custom identity service, they generate a temporary initial password to provide alongside the username. The generated password must meet complexity requirements (mixed case, digits, symbols) and be long enough to be reasonably secure before the user changes it at first login.
Creating encryption passphrases for backups
GPG-encrypted backups, VeraCrypt volumes, and age-encrypted files require a passphrase. For automated backups where a human does not need to type the passphrase interactively, a 40+ character random string (stored in a secrets manager) is more secure than a human-memorable phrase. Generating and immediately storing the passphrase without human memorization is the correct workflow.
Password Security Tips
- Use at least 16 characters for sensitive accounts
- Enable symbols (!@#) for maximum entropy
- Never reuse passwords across different services
- Store passwords in a password manager, not in plain text
How it works
- Uses
crypto.getRandomValues()— a cryptographically secure random number generator - Passwords are generated entirely in your browser and never sent anywhere
- Each character is selected uniformly from the chosen character set