Are these passwords cryptographically random?

Yes. We use crypto.getRandomValues with rejection sampling, which removes the modulo bias that naïve random generators suffer from, so every allowed character is equally likely.

What does “exclude ambiguous characters” do?

It removes characters that are easy to confuse when typed or read aloud — capital I, lowercase l, the digit 1, capital O, the digit 0, and lowercase o.

How is strength measured?

We estimate Shannon entropy in bits as length × log2(pool size). Roughly: under 28 bits is very weak, 60–127 bits is strong, and 128+ bits is very strong.

How long should my password be?

For everyday accounts, 16 characters is a solid minimum; for important or sensitive accounts, aim for 20 or more. Length matters more than complexity — a longer password is exponentially harder to crack than a short one with a few extra symbols.

Is it safe to generate passwords on a website?

With this tool, yes. The password is created on your own device by your browser’s cryptographic engine and is never sent over the network. For maximum safety, copy it straight into a password manager and avoid generating passwords on a shared or public computer.

Does the same password ever get generated twice?

It is astronomically unlikely. With a large character pool and a reasonable length, the number of possible passwords is so vast that practical collisions never occur. Each click draws fresh random values independently.

Does the generator work offline?

Yes. Once the page has loaded, generation runs entirely in your browser, so you can disconnect from the internet and keep creating passwords with no loss of security.

Password Generator

Generate strong, random passwords locally — nothing is ever sent to a server.

ToolFlux's Password Generator creates strong, truly random passwords in your browser using the cryptographically secure Web Crypto API — nothing is uploaded, logged or stored, so the password is yours alone.

Passwords are generated on your device with the Web Crypto API — nothing is uploaded.

—

Generate strong, secure passwords in your browser

Weak and reused passwords are the single most common cause of account takeovers. This free password generator creates long, unpredictable passwords using your browser’s built-in cryptographic random number generator — the same kind of randomness used to secure HTTPS connections. Because everything happens locally, the password you generate is never transmitted over the network and never stored anywhere.

How to generate a password

Choose a length Set the length slider — 16 characters or more is recommended for important accounts.
Pick character types Choose which to include: uppercase, lowercase, digits, and symbols.
Exclude ambiguous characters Optionally exclude ambiguous characters if you will type the password by hand.
Generate the password Click Generate password. A fresh password appears instantly.
Copy and store it Press Copy, then paste it into your password manager.

Tips for strong passwords

Length beats complexity. A longer password is harder to crack than a short one with lots of symbols.
Use a unique password per site. If one service is breached, the others stay safe.
Store them in a password manager. You should not need to memorise random passwords.
Enable two-factor authentication wherever it is offered for an extra layer of protection.

How the strength meter works

The meter estimates entropy in bits — a measure of how many guesses an attacker would need. It multiplies the password length by the base-2 logarithm of the size of the character pool you selected. More character types and greater length both increase entropy. As a rule of thumb, aim for at least 60 bits for everyday accounts and 128 bits or more for anything highly sensitive.

Frequently asked questions

Are the generated passwords sent to a server?: Never. Passwords are generated locally in your browser using the cryptographically secure Web Crypto API. Nothing is transmitted, logged, or stored.
Are these passwords cryptographically random?: Yes. We use crypto.getRandomValues with rejection sampling, which removes the modulo bias that naïve random generators suffer from, so every allowed character is equally likely.
What does “exclude ambiguous characters” do?: It removes characters that are easy to confuse when typed or read aloud — capital I, lowercase l, the digit 1, capital O, the digit 0, and lowercase o.
How is strength measured?: We estimate Shannon entropy in bits as length × log2(pool size). Roughly: under 28 bits is very weak, 60–127 bits is strong, and 128+ bits is very strong.
How long should my password be?: For everyday accounts, 16 characters is a solid minimum; for important or sensitive accounts, aim for 20 or more. Length matters more than complexity — a longer password is exponentially harder to crack than a short one with a few extra symbols.
Is it safe to generate passwords on a website?: With this tool, yes. The password is created on your own device by your browser’s cryptographic engine and is never sent over the network. For maximum safety, copy it straight into a password manager and avoid generating passwords on a shared or public computer.
Does the same password ever get generated twice?: It is astronomically unlikely. With a large character pool and a reasonable length, the number of possible passwords is so vast that practical collisions never occur. Each click draws fresh random values independently.
Does the generator work offline?: Yes. Once the page has loaded, generation runs entirely in your browser, so you can disconnect from the internet and keep creating passwords with no loss of security.