Strong Password Generator — Random or Passphrase, No Ambiguous Characters, Free
All generation happens in your browser. Nothing is sent to a server, nothing is stored, and no history is kept.
Related external tools
Some links are affiliate links.
Related tools
This free strong password generator creates random passwords or easy-to-remember passphrases using your browser's cryptographically secure random number generator (crypto.getRandomValues) — no Math.random, no bias. Choose length, character types (uppercase, lowercase, digits, symbols), exclude look-alike characters (0/O, l/1), guarantee at least one of each selected type, and generate several at once. A passphrase mode strings multiple words together for a strong yet memorable password. Estimated entropy and crack time give you a sense of strength. Everything runs 100% in your browser — nothing is uploaded, stored, or logged.
How to use
- Select a mode: Random Password (character string) or Passphrase (word sequence).
- For random mode: set the length, choose character types, and optionally exclude ambiguous characters (0/O, l/1) or require at least one of each type.
- For passphrase mode: set the word count, separator, capitalization, and whether to add a number.
- Set how many passwords to generate, then click Generate (or let settings changes auto-regenerate).
- Copy individual results with the Copy button, or copy all at once with Copy All.
- No install, no account — runs entirely in your browser. Results are not sent anywhere.
What makes a strong password?
A strong password is hard to guess by brute force or dictionary attack. These are the key factors:
Length and character variety
Length is the single most important factor: a long password beats a short complex one. Use at least 12–16 characters. Mixing uppercase, lowercase, digits, and symbols enlarges the pool of possible characters, and every extra character multiplies the number of possible combinations by the pool size.
Avoiding ambiguous characters (0/O, l/1)
Characters like O (letter) vs 0 (zero), l (lowercase L) vs 1 (one) vs I (uppercase i), B vs 8, S vs 5 look nearly identical in many fonts. Excluding them makes passwords safe to handwrite, read aloud, or scan with OCR. The pool shrinks slightly, so add a little length to compensate.
Estimated entropy (bits) — what it means
Entropy measures the number of possible passwords your settings could produce: entropy = length × log₂(pool size). Higher bits = harder to guess. As a rule of thumb, 80+ bits is considered practically strong for most use cases. The displayed value is a theoretical estimate based on your settings — it assumes the attacker knows the pool but not the password.
Passphrases — strong and memorable
A passphrase combines multiple random words into a single credential, for example Apple-River-7-Tiger. Passphrases are easier to remember than a random string of characters, yet can be very strong when they use enough words.
How passphrases work
Words are picked at random from a built-in dictionary. With 4 words from a 2000-word dictionary, there are 2000⁴ ≈ 16 trillion possible combinations (about 44 bits). The separator, capitalization, and added digit increase entropy further. More words = stronger passphrase.
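The entropy formula and the passphrase count above, as an added example (not the tool's own code). It goes one step beyond the page's formula by counting exactly how many passwords satisfy the "at least one of each type" rule; the function names and sample class sizes are assumptions.

```javascript
// Added example; function names and the sample class sizes are assumptions.
const GUESSES_PER_SECOND = 1e10; // guess rate this page uses for crack time

// Random password: entropy = length * log2(pool size).
function passwordBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Passphrase: every word is an independent pick from the dictionary.
function passphraseBits(wordCount, dictionarySize) {
  return wordCount * Math.log2(dictionarySize);
}

// With "at least one of each type" on, some strings can never be produced.
// Inclusion-exclusion over the classes counts the strings that contain every
// class at least once; log2 of that count is an upper bound on the bits.
function requireEachBits(length, classSizes) {
  const total = classSizes.reduce((a, b) => a + b, 0);
  let count = 0;
  for (let mask = 0; mask < 1 << classSizes.length; mask++) {
    let removed = 0;
    let excluded = 0;
    classSizes.forEach((size, i) => {
      if (mask & (1 << i)) { removed += size; excluded++; }
    });
    count += (excluded % 2 ? -1 : 1) * (total - removed) ** length;
  }
  return Math.log2(count);
}

// Seconds to exhaust the whole space at the assumed rate; on average a
// search finds the password after half of it.
function crackSeconds(bits) {
  return 2 ** bits / GUESSES_PER_SECOND;
}
```

For a 16-character password over upper, lower, digits and 18 symbols, the rule costs well under one bit compared with the plain formula, which is why the displayed figure is still a fair estimate.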
When to use a passphrase vs a random password
Use a passphrase for passwords you need to type or remember (e.g., a master password or disk encryption key). Use a random password for everything else, especially those stored in a password manager, where memorability doesn't matter.
Key features
- Cryptographically secure randomness (no Math.random)
  Uses the browser's built-in CSPRNG (crypto.getRandomValues) and removes modulo bias using rejection sampling, so every character in the pool has an exactly equal chance of appearing. Not just random, but uniformly random.
- Guarantee at least one of each selected character type
  When enabled, the generator picks one character from each selected type first, then fills the rest randomly, then shuffles the whole result with Fisher–Yates. This ensures a site requirement like 'must include at least one uppercase, one digit, and one symbol' is always met.
- Exclude look-alike characters
  Toggle to remove 0/O, l/1/I, B/8, S/5 and similar pairs from the pool. Useful when you'll write or read the password aloud. Slightly reduces the pool, so consider adding length.
- Passphrase generation
  Pick words, separator, capitalization, and whether to include a digit. Words come from a built-in dictionary included at build time, with no external request.
- Strength (entropy) visualization
  Entropy is calculated from your settings in real time and displayed as bits along with a label (Very Weak to Very Strong) and an estimated crack time assuming 10 billion guesses per second. This is a theoretical estimate, not a guarantee.
- Generate multiple passwords at once
  Set the count slider to produce up to 20 passwords in one click. Copy each one individually or copy all at once (newline-separated). Regenerate instantly with the Regenerate button.
- Private: nothing is uploaded or stored
  All generation runs in your browser using your device's CPU and CSPRNG. No network request is made. No history is stored in localStorage or anywhere else. Refreshing the page clears all results.
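The rejection sampling, per-type guarantee and Fisher–Yates shuffle described in the feature list above, as an added example that is not the tool's own source. The symbol set, the exact ambiguous-character set and all function names are assumptions.

```javascript
// Added example (not the tool's source). Browsers and Node 19+ expose
// globalThis.crypto; older Node only offers Web Crypto through require().
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const CLASSES = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digit: '0123456789',
  symbol: '!@#$%^&*()-_=+[]{}', // assumed symbol set
};
const AMBIGUOUS = new Set('0O1lIB8S5'); // pairs named on this page

// Uniform integer in [0, n). A plain `value % n` favours small results when
// 2^32 is not a multiple of n, so draws at or above the largest multiple of n
// are thrown away and redrawn (rejection sampling).
function randomIndex(n) {
  // No CSPRNG means no generation; there is no Math.random fallback.
  if (!webCrypto?.getRandomValues) throw new Error('No CSPRNG available');
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do { webCrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, types,
  { excludeAmbiguous = false, requireEach = false } = {}) {
  const pools = types.map((t) =>
    [...CLASSES[t]].filter((c) => !(excludeAmbiguous && AMBIGUOUS.has(c))));
  const all = pools.flat();
  if (!all.length || (requireEach && length < pools.length)) {
    throw new RangeError('invalid settings');
  }
  const out = [];
  // One guaranteed character per selected type, then fill from the full pool.
  if (requireEach) for (const p of pools) out.push(p[randomIndex(p.length)]);
  while (out.length < length) out.push(all[randomIndex(all.length)]);
  // Fisher-Yates shuffle so the guaranteed characters do not sit in front.
  for (let i = out.length - 1; i > 0; i--) {
    const j = randomIndex(i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out.join('');
}
```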
Use cases
Meet site password requirements
Enable 'Require at least one of each type' and select the character types your site demands (uppercase + digit + symbol). The generator will always produce a password that satisfies those rules.
Create a memorable passphrase
Use passphrase mode with 4–5 words when you need to remember a strong password — for a master password, disk encryption, or any account you regularly type manually.
Avoid confusion when writing or reading aloud
Enable 'Exclude ambiguous characters' when you'll handwrite a password, enter it via phone, or share it orally. Removes O/0, l/1/I and similar pairs so there's no confusion.
Generate passwords for multiple accounts
Increase the count to generate several unique passwords at once, then use Copy All to get them all in one shot. Give each account its own password — never reuse.
Notes & limitations
- Strength display is an estimate — not a guarantee. Real-world security depends on the attacker's resources, leaks, reuse, and phishing, all of which this tool cannot predict.
- Never reuse passwords across sites. A single breach can expose all accounts that share the same password.
- This tool does not store results. Once you close or refresh the page, passwords are gone. Use a password manager to keep them safe.
- Excluding ambiguous characters slightly reduces the pool size and thus entropy. Add extra length to compensate if needed.
- Passphrase words are in English. The strength is the same regardless of your language, but memorability is best for English speakers.
- If the browser doesn't support crypto.getRandomValues (extremely old browsers), generation is blocked entirely. We never fall back to Math.random.
Frequently asked questions
- Is the password generated securely?
  Yes. We use the browser's built-in cryptographic random number generator (crypto.getRandomValues), not Math.random. We also apply rejection sampling to eliminate modulo bias, so every character in the pool has an exactly equal probability of appearing.
- Is my generated password sent to a server or stored anywhere?
  No. Everything runs locally in your browser. No network request is made, nothing is stored in localStorage or cookies, and the results disappear when you close or refresh the page.
- Can I generate a passphrase, something easier to remember?
  Yes. Switch to Passphrase mode to combine multiple random words with your chosen separator (e.g., Apple-River-7-Tiger). Passphrases are easier to remember and can be very strong with enough words.
- Can I make a password that meets site requirements (uppercase, digit, symbol)?
  Yes. Select the character types you need and enable 'Require at least one of each selected type'. The generator guarantees each selected type appears at least once.
- Can I avoid confusing characters like 0 and O, or l and 1?
  Yes. Toggle 'Exclude ambiguous characters' to remove look-alike pairs (0/O, l/1/I, B/8 and more) from the pool. Great for passwords you'll write by hand or read aloud.
- How long and how strong should my password be?
  As a rule of thumb, aim for 12–16 characters or more and at least 80 bits of entropy. For most accounts stored in a password manager, a 20-character random password or a 5-word passphrase is excellent. Remember: these are estimates, not guarantees.
- Can I generate passwords for multiple accounts at once?
  Yes. Adjust the count slider to create up to 20 passwords at once. Use 'Copy All' to get them all in one go (newline-separated). Give each account its own unique password.
- How should I store my generated passwords?
  Use a password manager. Strong passwords are useless if written on a sticky note or reused. A password manager encrypts and auto-fills them for you. See the related tools section for options.