Pick a style
A random password for fields you paste from a manager, or an EFF Diceware passphrase when you need to type or remember it. Both are built from real randomness, not a pattern.
Free Tool
Passwords worth trusting.
Generate strong random passwords and memorable passphrases, with a live strength read-out. It all runs in your browser, so nothing you create is ever sent to us.
Beyond the password
Strong, unique credentials as the default, not the exception.
20
8128
Generating...
Everything runs in your browser using the Web Crypto API (crypto.getRandomValues). Nothing you generate is sent anywhere or stored.
A strong password is step one, not the whole job.
We roll out password managers and multi-factor authentication across teams, so strong, unique credentials are the default rather than the exception.
How it works
Real randomness, in your browser.
True randomness
Every character or word is drawn from the browser's cryptographic generator (crypto.getRandomValues), with rejection sampling so there is no statistical bias toward any value.
Check, then store it properly
See the entropy and how long each class of attacker would take, then keep it in a password manager and never reuse it across sites.
FAQ
Questions about passwords.
Is this password generator safe to use?
Yes. It runs entirely in your browser and never sends what it generates anywhere. Randomness comes from the Web Crypto API (crypto.getRandomValues), the cryptographically secure generator browsers provide, not from Math.random which is predictable and unsuitable for secrets.
Random password or passphrase, which should I use?
Use a random password (long, mixed characters) for anything you store in a password manager and paste, which is most logins. Use a passphrase (several random words) when you have to type or memorise it, such as your device login, your password-manager master password, or Wi-Fi. A six-word EFF passphrase is roughly 77 bits of entropy, stronger than most random passwords people actually choose.
What is entropy and how much do I need?
Entropy, measured in bits, is how unpredictable the secret is. Each extra bit doubles the work to guess it. As a rough guide: under 40 bits is weak, 60-80 is reasonable for most accounts behind rate limiting, and 80 or more is strong even against an offline attacker with stolen password hashes. The meter shows the figure for each result.
Why exclude look-alike characters?
Characters like O and 0, or l and 1, are easy to misread when a password has to be typed or read aloud from a screen. Excluding them slightly reduces the character pool, which the entropy figure accounts for, in exchange for fewer transcription errors. Leave them in for passwords you only ever copy and paste.
Is a strong password enough on its own?
No. A strong, unique password is the baseline, but multi-factor authentication is what stops most account takeovers, and a password manager is what makes unique passwords practical across dozens of logins. We set both up for teams as part of managed IT and security.