Tools › Developer Tools › Password Generator

Password Generator

Generate a cryptographically secure password in your browser. Set length, choose character types, and copy — no account, no server, nothing stored.

Generated in your browser using the Web Crypto API. Nothing leaves this page.

Length: 16 characters

Uppercase (A–Z) Lowercase (a–z) Digits (0–9) Symbols (!@#$%^&*…) Exclude similar characters (0, O, l, 1, I)

Strong 77 bits

About Password Generator

Password Generator is a free, browser-only tool that creates cryptographically secure random passwords. Every password is generated using window.crypto.getRandomValues() — the Web Crypto API built into all modern browsers. Unlike Math.random(), which is a deterministic pseudo-random function unsuitable for security use, the Web Crypto API draws from your operating system's entropy pool (hardware noise, interrupt timing, and similar sources). The result is statistically indistinguishable from true randomness and safe for use in real credentials.

Understanding entropy

Entropy measures how many bits of information an attacker would need to guess your password by exhaustive search. The formula is: entropy (bits) = log₂(charset size) × length. A password 16 characters long drawn from all printable ASCII (94 characters) has log₂(94) × 16 ≈ 104 bits of entropy. An attacker trying 10¹² guesses per second would need, on average, more than 10¹³ years to crack it.

Why character set design matters

Adding symbols to an uppercase-and-lowercase password at length 16 raises entropy from roughly 95 bits (52-char set) to 104 bits (94-char set). The "Exclude similar characters" option removes 0/O/l/1/I from the pool. This costs a few bits of entropy but prevents transcription errors when a password must be read aloud or typed from a printed sheet. For most digital uses — paste from clipboard into a password manager — leave the option off and keep the full character set.

NIST SP 800-63B guidance

NIST's digital identity guidelines recommend prioritising length over complexity rules, allowing all printable ASCII characters, permitting passwords up to at least 64 characters, and not requiring periodic rotation unless compromise is suspected. This tool follows that spirit: the slider defaults to 16 characters and all character classes are enabled so the entropy meter starts in the "Strong" range.

How to use generated passwords safely

Copy the generated password directly into a password manager (Bitwarden, 1Password, KeePass, or similar). Never store passwords in a plain-text file, email, or note-taking app. Do not reuse passwords across services — each account should have a unique credential. If you generate a password for a team secret, share it through a secrets manager, not through Slack or email.

Use cases

Seed new developer accounts and service credentials with a unique, high-entropy password.
Generate a shared secret for team access to a staging environment or internal tool.
Create a strong placeholder for an API key slot while the real key is being provisioned.
Set a secure local admin password for a new server, workstation, or router.
Get a throwaway password for a single-use account registration before the real credential is set.

Frequently asked questions

Is this tool safe to use?

Yes. Every password is generated entirely in your browser using the Web Crypto API (window.crypto.getRandomValues). No data is sent to any server, logged, or stored. You can verify this by checking the page source or watching network traffic — the generate button triggers no outgoing requests.

What makes a password "strong"?

Strength comes from two factors: character-set size and length. A password drawn from a 94-character set (all printable ASCII) at 16 characters has over 100 bits of entropy — far beyond what any brute-force attack can reach in practice. NIST SP 800-63B recommends prioritising length over complexity. Aim for at least 80 bits of entropy, shown as "Strong" or "Very Strong" in the meter.

How is the randomness generated?

This tool uses window.crypto.getRandomValues() — the same cryptographically secure pseudo-random number generator (CSPRNG) used by browsers for TLS key generation. It is seeded by the operating system entropy pool and is suitable for security-critical applications. It is categorically different from Math.random(), which is not cryptographically secure and must never be used for passwords.

Does AT USE store my password?

No. The password is generated and displayed entirely within your browser tab. Nothing is sent to AT USE servers. The page makes no network requests during password generation. Once you close or reload the tab, the password is gone.

What is the difference between entropy and length?

Length is the number of characters. Entropy (measured in bits) combines length with character-set size: entropy = log2(charset size) × length. A 12-character password from a 26-character lowercase alphabet has about 56 bits of entropy. The same 12 characters from a 94-character full ASCII set yields about 79 bits. Both length and character diversity matter — the entropy meter shows the combined effect in a single number.

Related Tools

Live Developer Tools

JWT Decoder

Decode any JWT instantly — inspect header, payload, and expiry timestamps without a signing key.

Open tool

Live Developer Tools

Color Picker

Pick any color and instantly get the HEX, RGB, and HSL code. Copy any format in one click.

Open tool

Live Developer Tools

Barcode Generator

Generate standard barcodes (Code 128, EAN-13, QR) from any text or number. Download as PNG or SVG.

Open tool

Live Developer Tools

QR Code Generator

Generate QR codes for URLs, text, WiFi networks, or vCards. Download as PNG. No account needed.

Open tool