Password Generator
Generate strong passwords instantly. Uses Web Crypto API. 100% client-side.
Why Strong Passwords Matter
Weak passwords are the #1 cause of account breaches. This generator uses the Web Crypto API (crypto.getRandomValues) — the same cryptographic random number generator used by banks and security software.
Password vs Passphrase
Passphrases (random words joined together) are easier to remember and often stronger than short complex passwords. A 4-word passphrase has roughly 50+ bits of entropy.
Frequently Asked Questions
How does this generator create random passwords?
It uses the Web Crypto API function crypto.getRandomValues(), which provides cryptographically secure random numbers. This is the same random number generator used by banks, VPNs, and security software. Unlike Math.random(), which is predictable, Web Crypto randomness cannot be guessed or reproduced.
Is a longer password always more secure?
Length is the single most important factor in password strength. Each additional character multiplies the number of possible combinations exponentially. A 12-character password with mixed characters has about 72 bits of entropy, while a 20-character password has about 120 bits — making it billions of times harder to crack.
Should I use a password or a passphrase?
Passphrases (random words joined together like "correct-horse-battery-staple") are easier to remember and often stronger than short complex passwords. A 4-word passphrase has about 50 bits of entropy, equivalent to a 10-character random password. For maximum security, use a 5-6 word passphrase.
Is it safe to generate passwords in a browser?
Yes, when the generator uses Web Crypto API and runs client-side. This tool never sends your passwords to any server. The generated passwords exist only in your browser memory until you close the page. We recommend using a password manager to store generated passwords securely.
How This Password Generator Works
This tool uses crypto.getRandomValues() — the Web Crypto API built into every modern browser. This is the same cryptographic random number generator used for TLS connections and browser security operations. Every character is selected with equal probability from your chosen character set, ensuring maximum entropy with no predictable patterns.
Unlike pseudo-random generators seeded by time or mouse movement, crypto.getRandomValues() draws from the operating system's entropy pool (hardware events, CPU timing, network activity). The generated password is never transmitted anywhere — not to ToolPry's servers, not to any analytics service. You can verify this by opening the browser's network inspector before clicking Generate: no requests will appear.
Choosing the Right Password Length
A 16-character password using uppercase, lowercase, digits, and symbols has approximately 105 bits of entropy — far beyond what any foreseeable brute-force attack can crack. For most accounts stored in a password manager, 16 characters is the recommended minimum. For high-value accounts like email, banking, or your password manager master password, use 20 characters or a Diceware passphrase of 5–6 randomly selected words.
Read our in-depth guide: How Strong Is My Password? Entropy, Crack Times Explained.
Frequently Asked Questions
Are the passwords generated here truly random?
Yes. The Web Crypto API's getRandomValues() produces cryptographically secure random numbers, meaning they are statistically indistinguishable from true randomness and cannot be predicted even with knowledge of previous outputs.
Should I use a password manager?
Yes. A password manager lets you use a unique random password for every site without memorising them. Generate passwords here, then store them in Bitwarden (free, open-source), 1Password, or your browser's built-in manager. The only password you need to memorise is your manager's master password — make that one a Diceware passphrase.
Why does the site ask me to enable symbols?
Symbols expand the character set from 62 (letters + digits) to approximately 94 printable ASCII characters. This adds about 6 bits of entropy to each character position — equivalent to adding roughly one extra character at the same length. Many sites restrict which symbols are allowed, so the option to enable or disable them lets you match the site's requirements.