Password Generator

Weak passwords remain the leading cause of account breaches. Humans are poor at creating truly random strings — we tend toward dictionary words, predictable substitutions (@ for a, 3 for e), and patterns that attackers' dictionaries already include.

This generator uses the Web Crypto API (crypto.getRandomValues), the same cryptographic source used by password managers and banking applications, to produce passwords with genuine randomness. Choose your length, toggle character sets (uppercase, lowercase, digits, symbols), and exclude ambiguous characters (0/O, l/1/I) for readability.

When you actually need this: setting up a new email account where a compromise cascades into other services through password reset links; spinning up a database or server admin user that must resist offline cracking attempts; generating a shared Wi-Fi password that's strong enough to deter brute-force attempts yet memorable enough to share at a meeting. Each of these has slightly different requirements — for Wi-Fi you might drop symbols; for database credentials you probably want to keep them; for email you should go 16+ characters either way.

Under the hood, crypto.getRandomValues fills a typed array with bytes drawn from the operating system's hardware entropy pool (e.g., /dev/urandom on Linux, BCryptGenRandom on Windows, SecRandomCopyBytes on macOS). Each byte is mapped into the selected character set using rejection sampling to avoid modulo bias, so every character is exactly equally likely within the chosen alphabet. An entropy-bits estimate under the length slider tells you roughly how many tries an attacker would need: 16 characters from the full 94-symbol printable ASCII set is 16 × log2(94) ≈ 105 bits, which is overkill for any online account subject to rate-limiting and still strong against offline GPU cracking.

Compared to coming up with 'Tr0ub4dor&3'-style personal favorites, a machine-generated random string is both stronger and faster to produce — and because each generated password exists only in your browser and is never transmitted, stored, or logged anywhere, you can generate a fresh one for every site without worrying about where the strings live in transit. If you then need to store the password hashed rather than in plaintext, a create MD5 or SHA-512 checksums tool handles that transformation locally, and you can encode special characters for URLs if the password needs to ride in a query string.