Password Generator Online — Free Secure Password, Passphrase & PIN Generator

How to Password Generator Online

1. 1

   Choose your generation mode — Random Password, Passphrase, or PIN — using the mode tabs at the top of the left panel.

2. 2

   For random passwords: set the length using the slider (4–128 characters) and toggle character sets — uppercase (A-Z), lowercase (a-z), digits (0-9), and symbols (!@#$%). Enable 'Exclude ambiguous' to remove confusing characters like 0/O and 1/l/I.

3. 3

   For passphrases: set the word count (3–10 words), choose a separator (hyphen, space, period, etc.), and optionally add a random number or symbol for extra entropy. Words are drawn from the EFF Diceware wordlist.

4. 4

   Click Generate or press ⌘↵ to create your password. A new password is also generated automatically whenever you change settings.

5. 5

   Review the strength analysis on the right: entropy bits, crack time estimates across 5 attack scenarios, and compliance badges for NIST 800-63B, OWASP, and PCI-DSS standards.

6. 6

   Use the Presets button for application-specific passwords — Wi-Fi WPA2, API keys, JWT secrets, database passwords, SSH passphrases, encryption keys, TOTP secrets, and backup codes.

7. 7

   Copy the password with the Copy button or ⌘⇧C. Use Bulk mode (⌘⇧B) to generate up to 100 passwords at once.

Password Generator Features

• ✓

  Cryptographically secure randomness: all passwords generated using crypto.getRandomValues() — never Math.random(). Zero modulo bias via rejection sampling.

• ✓

  Three generation modes: Random Password (configurable character sets), Passphrase (Diceware EFF wordlist), and PIN (numeric codes).

• ✓

  Configurable length from 4 to 128 characters with a visual slider and direct numeric input.

• ✓

  Character set toggles: uppercase A-Z, lowercase a-z, digits 0-9, and configurable symbols set. At least one set must be active.

• ✓

  Exclude ambiguous characters (0/O, 1/l/I) to avoid transcription errors when sharing passwords verbally or in print.

• ✓

  Must-include-all option: guarantees the password contains at least one character from every active set.

• ✓

  No repeating characters option: ensures each character appears at most once in the password.

• ✓

  Begin with letter option: forces the first character to be a letter — useful for systems that require alphabetic-start passwords.

• ✓

  Diceware passphrase generation using the EFF Long Wordlist (7,776 words). Configurable word count, separator, capitalization, and optional number/symbol augmentation.

• ✓

  10 application-specific presets: Wi-Fi WPA2, API Key, SSH Passphrase, Database Password, JWT Secret, Encryption Key (256-bit), TOTP Secret (Base32), Backup Codes, Username, and Memorable Password.

• ✓

  Real-time entropy analysis: calculates bits of entropy using log₂(pool_size^length) for character-based passwords and log₂(wordlist_size^word_count) for passphrases.

• ✓

  Crack time estimates across 5 attack scenarios: online throttled (100/hour), online unthrottled (10/sec), offline slow hash like bcrypt (10K/sec), offline fast hash like MD5 (10B/sec), and massive GPU cluster (1T/sec).

• ✓

  Compliance checking: validates against NIST 800-63B, OWASP password requirements, and PCI-DSS standards with pass/fail badges.

• ✓

  Strength rating scale: Very Weak, Weak, Fair, Strong, Very Strong, Excellent — based on entropy thresholds with color-coded visual meter.

• ✓

  Bulk generation: create up to 100 passwords at once with per-row copy buttons and Copy All functionality.

• ✓

  Per-character color coding: uppercase (blue), lowercase (white), digits (green), symbols (amber) for visual verification.

• ✓

  Works entirely in your browser — no passwords are ever sent to any server. Zero network requests during generation. Your passwords stay completely private.

• ✓

  Keyboard shortcuts for power users: ⌘↵ to generate, ⌘⇧R for random, ⌘⇧P for passphrase, ⌘⇧B for bulk, ⌘⇧C to copy.

Frequently Asked Questions

Is this password generator safe to use?

Yes. All passwords are generated entirely in your browser using the Web Crypto API (crypto.getRandomValues()), which provides cryptographically secure pseudo-random numbers. No passwords are ever transmitted to a server, stored, or logged. The source code is open and auditable. This is the same random number generator used by password managers like 1Password and Bitwarden.

Is this password generator free?

Yes, completely free with no usage limits. All password generation, strength analysis, and bulk generation runs directly in your browser — no account, subscription, or signup required.

How long should my password be?

For random character passwords: at least 16 characters with mixed character types for general use, 20+ for high-security accounts, and 32+ for cryptographic secrets like API keys. For passphrases: at least 4 words (about 51 bits of entropy with the EFF wordlist). The strength meter and crack time estimates help you make informed decisions based on your specific threat model.

What is entropy in password strength?

Entropy measures the unpredictability of a password in bits. Higher entropy means the password is harder to guess. For character-based passwords, entropy = length × log₂(pool_size). A 16-character password using uppercase, lowercase, digits, and symbols (95-character pool) has about 105 bits of entropy. For passphrases, entropy = word_count × log₂(wordlist_size). A 4-word passphrase from a 7,776-word list has about 51 bits.

What is a passphrase and why is it better?

A passphrase is a password made of random words (e.g., 'Correct-Horse-Battery-Staple'). Passphrases are generally better than short random passwords because they are easier to remember while providing high entropy. A 5-word passphrase from the EFF wordlist (~64 bits) is more memorable than a random 10-character password (~66 bits) with similar security. The Diceware method used here ensures words are selected with true randomness, not human bias.

What is the EFF Diceware wordlist?

The EFF (Electronic Frontier Foundation) Long Wordlist contains 7,776 common English words, each between 3 and 9 characters. It was designed specifically for generating Diceware passphrases with optimal memorability. Each word adds log₂(7776) ≈ 12.9 bits of entropy. The list avoids offensive words, homophones, and easily confused words. It is the most widely recommended wordlist for passphrase generation.

What do the crack time estimates mean?

Crack times estimate how long it would take an attacker to try every possible password using different attack methods. Online Throttled (100/hour) simulates rate-limited login pages. Online Unthrottled (10/sec) simulates an API without rate limiting. Offline Slow (10K/sec) simulates cracking bcrypt/Argon2 hashes. Offline Fast (10B/sec) simulates cracking unsalted MD5/SHA hashes. Massive GPU (1T/sec) simulates a state-level attacker with massive hardware. The estimate shows the average (50th percentile) crack time.

What is NIST 800-63B compliance?

NIST Special Publication 800-63B is the U.S. government standard for digital identity authentication. For passwords, it requires: minimum 8 characters (or 6 for PINs), no composition rules (all character types must be allowed), no truncation of passwords, screening against known breached passwords, and no mandatory periodic password changes. This tool checks the length and composition requirements.

Should I exclude ambiguous characters?

Enable 'Exclude ambiguous' when you need to share a password verbally, write it down, or type it on an unfamiliar keyboard. It removes characters that look similar: 0 (zero) and O (letter), 1 (one) and l (lowercase L) and I (uppercase i). This slightly reduces entropy but significantly reduces transcription errors. For passwords stored in a password manager, leave it disabled for maximum entropy.

What are the application presets?

Presets configure the generator for specific use cases with optimal settings. Wi-Fi WPA2 generates the maximum 63-character key. API Key creates URL-safe 32-character tokens. JWT Secret generates 64-character Base64-safe strings for HMAC signing. Database Password avoids characters that cause escaping issues in connection strings. Encryption Key produces 64 hex characters (256 bits). Each preset includes a use case description.

Can I generate multiple passwords at once?

Yes. Click the Bulk button or press ⌘⇧B to generate up to 100 passwords at once. Each password in the list has its own copy button, and you can copy all passwords at once separated by newlines. Bulk mode uses the same settings as single generation.

Does it work offline?

Yes. All generation logic and the EFF wordlist are bundled with the page as JavaScript. Once the page has loaded, the Password Generator works without an internet connection — no network requests are made during password generation.

Related Developer Tools

• Hash GeneratorGenerate and verify cryptographic hashes with multiple algorithms.
• UUID GeneratorGenerate, validate, and decode UUIDs, ULIDs, and Nano IDs instantly.
• Base64 Encode/DecodeEncode and decode Base64 strings, files, and data URIs instantly.
• JWT DecoderDecode, inspect, and validate JWT tokens with claim analysis.