§

Generation mode

§

Character settings

Drag to set the password length. Range: 4 to 128 characters.
Strips visually similar characters: 0, O, o, 1, l, I, |, and the backtick.
Range: 1 to 50. Each result has its own copy button; Copy all bundles them with newlines.
§

Output

    US security teams generate passwords under the NIST SP 800-63B framework, which deprecated mandatory complexity classes in favour of length and randomness, and which still anchors every FedRAMP, HIPAA, and PCI-DSS password policy review. UK organisations follow the parallel NCSC password guidance, which similarly favours length over symbol-classes and explicitly endorses passphrase-style credentials. This generator emits cryptographically random character strings or EFF-wordlist passphrases entirely through the browser Web Crypto API — never via `Math.random()`, never round-tripped to a server. Useful for one-off API tokens, service-account credentials, or 1Password / Bitwarden seed entries that should never appear in a browser history search.

    // Related Tools

    ./hash-generator
    Hash Generator
    Generate MD5, SHA-1, SHA-256, and SHA-512 digests in your browser.
    ./uuid-generator
    UUID Generator
    Generate RFC 4122 v4/v1 and RFC 9562 v7 UUIDs in your browser.
    ./jwt-decoder
    JWT Decoder
    Decode JSON Web Tokens and verify HS256/384/512 signatures.
    ./
    All Tools
    Browse the full set of Ultim8Soft online tools.

    What makes this password generator different?

    This is a privacy-first, browser-only password generator. Every random byte comes from your operating system's cryptographic random number generator via crypto.getRandomValues — never from Math.random. The page makes no network request to generate a password, and the generated value never leaves your tab. Open the Network panel in DevTools and click Generate: it stays silent.

    How does this password generator work?

    The tool runs entirely in JavaScript inside your browser. There is no server round-trip, no analytics beacon carrying the password, and no remote font request after the page loads.

    1. Seed from the OS CSPRNG. Every random integer is drawn from crypto.getRandomValues(new Uint32Array(n)) — the same cryptographically-secure source the browser uses for TLS key material and crypto.randomUUID. Math.random is intentionally never called; a project-wide grep enforces it.
    2. Charset assembly. Random-character mode concatenates the enabled character classes — uppercase, lowercase, digits, symbols — into a single alphabet. The 'Exclude ambiguous' toggle then strips visually similar glyphs (0, O, o, 1, l, I, |, backtick) so the password is unambiguous when read aloud or copied by hand.
    3. Unbiased index sampling. Mapping a 32-bit unsigned integer to a charset index naively (modulo) introduces a small bias when the charset size does not divide 2^32 evenly. The tool uses rejection sampling: any sample that falls in the modulo tail is discarded and re-drawn, so every character in the charset is equally likely.
    4. Bulk generation. For random-character mode you can request 1 to 50 passwords in a single click. Each result is rendered as a row with its own entropy estimate, strength bucket, and Copy button. The 'Copy all' button joins the rows with newlines so you can paste into a CSV or vault import file.
    5. Passphrase mode. Flip the mode toggle and the page lazily fetches the EFF Short Wordlist #1 (1296 public-domain English words) on first use. Five-word passphrases give about 51.7 bits of entropy — enough for everyday accounts and far more memorable than a 9-character random soup. After that one same-origin fetch, the page is silent again.

    Why use this password generator?

    • Your password never leaves your browser. There is no server endpoint, no analytics call carrying the value, no remote font, no telemetry. Open DevTools, generate a password, and watch the Network panel stay empty.
    • Cryptographically secure randomness, by construction. Every integer comes from crypto.getRandomValues, with rejection sampling against modulo bias. The most common bug in browser password generators — using Math.random for entropy — is structurally impossible here.
    • Two modes, one tool. Random-character mode produces high-entropy strings for password managers; passphrase mode produces human-memorable xkcd-style strings (correct-horse-battery-staple) backed by the EFF Short Wordlist #1. Same privacy model in both.
    • Transparent entropy. Each generated row shows its entropy in bits and a clear strength label, so you can see at a glance whether a 12-character no-symbol string is actually as strong as a 5-word passphrase. No marketing fluff, just the numbers.

    What are common applications of generated passwords?

    Whenever you need a fresh random secret, this is the tool that minimises the trust surface:

    • Password manager imports. Generate 50 strong passwords in one batch, click Copy all, paste into your vault's CSV import. The values never round-tripped through any server, so there is no leak window between generation and storage.
    • Master passphrases. Switch to passphrase mode, pick 6 or 7 words, optionally capitalize each word, and you have a high-entropy string you can actually remember without writing it down. About 62 bits of entropy from 6 words — well above the threshold for an offline attack.
    • API keys and tokens in side projects. Need a one-off shared secret for a webhook signing key or a development database password? Generate a 32-character symbol-rich string here, copy it once, and the only place it ever existed in transit was inside your own browser tab.

    What does a generated password example look like?

    Set length to 16, leave all four character classes enabled, and click Generate. The charset has 26 + 26 + 10 + 32 = 94 characters, so each generated character carries log2(94) ≈ 6.55 bits of entropy. Sixteen characters land at about 104.9 bits — well above the 80-bit 'very strong' threshold and effectively impossible to brute-force with current hardware. Now flip to passphrase mode, pick 5 words with the default hyphen separator: cocktail-sprig-aspect-magenta-tonic carries log2(1296) x 5 ≈ 51.7 bits. Memorable, typeable, and stronger than the average human-chosen password.

    Generate, copy, move on. The page never sees a server, the password never leaves your tab, and the entropy is calculated from first principles. That's the whole promise.