NordVPN
SponsoredStrict no-logs VPN with 6,400+ servers in 111 countries. Threat Protection blocks ads, trackers, and malware while you work online.
Get NordVPN →Builds passwords using crypto.getRandomValues — the same source banks use, not Math.random. Adjust length and character classes; the entropy meter shows how strong the result actually is.
Most 'password generators' on the web use Math.random(), which is not cryptographically secure — its output can be predicted by an attacker who sees a few prior values. This generator uses crypto.getRandomValues from the Web Crypto API, the same primitive that backs HTTPS sessions and OS-level keychains. Each character is drawn from a uniform distribution over the selected alphabet.
The generation happens entirely in your browser. The password never travels over the network and never touches our servers. Even if our domain were compromised, an attacker would have nothing to steal because nothing is stored.
The strength label is computed from entropy: bits = log₂(alphabet_size) × length. A 10-character lowercase-only password has log₂(26) × 10 ≈ 47 bits — vulnerable to a determined offline attacker. A 16-character password using all four character classes has about 105 bits — strong enough for most uses. The bands are: <50 weak, 50-80 medium, 80-128 strong, ≥128 excellent.
These thresholds correspond roughly to: weak = guessable in days by a moderate attacker; medium = takes a botnet years; strong = no realistic attacker today; excellent = comfortable margin against future attackers including quantum considerations.
The math is unforgiving here: adding one character to your password roughly doubles the search space (depending on the alphabet). Adding one more character class only slightly enlarges it. A 20-character lowercase password has more entropy than a 12-character mixed-case-symbols password, and is easier to type. If you'd rather memorize, pick four random words from a 7000-word list — that's 51 bits, similar to a strong 8-character mixed password.
The 'avoid ambiguous' option excludes characters that look like other characters in many fonts (0/O, I/l/1). This makes the password slightly weaker but easier to read aloud or transcribe. Use it when you might need to type the password from a printed list.
Yes. We use the Web Crypto API's secure random source, not Math.random(). The browser-vendor-supplied implementation is audited and identical to what underlies HTTPS.
Never. Generation, entropy calculation, and copy-to-clipboard all happen locally. We don't have a server endpoint to receive it even if we wanted to.
For online accounts, yes — almost always. For password manager master passwords or encryption keys, go for 24+ characters or use a 6-word passphrase.
It only knows what character classes you enabled. If you enabled lowercase only, the alphabet is just 26 — long passwords are still strong but not as fast to grow.
It's the log₂ of the number of possible passwords your settings could produce. 80 bits ≈ 1.2 × 10²⁴ possibilities — far beyond brute-force reach today.
Yes when allowed. Each symbol roughly adds the entropy of a number plus a letter combined. Some old sites reject them; if so, increase length to compensate.
Use it only when you need to read or type the password manually. Keep it off for password managers — readability cost is wasted there.
Theoretically yes, but with even 50 bits of entropy the chance per pair of generations is 1 in 2⁵⁰ ≈ 10¹⁵. Practically impossible.
Strict no-logs VPN with 6,400+ servers in 111 countries. Threat Protection blocks ads, trackers, and malware while you work online.
Get NordVPN →Managed cloud hosting for WordPress and web apps on DigitalOcean, Vultr, and AWS. Fast setup, no server headaches.
Try Cloudways →Hire freelancers for design, writing, dev, and marketing — or sell your own services. Millions of gigs at every budget.
Browse Fiverr →