Password Generator
Strong random passwords or XKCD-style passphrases. Crypto-secure, ambiguous-char exclusion, entropy meter.
published
- [FREE]
- [NO_SIGNUP]
- [NO_UPLOAD]
A password generator produces cryptographically random passwords, XKCD-style passphrases, or memorable sentence passwords in your browser. The generator uses crypto.getRandomValues (browser-native CSPRNG); nothing about the password ever leaves the page.
Password vs passphrase vs sentence
| Password | Passphrase | Sentence | |
|---|---|---|---|
| Example | Tk@9bQ#xLm2v | brave-cedar-meteor-violet | BlueFoxJumps42River |
| Length | 12-20 typical | 4-6 words | fixed 5-part grammar |
| Entropy at default | ~75 bits | ~30-40 bits | ~34 bits |
| Memorable? | no | yes | yes — story-like |
| Typeable on mobile? | painful | easy | easy |
| Best for | password manager auto-fill | manual entry (TV login, master password) | low-stakes accounts paired with 2FA |
Entropy targets
- < 36 bits: weak. Crackable offline in hours.
- 36-60 bits: reasonable. OK with rate-limiting.
- 60-80 bits: strong. Safe against offline attacks for years.
- 80-128 bits: very strong. Default for cryptographic keys.
- > 128 bits: very strong. Used for long-term secrets.
The meter shows what your settings achieve.
Privacy
Generated locally via crypto.getRandomValues. No upload, no analytics, no storage. Don’t paste output into “password strength checker” sites — they defeat the privacy.
Related tools
- Hash Generator — fingerprint files, not passwords.
- Base64 Encoder — when you need URL-safe random bytes.
- UUID Generator — for non-password random IDs.
Frequently asked questions
Is this generator cryptographically secure?
Yes. All randomness comes from crypto.getRandomValues — the browser-native CSPRNG. Same source WebCrypto uses. Math.random is never touched.
Why a passphrase mode?
XKCD-style passphrases (4-6 random words separated by hyphens) often have more entropy than a typical 12-char password and are far easier for humans to remember and type. correct-horse-battery-staple is ~44 bits; a strong human-typeable equivalent is rare.
What does the entropy meter measure?
log2(alphabetSize) × length for character passwords, log2(wordSpace ^ wordCount) for passphrases. Above 60 bits is strong; above 80 is excellent. Below 36 is weak.
Should I paste my generated password into a strength checker site?
No. That defeats the privacy story — you would be sending your password to a third party. The entropy meter here is computed locally and is accurate by construction.
Is the passphrase word list secure?
It is a curated list of ~200 short common words. Adequate for personal passphrases. For high-security applications (Bitcoin BIP39 seeds, etc) use the official lists — those have specific cryptographic properties.
What is sentence mode?
A new mode that builds a memorable phrase from a fixed grammar: Adjective + Noun + Verb + 2-digit number + Noun (e.g. "BlueFoxJumps42River"). Easier to recall than random words, with ~34 bits of entropy at default — fine for low-stakes accounts paired with a password manager or 2FA, not for master passwords.
Does this store any of my passwords?
No. Generated locally, never sent anywhere, never stored. Use a real password manager for storage.
Is the password generator really free?
Yes. No signup, no account, no ads, no telemetry.