Password Generator

Generate strong, random passwords and passphrases. Runs entirely in your browser using crypto.getRandomValues().

Security Info

crypto.getRandomValues(): uses your OS's cryptographic random number generator. Nothing is sent to a server.

Entropy guide: 40 bits = weak, 60 = fair, 80+ = strong, 128+ = excellent for most uses.

Passphrases are easier to remember and type. A 5-word passphrase has ~33 bits per word (~165 bits total).

What makes a password strong?

Entropy, a measure of how many equally likely possibilities an attacker must try, and length is its biggest lever. Each character drawn from a 94-symbol pool adds about 6.5 bits, so a random 20-character password (~130 bits) is astronomically harder to crack than a 'complex' 8-character one (~52 bits). Longer beats clever every time: P@ssw0rd! satisfies every complexity rule and falls to a dictionary attack in seconds because humans, not randomness, chose it.

How does this generator work?

Pick random-password or passphrase mode. Passwords range from 4 to 128 characters with toggles for uppercase, lowercase, numbers, symbols, and an option to exclude ambiguous characters like l, I, 1, O, and 0 that get misread when typed from paper. Passphrases combine 3 to 8 dictionary words with your chosen separator, optional capitalization, and an optional number. A live meter shows the entropy in bits, and a session history keeps your last ten results for easy copying.

Is it safe to generate passwords online?

Only if generation happens client-side, and here it does. Every password comes from crypto.getRandomValues(), the browser API backed by your operating system's cryptographically secure random number generator. Nothing is sent over the network, no analytics see the output, and history lives only in memory until you close the tab. You can verify this yourself: open your browser's developer tools, watch the Network tab, and generate. No requests fire.

Should I use a password or a passphrase?

Use long random passwords for anything a password manager fills in for you: you never type them, so unreadability costs nothing. Use passphrases where you must type by hand: disk encryption prompts, OS logins, the manager's own master password, or Wi-Fi keys you read out to guests. A 5-word passphrase with a number reaches about 42 bits with this tool's wordlist, and far more with larger lists like EFF's 7,776-word diceware set.

How is password entropy calculated?

For random passwords it is length times log2 of the pool size: all four character sets give a pool of 88 symbols here, so each character contributes about 6.5 bits. For passphrases it is words times log2 of the wordlist size; what matters is that the words are chosen randomly, not that they are obscure. The meter labels under 40 bits weak, 60+ fair, 80+ strong, and 120+ excellent for long-term secrets.
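The generation and entropy arithmetic described in the answers above, as an added JavaScript example (not this site's source code). The function names and the symbol set are assumptions; the symbol set is constructed to reach the 88-symbol pool mentioned above, and any wordlist passed in is the caller's.

```javascript
// Added example, not this site's source. Outside a browser (Node < 19) it
// falls back to node:crypto's webcrypto for the same getRandomValues() API.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed character sets: the page gives only the pool size (88), so the
// symbol list below is an assumption chosen to reach that size.
const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?/<>",
};
const AMBIGUOUS = new Set("lI1O0");

// Uniform integer in [0, n). Draws that land in the incomplete top slice of
// the 32-bit range are discarded, so the final `% n` carries no modulo bias.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError("bad n");
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webcrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function buildPool(setNames, excludeAmbiguous = false) {
  const chars = [...new Set(setNames.flatMap((name) => [...SETS[name]]))];
  return excludeAmbiguous ? chars.filter((c) => !AMBIGUOUS.has(c)) : chars;
}

function generatePassword(length, pool) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError("bad length");
  if (pool.length < 2) throw new RangeError("pool too small");
  return Array.from({ length }, () => pool[randomBelow(pool.length)]).join("");
}

function generatePassphrase(count, wordlist, separator = "-") {
  const pick = () => wordlist[randomBelow(wordlist.length)];
  return Array.from({ length: count }, pick).join(separator);
}

// Entropy in bits = independent random draws * log2(choices per draw).
const entropyBits = (draws, choices) => draws * Math.log2(choices);
```

With the full 88-symbol pool, entropyBits(20, 88) is about 129 bits; five words from a 7,776-word list give entropyBits(5, 7776), about 65 bits.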

How do I generate a password on the Linux command line?

openssl rand -base64 24 gives a 32-character random string, and tr -dc 'A-Za-z0-9!@#$%' < /dev/urandom | head -c 20 lets you control the character set exactly. For passphrases, shuf -n 5 /usr/share/dict/words picks five random dictionary words. Avoid $RANDOM in shell scripts: it is seeded predictably and tops out at 15 bits, fine for picking a test port but never for credentials.

Common password myths

Forced 90-day rotation makes passwords weaker (users respond with Password1, Password2), which is why NIST SP 800-63B now recommends changing passwords only after suspected compromise, and dropping arbitrary complexity rules in favor of length. The other persistent myth is that a strong password protects you everywhere: reuse is the real killer, since one breached site feeds credential-stuffing attacks against every other account. Use a unique random password per site, stored in a manager.