Password Generator
This free password generator creates strong random passwords locally in your browser using cryptographic randomness, so no password is ever sent or stored anywhere.
103 bits of entropy · cracked in about 3.4 × 10^13 years (at 10 billion guesses per second)
••••••••••••••••
••••••••••••••••
••••••••••••••••
Examples
How to use
- 1
Choose a length with the slider: 16 characters is a solid default.
- 2
Tick the character sets to include: uppercase, lowercase, numbers, symbols.
- 3
Watch the strength meter update with the entropy and the estimated crack time.
- 4
Copy the password you like or hit Regenerate for a fresh batch.
What makes a password strong?
One number settles it: the entropy, counted in bits. The formula is short, length times log2 of the alphabet size. Tick all four character sets and this generator draws from 87 symbols (26 uppercase, 26 lowercase, 10 digits and 25 punctuation marks), worth 6.44 bits each. A 16-character password therefore carries about 103 bits, well past the 80 bits treated as out of reach for brute force.
Each extra bit doubles the work an attacker faces. That is why the meter jumps so hard when you drag the length slider: going from 8 to 16 characters does not double the strength, it grows the search space by roughly 3 × 10^15.
What does random really mean here?
The characters come from crypto.getRandomValues, the cryptographic generator built into every modern browser, not from Math.random, whose output can be predicted and has no place in a secret. The tool also strips the modulo bias that naive code adds when it maps random bytes onto an alphabet, so each of the 87 symbols turns up with the same probability.
Generation stays on your device. No password is sent, logged or stored, and a page reload wipes the batch. Each result also holds at least one character from every set you ticked, because plenty of sites reject a password that happens to miss a digit or a symbol.
Why does length beat complexity?
Stretching a password helps far more than sprinkling symbols into a short one. The table shows the time to try every combination at 10 billion guesses per second, a fair rate for one modern GPU against a fast hash.
| Length | Letters and digits (62 symbols) | All sets (87 symbols) |
|---|---|---|
| 8 | about 6 hours | about 4 days |
| 12 | about 10,000 years | about 600,000 years |
| 16 | 1.5 × 10^11 years | 3.4 × 10^13 years |
| 20 | 2.2 × 10^18 years | 2.0 × 10^21 years |
An 8-character password falls within hours or days whatever you mix in. Four more characters buy a factor of about 15 million on a 62-symbol alphabet. When a site caps the length, reach for complexity; everywhere else, add characters first.
Why use one password per account?
A strong password stops brute force, not a breach on a site where you reused it. Attackers take leaked email and password pairs and replay them elsewhere, an attack called credential stuffing that works no matter how strong the reused password was. Give each account its own password and let a manager remember them: the ones built into Chrome, Firefox, Safari, iOS and Android all handle this well. That leaves a single strong master passphrase to memorize.
Parameters
Every field of this tool can be prefilled from the URL. Use these query parameters:
| Parameter | Type | Default |
|---|---|---|
| length | number | 16 |
| uppercase | boolean | true |
| lowercase | boolean | true |
| numbers | boolean | true |
| symbols | boolean | true |
| count | number | 3 |
Example : https://www.veltotools.com/generator/password-generator?length=16
API
The same tool is available as a free JSON API, with the same parameters as above. No key, no sign-up.
Frequently asked questions
Updated Jul 17, 2026