Skip to content
epitometool

Password generator

Generators

Strong random passwords with length and charset controls.

Updated

Mode

Quick presets

Options

  • GGenerate
  • CCopy all
Randomness comes from crypto.getRandomValues. Entropy shown is computed as length × log2(charset).

Quick start

How to generate a strong password

Pick a mode, tune the options, copy the result — all in your browser. Nothing is uploaded.

  1. Step 1
    Pick a mode or preset

    Random password for accounts your manager autofills, passphrase for things you have to type, PIN for device locks, or use a preset for a sensible default.

  2. Step 2
    Tune length and classes

    Drag the length slider until the entropy bits look comfortable. Toggle classes (uppercase / digits / symbols) and exclude ambiguous characters if you'll be reading from print.

  3. Step 3
    Copy or download

    Click Copy, paste into your password manager and forget it. For batch use, set bulk count and download a .txt list.

In-depth guide

Complete guide to picking a strong password

This tool generates passwords, passphrases and PINs entirely in your browser using a cryptographically secure RNG. Every result comes with an honest entropy number so you can tell exactly how strong it is — not just a vague colored bar.

Which mode should I use?

  • Password — random characters from your chosen classes. Densest entropy per char, best for accounts a password manager will autofill.
  • Passphrase — random words. Easier to read aloud and type on phones. Default 5 words (~46 bits) is fine for everyday use; 7-9 words for master / disk-encryption passwords.
  • PIN — numeric only. Use for device locks; 6 digits is the modern minimum.
  • Pronounceable — alternating consonant-vowel syllables for password that's easier to dictate. Lower entropy per char — set the length accordingly.

Reading the entropy number

Entropy bits = length × log2(charset_size). A few benchmarks (assuming a fast attacker at 100 billion guesses/sec):

  • < 40 bits — minutes to hours. Don't reuse, change immediately.
  • 40-60 bits — days to years against a sophisticated attacker. Fine for low-stakes accounts.
  • 60-80 bits — centuries. Strong for any individual account.
  • 80+ bits — effectively unbreakable against today's hardware. Use for master / vault keys.

Using the quick presets

The presets are tuned for common real-world contexts. Pick one to bypass option-tweaking:

  • Web account — 16 chars with all classes. Default-safe for any signup.
  • Wi-Fi — 20 chars, no ambiguous characters and no symbols (some routers reject them).
  • DB-safe — drops symbols that need escaping in SQL strings.
  • Vault token — 32 chars, all classes. Use when storing inside a password manager.
  • Passphrase 6 — 6-word, dash-separated. Good middle ground for memorability.

Privacy and trust

Generated locally. Bytes from crypto.getRandomValues, no server round-trip. The optional breach check uses HaveIBeenPwned's k-anonymity API: only the first 5 characters of your password's SHA-1 hash are sent, and matching is done locally.

Best practice: generate once here, paste straight into your password manager (1Password, Bitwarden, Apple Passwords, browser built-in), and never look at the password again.

Frequently asked questions

Where does the randomness come from?

Every character (or word in passphrase mode) is picked using crypto.getRandomValues — your browser's cryptographically secure PRNG. We use rejection sampling to avoid modulo bias, so each character of the chosen alphabet is equally likely.

What does 'entropy bits' mean and how many should I aim for?

Entropy is log2(charset_size) × length. 60 bits is comfortably strong against everyday attackers; 80+ bits is overkill for almost any individual account. For high-value vault master passwords, aim for 100+ bits — easiest reached with a 7-9 word passphrase.

Random password vs passphrase — which is better?

Random passwords are denser (more entropy per character) but hard to type. Passphrases are typeable on phones and TVs and you can memorize a few words. For accounts you autofill from a password manager, random. For your master password or Wi-Fi, passphrase.

Is the HaveIBeenPwned check safe?

Yes — it uses k-anonymity. Only the first 5 characters of the SHA-1 hash of your password are sent. The API returns a list of matching suffixes and we check locally. Your full password never leaves the device. The check is opt-in.

Why does the same options + Generate produce a different password every time?

Because the source of randomness is fresh CSPRNG bytes each time. There is no seed, no Math.random, and no server-side cache.

Can I bulk generate for testing or seeding a vault?

Yes — set 'Bulk count' up to 1 000 and download the result as a plain text file. Nothing is uploaded.

What is the 'no ambiguous' option?

Strips characters that look identical in many fonts: 0/O, 1/l/I, |/`/'. Use this for passwords you'll type from a printed copy or read aloud.

Keep exploring

More tools you'll like

Hand-picked utilities that pair well with the one you're on — all free, client-side, and zero-signup.

More generators

See all →

Popular across EpitomeTool

Browse all →
Browse all 59+ free tools