Why Human-Chosen Passwords Are the Problem

Every password security study reaches the same conclusion: people are terrible at creating random passwords. We gravitate toward words from our native language, names of people we love, dates that matter to us, and keyboard patterns like "qwerty" or "123456". Attackers know this. Dictionary attacks start with the most common 10 million passwords and work outward using substitution rules — "Password" becomes "P@ssw0rd" becomes "P@55w0rd!" within minutes. A password that feels complex to a human is still predictable to an automated attack. The only genuine solution is to remove human creativity from the process entirely and let a cryptographically secure random number generator do the work instead.

crypto.getRandomValues() — What Makes This Generator Secure

This generator uses crypto.getRandomValues() — the browser's W3C-specified Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). Unlike Math.random(), which is seeded from a predictable state and is explicitly not safe for cryptographic use, crypto.getRandomValues() sources entropy from the operating system's hardware random number generator. This is the same entropy source used by TLS handshakes, SSH key generation, and GPG key creation. The tool also uses rejection sampling to prevent modulo bias — ensuring every character in the pool has exactly equal probability of selection, with no statistical skew that a sophisticated attacker could exploit.

Understanding Entropy — The Real Measure of Password Strength

The entropy display shows bits — calculated as length × log₂(pool size). The pool size is determined by which character classes are enabled: lowercase (26), uppercase (26), digits (10), symbols (~32). All four enabled gives a pool of 94. At 20 characters, that produces 20 × log₂(94) ≈ 131 bits of entropy. Each bit of entropy doubles the required guesses: 131 bits means 2^131 possible passwords. Even a cluster of a billion GPUs each attempting a billion passwords per second would need longer than the age of the universe to exhaust this space. The strength labels (Very Weak through Maximum) map directly to these entropy thresholds, not to superficial pattern rules.

Single Password vs Batch — When to Use Each Mode

Single Password mode is the primary workflow: generate one password, check the entropy and strength bar, adjust length and character sets until you are satisfied, then copy directly into your password manager. The password regenerates automatically as you change any setting. Click the password display or the Copy button to copy — the display border turns green to confirm the copy succeeded. Batch Generate mode creates 5, 10, 20 or 50 passwords at once — all with the same settings, all cryptographically independent. Use batch mode for provisioning multiple user accounts, generating a set of API keys, or creating temporary passwords for a new team where each member needs a unique credential.

The Right Settings for Different Use Cases

  • General online accounts (email, social media): 16–20 characters, all four character sets — targets 100+ bits entropy
  • High-value accounts (banking, crypto wallets): 24–32 characters, all four sets — targets 155+ bits entropy
  • Password manager master password: 24+ characters, all sets — the one password you must memorise; consider writing it down and storing it physically in a secure location
  • Typed passwords (Wi-Fi, device PINs): Enable "Exclude ambiguous chars" to remove O/0, l/1/I, S/5 — prevents misreading when typing by hand
  • API keys and secrets: 32–48 characters, all sets — use batch mode to generate sets of keys for different environments (dev, staging, prod)
  • Temporary user passwords: Batch mode, 16 characters, all sets — require change at first login

After Generating — Safe Handling Practices

A generated password is only as secure as how you handle it after generation. Paste it directly from your clipboard into your password manager — never type it out, never email it to yourself, never store it in a notes app or text file. Use our Password Strength Checker to analyse any existing passwords you want to evaluate before replacing them. For development workflows where passwords need to be hashed for storage, use our Bcrypt Hash Generator to hash them correctly with a salt before storing in your database.

Compliance — Meeting Password Policy Requirements

Most organisational password policies and industry standards have minimum requirements that this generator exceeds by default. PCI-DSS requires 12+ characters with mixed types; HIPAA recommends 12+ with complexity; NIST SP 800-63B recommends length over complexity rules and checking against breach databases. A 16-character password with all four character sets enabled satisfies all of these standards simultaneously. For ISO 27001 compliance and SOC 2 audits, the ability to demonstrate that passwords were generated using a CSPRNG (rather than chosen by users) strengthens your security posture documentation.

Generated Entirely in Your Browser

This tool runs entirely using the Web Crypto API (crypto.getRandomValues()) in your browser. Passwords are generated in memory and never transmitted to ToollyX servers, never logged, and never stored in cookies or localStorage. Once you navigate away, the generated password is gone. This architecture makes the tool safe for generating passwords for banking accounts, email accounts, and cryptocurrency wallets — the highest-sensitivity use cases where any server-side generation would be an unacceptable risk.

Verified by ToollyX Team · Last updated June 2026

Frequently Asked Questions