What the Password Generator produces
The Password Generator creates strong, random passwords ready to drop into any account or password manager. Hit Generate and you get something like:
kT9$mB&pQ2zX5*nF · Wx7!hY#rL3eA8@cV · pN4?jM%bU6kQ$gZ
Each password is 16 characters by default — long enough to resist brute-force attacks, short enough to type if you ever have to. Length, character classes (uppercase, lowercase, digits, symbols), and quantity are all adjustable. The generator runs entirely in your browser; nothing crosses the network and no password is ever stored.
Why use a password generator instead of making one up
Humans are predictably bad at randomness. Studies of leaked password databases consistently find the same patterns: birth years, names, sequences from the keyboard (qwerty, 12345), single dictionary words with a digit and exclamation mark added. Pick any "random" string yourself and there's a high chance an attacker has seen the pattern before.
A password generator solves three problems at once:
- Real randomness — the output is generated from cryptographic randomness, not from anything you can guess about its source
- Character class compliance — most accounts require at least one uppercase letter, one digit, and one symbol; the generator satisfies these automatically
- Speed — you can produce a fresh password in under a second and paste it straight into a password manager, with no temptation to reuse
The "reuse" problem matters more than people realize. Around 65% of internet users admit to reusing the same password across multiple sites. Once one site gets breached, attackers run those leaked credentials against every other major service — credential stuffing accounts for the majority of automated account takeover attacks. A generator removes the friction that makes reuse tempting in the first place.
How the generator works
Under the hood, the Password Generator uses crypto.getRandomValues() — your browser's cryptographically secure random number generator. This is meaningfully different from Math.random(), which is deterministic and unsuitable for security purposes.
The output of crypto.getRandomValues() is suitable for real account passwords. The same API is used to generate session tokens, encryption keys, and other security-sensitive values in production web applications.
Generation proceeds character by character: the generator samples the chosen alphabet uniformly at random, applies any constraints you set (must include a symbol, must include a digit), and concatenates the result. If you ask for a fresh password it samples again from scratch — there's no relationship between consecutive outputs.
An important detail: the generator will, by default, ensure your password contains at least one character from each enabled class. Without this guarantee, a 16-character password from the full 94-character ASCII alphabet might occasionally lack a symbol, which then fails site-imposed complexity requirements.
Customizing the output
The defaults work for most cases, but every option matters in specific scenarios:
| Option | Default | Range | When to change it |
|---|---|---|---|
| Length | 16 | 4–64 | Increase to 20+ for crypto wallets, master passwords, root accounts |
| Uppercase A–Z | On | On / Off | Off only when a site refuses uppercase (rare) |
| Lowercase a–z | On | On / Off | Always leave on |
| Digits 0–9 | On | On / Off | Always leave on |
| Symbols !@#$… | On | On / Off | Off when a site rejects them; bump length to 20 to compensate |
| Avoid ambiguous | Off | On / Off | On when you'll have to type the password manually (excludes O, 0, I, l, 1) |
For most websites, 16 characters across all four character classes is plenty. The math: 16 characters × ~94 possible symbols per position ≈ 1031 possible combinations. A modern GPU farm running ~100 billion guesses per second would still need on the order of trillions of years to exhaust the space.
For password manager master passwords, crypto-wallet seed phrases, and similarly high-stakes credentials, pushing length to 20–24 is reasonable. The cost of remembering one extra-long password (you only have one) is much lower than the cost of someone cracking it.
Best practices and considerations
A strong password is necessary but not sufficient. The Password Generator handles the "make it random and strong" part; the full picture has a few more pieces:
- One unique password per site. Reuse is the #1 cause of compromised accounts even when individual passwords are strong.
- Use a password manager. 1Password, Bitwarden, KeePass — all of them. The whole point of a generator is that you don't have to remember its output; the manager does.
- Turn on two-factor authentication. Even a leaked password doesn't grant access if 2FA is on. Authenticator apps beat SMS where supported.
- Skip "password complexity questions." Memorable but obscure passphrases (four random words from a dictionary, ~25 characters) are fine for the very few accounts you genuinely need to type — laptop login, phone passcode. Generated random strings are for everything else.
- Don't write passwords in plain text files, sticky notes, or unencrypted notes apps. The password manager exists for this reason.
About length vs complexity: a 20-character lowercase-only password is harder to crack than a 12-character password with all symbols. Length wins. If a site limits both, prioritize getting to 16+ characters before worrying about character variety.
One more thing: don't trust password strength meters on signup pages. Most of them are crude — they reward "P@ssw0rd!" because it has the requested character classes, but it's one of the most-cracked passwords in existence. A truly strong password is one that's both long and unpredictable, and a strength meter can only verify the first half. The Password Generator's output is unpredictable by construction, so any password it produces will easily clear any strength meter you encounter.
Worth knowing about passphrases: a string of four or five random English words (correcthorsebatterystaple is the famous example) can be both memorable and secure, with roughly 50–70 bits of entropy. They're useful for the small set of passwords you genuinely have to type from memory — your password manager's master password, your laptop login, your phone passcode. For everything else, randomly-generated character strings from the Password Generator are shorter, more compatible with site requirements, and equally strong. Use both: passphrases for the few you remember, generated strings for the hundreds you don't.
Related generators
Building a security toolkit or test fixture? A few related Microapp generators round it out:
- UUID Generator — for unique identifiers in databases, API requests, and session tracking. Random v4 by default; cryptographically suitable.
- Random Number Generator — when you need bounded random numbers (dice rolls, lottery picks, sample sizes) rather than character strings.
- MD5 Hash Generator and SHA-256 Generator — for hashing passwords, files, or strings (note: don't store user passwords as raw MD5/SHA-256; use bcrypt or argon2 server-side).
- Email Generator — placeholder addresses for testing. Use the generated addresses with the password generator output for full test fixtures.
Frequently asked questions
Are these passwords actually secure for real accounts?
Yes. The generator uses crypto.getRandomValues(), which is the same secure RNG used to generate session tokens and encryption keys in production apps. A 16-character password from this generator has roughly 1031 possible values — far beyond what current hardware can brute-force. For everyday accounts, master passwords on password managers, and crypto wallet passphrases, the output is suitable.
Is the generated password sent to any server?
No. Generation runs entirely in your browser using JavaScript. Nothing crosses the network. The Microapp server has no record of any password ever generated.
If I generate the same options twice, will I get the same password?
No — that's the point. Each click produces a fresh random sample. There's no relationship between consecutive outputs, even with identical settings.
Should I use the same generated password for multiple accounts?
Never. Reusing passwords across sites is the leading cause of credential stuffing attacks (where leaked credentials from one breach are tried against other services). Generate one per account and store them in a password manager.
What's the strongest setting?
For typical accounts, 16 characters with all four character classes is plenty. For master passwords, encryption keys, or anything you'd consider catastrophic if compromised, push to 20–24 characters with all classes enabled. Beyond that the marginal security gain shrinks.
Why does my bank reject the generated password?
Some sites have legacy character-set restrictions — they reject specific symbols (often $, %, &) or limit length to 12. Turn off symbols and bump the length to 20+ to compensate. That gives you roughly equivalent strength using only letters and digits.
What about "passphrases" — four random words?
Passphrases (correcthorsebatterystaple style) are great for the very few passwords you have to type from memory: laptop login, password manager master password, phone passcode. For everything else, a random string from this generator is shorter, more compatible with site requirements, and equally strong. Use both — the right tool for the right job.
Why are some generated passwords easier to type than others?
Pure chance. The generator samples uniformly from the chosen alphabet, so any individual password might happen to mix similar characters (lots of Os and 0s) or alternate awkwardly between cases. If you'll be typing the password manually rather than copy-pasting, generate a few and pick one that feels right — or enable the "avoid ambiguous characters" option to filter out the trickiest combinations.