UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

Password Generator

Generate strong random passwords

About Password Generator

Password Generator on UtilityKit creates cryptographically strong random passwords entirely in your browser using the Web Crypto API's window.crypto.getRandomValues — the same entropy source used by security software and operating system key generators. Choose a length from 8 to 128 characters, toggle character sets (uppercase, lowercase, digits, symbols), exclude ambiguous characters like 0, O, l, and 1 that are hard to read in certain fonts, and require at least one character from each enabled set to guarantee charset compliance. Generated passwords are never transmitted to any server, never logged, and vanish when you close the tab. The tool is designed for situations where you need a strong, unique password immediately — creating a new account, rotating a shared service credential, or generating a Wi-Fi passphrase — without exposing the value to a server.

Why use Password Generator

Cryptographic Entropy

Uses window.crypto.getRandomValues — OS-level entropy — not Math.random(). The difference matters: Math.random() is predictable; the Web Crypto API is not.

Zero Transmission

Generated passwords are never sent to any server. The entire generation process runs in your browser and the result exists only in your clipboard and on screen.

Custom Charset Control

Enable or disable uppercase, lowercase, digits, and symbols independently to match the exact requirements of any password policy without manual character-by-character editing.

Ambiguous Character Exclusion

One-click removal of characters that look alike (0/O, l/1/I) prevents transcription errors when a password must be read from a screen or printed page.

Strength Feedback

An entropy-bit indicator and crack-time estimate give actionable feedback — you can see exactly how much stronger a 20-character password is than a 12-character one.

Instant and No Install

No extension, no app, no account. Works in any browser on any device — generate a password at the command line, from a shared computer, or on mobile in seconds.

How to use Password Generator

  1. Set your desired password length using the slider or number input. Common recommendations: 16+ characters for most accounts, 24+ for admin credentials, 32+ for API keys and service accounts.
  2. Toggle the character sets you need: uppercase (A–Z), lowercase (a–z), digits (0–9), and symbols (!@#$%^&* etc.). At minimum, enable two character sets for any production password.
  3. Optionally check 'Exclude ambiguous characters' to remove 0, O, l, 1, I from the charset — useful for passwords that will be read aloud or typed manually from a screen.
  4. Click Generate. The tool uses window.crypto.getRandomValues to draw from OS-level entropy — not Math.random() — ensuring cryptographic unpredictability.
  5. Review the password strength indicator showing estimated entropy bits and crack-time estimate for your selected settings.
  6. Click Copy to clipboard, then immediately paste into your target field or password manager. Generate a new password if you need an alternative without adjusting settings.
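
The steps above, written out as an added JavaScript example (not UtilityKit's source code): rejection sampling over window.crypto.getRandomValues so every character is equally likely, ambiguous-character exclusion, the "require one from each set" replacement pass, and the entropy estimate. The function names and the symbol set are assumptions, since the page does not list them.

```javascript
// Added example, not UtilityKit's source; names and the symbol set are assumptions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback for older Node

const SETS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.<>?', // assumed; the page does not list its symbols
};
const AMBIGUOUS = '0Ol1I';

// Uniform integer in [0, n): reject draws at or above the largest multiple of n,
// so `% n` cannot favour low indexes (modulo bias).
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function buildPools(sets, excludeAmbiguous) {
  return sets.map((name) =>
    [...SETS[name]].filter((c) => !(excludeAmbiguous && AMBIGUOUS.includes(c))));
}

function generatePassword({ length, sets, excludeAmbiguous = false, requireEach = true }) {
  const pools = buildPools(sets, excludeAmbiguous);
  const all = pools.flat();
  if (all.length === 0 || length < pools.length) throw new RangeError('bad settings');
  const out = Array.from({ length }, () => all[randomIndex(all.length)]);
  if (!requireEach) return out.join('');
  const count = (pool) => out.filter((c) => pool.includes(c)).length;
  for (const pool of pools) {
    while (count(pool) === 0) {
      const i = randomIndex(length);
      const owner = pools.find((p) => p.includes(out[i]));
      // Overwrite only where the displaced character's set stays represented.
      if (count(owner) > 1) out[i] = pool[randomIndex(pool.length)];
    }
  }
  return out.join('');
}

// Entropy of a uniform draw: length * log2(pool size). With requireEach on this is
// a slight overestimate, because non-compliant strings are no longer possible.
function entropyBits(length, sets, excludeAmbiguous = false) {
  return length * Math.log2(buildPools(sets, excludeAmbiguous).flat().length);
}
```

The check `length < pools.length` matters for the replacement pass: with fewer characters than enabled sets, no assignment can satisfy the policy and the loop would never finish.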

When to use Password Generator

  • When creating a new account on any service and you want a unique, strong password that is not reused from another site.
  • When rotating a compromised or weak password for a critical service — database root, cloud admin console, or API key — and you need something strong immediately.
  • When generating a Wi-Fi passphrase for a new network and you want something long enough to be secure but can exclude ambiguous characters for easier manual entry on devices.
  • When a system requires a password that satisfies specific complexity rules (must include symbol, no ambiguous chars, minimum 16 chars) and you want to match those rules precisely.
  • When you need a temporary password to hand to a new team member before they set their own, and you want it strong enough to be safe during the handoff window.
  • When testing authentication systems and you need a large batch of valid passwords matching defined complexity rules for load testing or integration test fixtures.

Examples

Strong admin password (all charsets, 24 chars)

Input: Length: 24 | Upper: on | Lower: on | Digits: on | Symbols: on | Exclude ambiguous: off

Output (example): mK#7vP@qR2sX!nL5wY&jD0eF — ~152 bits of entropy. Suitable for admin console, database root, or privileged service account.

Readable Wi-Fi passphrase (no ambiguous, 20 chars)

Input: Length: 20 | Upper: on | Lower: on | Digits: on | Symbols: off | Exclude ambiguous: on

Output (example): GkM3NpV8rTxW5HzQ9bYc — ~118 bits of entropy. Easy to type on a TV remote or gaming console without misreading 0/O or l/1.

API key–style token (alphanumeric, 32 chars)

Input: Length: 32 | Upper: on | Lower: on | Digits: on | Symbols: off | Exclude ambiguous: off

Output (example): aB3cD7eF1gH4iJ8kL2mN5oP9qR6sT0uV — ~190 bits of entropy. Suitable as a randomly generated API key or session token.

Tips

  • Generate passwords of at least 20 characters for any account you consider critical — the marginal length cost is zero, and longer passwords are exponentially harder to brute-force.
  • Enable all four character sets (upper, lower, digits, symbols) by default and only disable symbols when the target site explicitly rejects them; in that case, switch to a longer length to compensate.
  • After generating, copy immediately and paste into your password manager's notes field before pasting into the target site. This reduces the risk of losing the password if the site rejects it for some reason.
  • Use the ambiguous-character exclusion only for passwords that will be read aloud or typed manually; for passwords pasted directly from a manager, keep all characters enabled for maximum entropy.
  • If you need multiple passwords (e.g. for a batch of test accounts), click Generate repeatedly — each click draws new entropy independently and produces a fully different password.

Frequently Asked Questions

Is this password generator truly random?
Yes. The generator uses window.crypto.getRandomValues, which draws from the operating system's cryptographically secure pseudorandom number generator (CSPRNG) — the same entropy source used by TLS, SSH key generation, and cryptographic libraries. It is not based on Math.random(), which is unsuitable for security-sensitive generation.
Is my generated password stored anywhere?
No. Passwords are generated in memory in your browser and displayed on screen. Nothing is transmitted to any server, logged in any database, or stored in browser storage. When you navigate away or close the tab, the password is gone.
How long should my password be?
Security researchers and NIST SP 800-63B recommend at least 15–16 characters for human-chosen passwords, though a randomly generated 12-character password with mixed charset already provides ~70 bits of entropy. For admin accounts, API keys, and database passwords, 24–32 characters is a practical standard.
Why does the 'Require one from each set' option exist?
A random draw might occasionally produce a password using only one character set by chance. The enforce option runs a post-generation check and replaces characters to guarantee at least one from each enabled set — needed to satisfy strict password policies that mandate complexity minimums.
What does entropy mean in the strength indicator?
Entropy (measured in bits) is the base-2 logarithm of the number of possible passwords with your current settings. Each bit doubles the search space: 70 bits = 2^70 possible passwords. Modern offline attacks can try ~10^12 passwords per second, so 70 bits provides roughly 35 years of resistance with current hardware.
Should I exclude symbols if the site doesn't allow them?
Yes — if a service rejects symbol characters, disable the symbols toggle before generating. Compensate by increasing length: a 20-character alphanumeric password provides approximately as much entropy as a 16-character password with symbols.
Can I generate multiple passwords at once?
Click Generate repeatedly to produce multiple candidates without changing any settings. Each click draws fresh entropy and produces a completely independent password.
How does this compare to a password manager's built-in generator?
Both use cryptographic entropy and produce equally strong results. The advantage of a dedicated tool is availability — no extension needed, works from any browser or shared machine, and you can verify the source charset and length settings directly. Always store the generated password in a password manager immediately after creation.

Glossary

CSPRNG
Cryptographically Secure Pseudorandom Number Generator — an algorithm that produces random numbers indistinguishable from true randomness for cryptographic purposes. window.crypto.getRandomValues is a browser CSPRNG backed by OS entropy.
Entropy (bits)
A measure of unpredictability expressed as log2(possible combinations). A password with 70 bits of entropy has 2^70 possible values — the larger the number, the more resistant the password is to brute-force attacks.
Character Set
The pool of characters a password is drawn from. Typical sets are uppercase (A–Z, 26 chars), lowercase (a–z, 26 chars), digits (0–9, 10 chars), and symbols (!@#$%^&* etc., ~32 common chars). Larger pools increase entropy per character.
Brute-Force Attack
A password-cracking method that tries every possible combination of characters systematically. The time required grows exponentially with password length and charset size, which is why entropy is the primary measure of password strength.
Ambiguous Characters
Characters that look visually similar in many fonts and can be misread when transcribed manually: 0 (zero) and O (capital O), 1 (one) and l (lowercase L) and I (capital i). Excluding them reduces transcription errors without meaningful entropy loss for long passwords.
NIST SP 800-63B
A US National Institute of Standards and Technology publication that provides guidelines for digital identity and password policy. Key recommendations include favouring length over complexity rules and not requiring periodic rotation without evidence of compromise.