What is a passphrase and is it more secure than a random password?

A passphrase is a sequence of random words (e.g. 'correct-horse-battery-staple'). It is often more secure than a random-character password because length matters more than complexity, and it is far easier to remember. A 4-word passphrase from a large wordlist can have more entropy than a 12-character random password.

Are generated passwords sent to any server?

No. All password generation happens entirely in your browser using the Web Crypto API. No passwords or any data are ever sent to a server.

← Back to all tools

🔑 Password Generator

Cryptographically secure passwords using crypto.getRandomValues() — no patterns, no predictability.

🔑

Generated Password

— Strength

⚙

Options

Password Length

Character Types

Uppercase

A B C … Z

Lowercase

a b c … z

Numbers

0 1 2 … 9

Symbols

! @ # $ % ^ &

Extra Options

Exclude similar characters (i, I, l, L, 1, o, O, 0) Exclude ambiguous symbols ({ } [ ] ( ) / \ ' " ` ~) Must include at least one of each selected type

💬

Passphrase Generator

ℹ

Passphrases are easier to remember and often stronger than random passwords. Great for master passwords and encryption keys.

Number of Words

Separator

Capitalize each word

Generated Passphrase

📋

Bulk Password Generator

Generates multiple passwords at once using the same options set in the Password tab.

How many passwords?

🕐

Generation History

Session only

🔒

History is stored in memory only — it's cleared when you close the tab. Nothing is ever saved to disk.

Generate a password to see history here

📖

Why This Is Secure

This generator uses crypto.getRandomValues() — the browser's cryptographically secure random number generator, which is designed to be unpredictable even against adversaries. It uses rejection sampling to eliminate modulo bias, ensuring every character in the pool has an exactly equal chance of being selected.

🔒 crypto.getRandomValues()

✓ No modulo bias

✓ Zero server transmission

❓

Frequently Asked Questions

Are generated passwords stored anywhere?

No. Passwords are generated entirely in your browser using the Web Crypto API and are never transmitted to any server, logged, or stored. Once you close or refresh the page, they are gone.

How long should a password be?

16 or more characters is recommended for strong security. Longer passwords are exponentially harder to brute-force. For highly sensitive accounts such as email or banking, use at least 20 characters.

What makes a password strong?

A strong password combines uppercase and lowercase letters, numbers, and symbols, and is at least 16 characters long. Avoid dictionary words, personal information, and reusing passwords across sites.

How is this different from Math.random()?

Math.random() is not cryptographically secure and can be predicted with enough samples. This generator uses crypto.getRandomValues() — the browser's CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) — which is unpredictable and safe for security-sensitive uses.

Should I use a passphrase or a random password?

Passphrases (e.g. "correct-horse-battery-staple") are easier to remember and can be just as secure as random passwords when using 4+ words. Random character passwords are better for automated systems where memorability doesn't matter. For human-memorized passwords, passphrases are often the better choice.

Do I need a different password for every site?

Yes. Reusing passwords means a breach on one site exposes all your accounts. Use a password manager (Bitwarden, 1Password) to store unique passwords for each site — you only need to remember one master password.