What is a passphrase and is it more secure than a random password?

A passphrase is a sequence of random words (e.g. 'correct-horse-battery-staple'). It is often more secure than a random-character password because length matters more than complexity, and it is far easier to remember. A 4-word passphrase from a large wordlist can have more entropy than a 12-character random password.

Are generated passwords sent to any server?

No. All password generation happens entirely in your browser using the Web Crypto API. No passwords or any data are ever sent to a server.

← Back to all tools

🔑 Password Generator

Cryptographically secure passwords using crypto.getRandomValues() — no patterns, no predictability.

🔑

Generated Password

— Strength

⚙

Options

Password Length

Character Types

Uppercase

A B C … Z

Lowercase

a b c … z

Numbers

0 1 2 … 9

Symbols

! @ # $ % ^ &

Extra Options

Exclude similar characters (i, I, l, L, 1, o, O, 0) Exclude ambiguous symbols ({ } [ ] ( ) / \ ' " ` ~) Must include at least one of each selected type

💬

Passphrase Generator

ℹ

Passphrases are easier to remember and often stronger than random passwords. Great for master passwords and encryption keys.

Number of Words

Separator

Capitalize each word

Generated Passphrase

📋

Bulk Password Generator

Generates multiple passwords at once using the same options set in the Password tab.

How many passwords?

🕐

Generation History

Session only

🔒

History is stored in memory only — it's cleared when you close the tab. Nothing is ever saved to disk.

Generate a password to see history here

📖

Why This Is Secure

This generator uses crypto.getRandomValues() — the browser's cryptographically secure random number generator, which is designed to be unpredictable even against adversaries. It uses rejection sampling to eliminate modulo bias, ensuring every character in the pool has an exactly equal chance of being selected.

🔒 crypto.getRandomValues()

✓ No modulo bias

✓ Zero server transmission

⚙️

How the Password Generator Works

This generator uses the browser's Web Crypto API (crypto.getRandomValues()) to produce cryptographically secure random passwords. Unlike Math.random() which is predictable, the Web Crypto API uses the operating system's entropy source — making the output suitable for security-critical applications.

You control the character set (uppercase, lowercase, numbers, symbols) and length. The generated password is never sent anywhere — everything runs locally in your browser. The strength indicator estimates entropy based on character set size and length.

Common use cases

Generating strong unique passwords for new accounts
Creating random secret keys and API tokens
Generating passphrases that are easier to remember but still secure
Producing random strings for testing and development

❓

Frequently Asked Questions

Are generated passwords stored anywhere?

No. Passwords are generated entirely in your browser using the Web Crypto API and are never transmitted to any server, logged, or stored. Once you close or refresh the page, they are gone.

How long should a password be?

16 or more characters is recommended for strong security. Longer passwords are exponentially harder to brute-force. For highly sensitive accounts such as email or banking, use at least 20 characters.

What makes a password strong?

A strong password combines uppercase and lowercase letters, numbers, and symbols, and is at least 16 characters long. Avoid dictionary words, personal information, and reusing passwords across sites.

How is this different from Math.random()?

Math.random() is not cryptographically secure and can be predicted with enough samples. This generator uses crypto.getRandomValues() — the browser's CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) — which is unpredictable and safe for security-sensitive uses.

Should I use a passphrase or a random password?

Passphrases (e.g. "correct-horse-battery-staple") are easier to remember and can be just as secure as random passwords when using 4+ words. Random character passwords are better for automated systems where memorability doesn't matter. For human-memorized passwords, passphrases are often the better choice.

Do I need a different password for every site?

Yes. Reusing passwords means a breach on one site exposes all your accounts. Use a password manager (Bitwarden, 1Password) to store unique passwords for each site — you only need to remember one master password.