Password Generator
A strong random password, made on your device and never stored.
The best password is one nobody can guess and nobody has seen, including the site that made it. This tool builds a strong random password entirely in your browser, using your device's secure random generator. Set the length, choose the characters, and copy it straight into your password manager. Nothing is stored, and nothing is sent anywhere.
How to use it
Three choices and a copy. The defaults are already strong, so you can press Generate and paste, or adjust first.
Longer is stronger
Drag the slider to the length you want. Twenty characters or more is a good default for anything kept in a password manager, since you never type it by hand.
Keep the mix wide
Leave lower case, upper case, digits and symbols on for the strongest result. Turn one off only if a site refuses it, and turn on avoid look-alikes if you will need to read the password by eye.
Paste it into your manager
Press Generate until you have one you are happy with, then Copy and paste it straight into your password manager as you create or change the account. Do not try to memorise it.
Why this is safe
A password tool is only as trustworthy as what it does with the password. This one is built to do as little as possible.
Every password is made on your device using the browser’s secure random generator, the same kind of randomness used for encryption keys. It is shown on screen and put on your clipboard when you ask, and that is all. There is no server in the loop, no account, no logging, and nothing written to storage. Close the tab and the password is gone unless you saved it yourself.
The strongest proof is simple: turn off your connection and the tool still works, because there was never anything to send.
Once you generate a password, its only safe home is your password manager. Paste it there as you set up the account, and let the manager hold it. The clipboard still holds it until you copy something else, so copy something harmless afterwards if you share your screen.
How strong is strong enough
The strength readout shows bits of entropy, which is the honest measure of how hard a password is to guess.
Each character you add multiplies the number of possible passwords, so length raises strength faster than any clever substitution. A random password of twenty mixed characters is already far beyond what any computer can brute-force, and the meter will say so. Complicated-looking short passwords, the kind people try to memorise, are usually weaker than they look.
This is why the advice pairs with a password manager. When a tool remembers your passwords for you, there is no cost to making each one long and random, and every account can have its own. The Lock and Key guide walks through setting that up so a generated password has somewhere to live.
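Added example, not this tool's own code: one way to draw a password from the browser's secure random generator, as described under "Why this is safe", and to compute the bits-of-entropy readout as length × log2(alphabet size). The function names, the symbol set and the rejection-sampling step are assumptions; the look-alike list uses only the characters this page names.

```javascript
// Added example, not the tool's own code. Names and the symbol set are assumptions.
// Web Crypto is global in browsers and recent Node; fall back to Node's module otherwise.
const rng = globalThis.crypto ||
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

const SETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.?", // assumed symbol set
};
const LOOKALIKES = new Set("O0l1"); // only the pairs named on the page

function buildAlphabet(opts = {}) {
  const { lower = true, upper = true, digits = true, symbols = true,
          avoidLookalikes = false } = opts;
  const on = { lower, upper, digits, symbols };
  let chars = Object.keys(SETS).filter((k) => on[k]).map((k) => SETS[k]).join("");
  if (avoidLookalikes) chars = [...chars].filter((c) => !LOOKALIKES.has(c)).join("");
  if (chars.length < 2) throw new Error("enable at least one character set");
  return chars;
}

// Uniform index in [0, n) by rejection sampling: a plain `value % n` would
// favour the first few characters whenever n does not divide 2^32 evenly.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, opts) {
  const alphabet = buildAlphabet(opts);
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[randomIndex(alphabet.length)];
  return out;
}

// Bits of entropy; valid only because every character is an independent uniform pick.
function entropyBits(length, opts) {
  return length * Math.log2(buildAlphabet(opts).length);
}
```

With symbols off, twenty characters from the remaining 62 come to about 119 bits; turning on avoid look-alikes shrinks the alphabet by four characters and the figure drops slightly, which is the small cost the page describes.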
Common questions
The questions people ask before they trust a tool with the keys to everything.
Is the password saved or sent anywhere?
No. It is built in your browser using your device's secure random generator, shown only on screen, and never sent to any server or written to storage. Reload the page and it is gone. The copy button puts it on your clipboard for you to paste, and nothing more.
Why should I trust a password from a website?
Because this one never leaves your device, you do not have to trust the site with much at all. The page makes the password locally and keeps no record of it. You can even turn off your connection first and it still works, which is a good test of any tool that claims to keep nothing.
How long should a password be?
Longer beats complicated. For an account you log into through a password manager, twenty characters or more is a sensible floor, and there is little reason to go short when you never have to type it. The strength readout shows the bits of entropy so you can see length doing the work.
Do I need symbols and capitals?
They help, but length helps more. A long password drawn from lower case, upper case and digits is already strong on its own. Symbols add a little more and are worth keeping on unless a particular site refuses them, which is why the toggles are there.
What does avoid look-alikes do?
It drops characters that are easy to confuse, such as the letter O and the number zero, or the letter l and the number one. It makes a password easier to read aloud or copy by hand, at the cost of a little strength, so leave it off unless you need it.
Should I reuse a strong password?
No. The point of a generated password is that every account gets its own, so one breach cannot open the others. Make a fresh one for each account and let a password manager remember them, which the Lock and Key guide sets up.
How is this different from the Code Word Generator?
A password defends an account against a computer guessing billions of times, so it is long, random and typed by your manager. A code word is a short phrase you say aloud to verify a person on a call. Different jobs, different tools.