Skip to content
Kordu Tools
Security & Privacy Runs in browser Updated 30 Mar 2026

Password Generator

Generate cryptographically secure passwords with custom length (8–128), character sets, entropy display, and exclude-ambiguous option. Runs in your browser.

Click Generate
Loading rating…

How to use Password Generator

  1. Set your password length

    Use the length slider or type a value between 8 and 128. For most accounts, 16 characters is the minimum recommendation; use 24+ for high-value accounts.

  2. Choose character sets

    Toggle uppercase letters, lowercase letters, numbers, and symbols independently. Including all four character types maximizes entropy.

  3. Optionally exclude ambiguous characters

    Enable 'Exclude ambiguous' to remove visually similar characters (0, O, l, I, 1) — useful for passwords you need to read aloud or type manually.

  4. Click Generate

    Click Generate Password to create a new cryptographically random password. Each click generates a completely independent password.

  5. Check the strength indicator

    Review the entropy display and strength meter to ensure the generated password meets your security requirements.

  6. Copy to clipboard

    Click Copy to copy the password to your clipboard. Store it in a password manager — never reuse it across accounts.

Password Generator FAQ

Is this truly random?
Yes. The tool uses crypto.getRandomValues, a cryptographically secure random number generator built into all modern browsers. It is seeded by the operating system's hardware entropy source — the same randomness used in production security software. It is not Math.random() and is suitable for generating real passwords.

Are my generated passwords stored anywhere?
No. Passwords are generated entirely in your browser and are never sent to a server, logged, or stored on disk. Close the tab and they are gone.

Is this tool safe to use?
Yes. Password generation is 100% client-side using crypto.getRandomValues. No data leaves your browser. The tool has no analytics that capture generated values.

Are inputs or results sent to a server?
No. There are zero network requests. The entire password generation process uses browser-native APIs with no outbound traffic.

What password length should I use?
Use 16+ characters for standard accounts, 24+ for financial and email accounts, and 32+ for master passwords and encryption keys. Longer is always better — prioritize length over complexity requirements.

What character sets should I include?
Include all four types (uppercase, lowercase, numbers, symbols) for maximum entropy per character. If a service restricts symbols, switch to uppercase + lowercase + numbers at a longer length to compensate.

What is entropy and why does it matter?
Entropy (in bits) measures how unpredictable a password is. Each additional bit doubles the number of guesses needed to crack it by brute force. 80 bits is strong for most uses; 128 bits is considered future-proof against known attacks.

Why should I use a password manager?
Strong passwords should be unique for every account. A password manager stores and autofills them, so you only need to remember one master password. Using the same password across accounts means a single breach exposes all of them.

How does this compare to LastPass or 1Password generators?
This tool uses the same underlying entropy source (crypto.getRandomValues) as any reputable password generator. The key advantage is that no data is transmitted — passwords stay local to your browser. Use it alongside a password manager for the best security posture.

Background

Generate cryptographically secure passwords in your browser using crypto.getRandomValues — the browser's hardware-backed random number generator, the same entropy source used by operating system CSPRNGs.

Customization options:

  • Length: 8 to 128 characters (16+ recommended for most accounts)
  • Character sets: uppercase (A–Z), lowercase (a–z), numbers (0–9), symbols (!@#$%^&*...) — toggle any combination independently
  • Exclude ambiguous: remove visually similar characters (0/O, 1/l/I) for passwords that need to be read aloud or typed manually
  • Entropy display: real-time calculation shows bits of entropy so you know exactly how strong your password is

Why crypto.getRandomValues? JavaScript's Math.random() is a pseudo-random number generator, not suitable for security. crypto.getRandomValues is seeded by the operating system's CSPRNG (hardware entropy), making it cryptographically secure and unpredictable.

Password strength context:

  • 40-bit entropy: breakable
  • 60-bit: acceptable for low-value accounts
  • 80-bit+: strong for most uses
  • 128-bit+: future-proof

All generation runs locally. Nothing is sent to any server.

Related tools

Password Breach Checker

Check if a password appeared in known data breaches using k-anonymity. Only the first 5 SHA-1 hash characters are sent — your password never leaves your browser.

Bcrypt Hash Generator

Generate bcrypt hashes with configurable cost factor (4–31). Auto-salted, rainbow-table resistant, fully browser-based. Recommended for secure password storage.

AES Encrypt

Encrypt text with AES-256-GCM, AES-CBC, AES-CTR, or AES-ECB in your browser. PBKDF2 key derivation, random IV, zero uploads.

UUID Generator

Generate cryptographically secure v4 and v7 UUIDs in bulk — copy individually or all at once, instantly in your browser.

Base64 Encoder/Decoder

Encode text or files to Base64 or decode Base64 strings back to plain text — real-time, fully in your browser.

Learn more

security

Strong Password Generator: How to Create Uncrackable Passwords in 2026

Generate secure passwords and passphrases with our free tool. Learn what makes a password strong, how crack time estimates work, and best practices for password security.

security

How Long Does It Take to Crack a Password in 2026?

See real password crack times by length and character set, from 4 to 20 characters, plus the defenses that actually matter.