Password Generator Online — Free Strong Random Password Tool

Generate cryptographically secure passwords with custom length, character classes, and ambiguous-character filtering. Powered by the browser's Web Crypto API — passwords are produced entirely on your device and never sent anywhere.

Length16

Count

Very Strong · 104 bits

Options

Include uppercase (A-Z)

Include lowercase (a-z)

Include digits (0-9)

Include symbols (!@#$...)

Exclude ambiguous (0, O, l, 1, I)

Charset size: 90 · Entropy: 104 bits

Generated Passwords

Click Generate to produce a password.

What is a Password Generator?

A password generator produces unpredictable strings of characters using a cryptographically secure random number source. Instead of relying on memorable but guessable patterns (Summer2024!), a generator gives you 16+ characters of high-entropy noise that resists dictionary attacks, credential stuffing, and offline brute-force.

The OpenFormatter password generator pulls randomness from crypto.getRandomValues() — the same Web Crypto primitive used by TLS, WebAuthn, and your browser's session cookies. There is no backend; nothing about the password leaves the tab it is generated in.

How to generate a password online — 4 steps

Pick a length. 16 characters is a comfortable default for online accounts; bump to 24+ for long-lived secrets, encryption keys, or root credentials.
Choose character classes. Leave all four (upper, lower, digits, symbols) on for maximum entropy. Toggle Exclude ambiguous if you may have to read or transcribe the password.
Click Generate. The Web Crypto API is sampled and a fresh password appears in the output panel. Set count up to 10 to produce a batch in one click.
Copy and store. Hit Copy and paste the password into your password manager or signup form. Never email or Slack a generated password in plaintext.

Sample output

# 16 chars, all classes, ambiguous excluded
xK8#qP2$mR9wT4vH

# 24 chars, all classes
9Bn!fJ7@Lz3KQwT6#hVrE2yP

# 32 chars, alphanumeric only (e.g. for an API key)
8K2qL9PmRxT5wH3JfNbVc7Yz4DgQpA6X

Cryptographic Randomness

Backed by crypto.getRandomValues — the same OS CSPRNG used by TLS handshakes and WebAuthn. Math.random is never used.

Fully Configurable

Length 8–128, four character classes, ambiguous-character filter, and 1–10 passwords per click. Live entropy readout reflects every change.

Zero Network Calls

Generation is pure JavaScript in your browser tab. No telemetry, no logging, nothing transmitted. Verify in DevTools Network.

Common use cases

check_circleCreating new account passwords for SaaS, GitHub, AWS, and email providers
check_circleGenerating SSH key passphrases or GPG key passphrases
check_circleProducing long random API keys, webhook secrets, and JWT signing keys
check_circleRotating database, Redis, RabbitMQ, and message-broker credentials
check_circleSeeding .env files for local development with non-default secrets
check_circlePre-generating one-time recovery codes or invite tokens
check_circleCreating WiFi passphrases for guest networks and home routers
check_circleProducing temporary share-link passwords for Dropbox, Google Drive, or 1Password share

Why use Web Crypto rather than Math.random()?

JavaScript's Math.random() is a non-cryptographic PRNG — implementations like V8's xorshift128+ are fast but produce output that can be reverse-engineered from a handful of samples. A password seeded by Math.random can be predicted by an attacker who observes any other random value the page emits. crypto.getRandomValues(), by contrast, draws from the operating system CSPRNG (/dev/urandom on Linux, BCryptGenRandom on Windows, SecRandomCopyBytes on macOS) and is the only source of randomness suitable for secrets. Every password this tool generates uses the latter.

Need other secure-by-default generators?

Pair the password generator with the rest of OpenFormatter's browser-side security tools — UUIDs, hashes, and random numbers, all generated locally.

UUID Generator Hash Generator Random Number Generator

Frequently Asked Questions

How is the randomness generated?

The generator uses crypto.getRandomValues(new Uint32Array(length)) — the Web Crypto API exposed by every modern browser. This pulls from the operating system’s cryptographically secure pseudo-random number generator (CSPRNG), the same source used by TLS, WebAuthn, and signed cookies. It is unpredictable and suitable for password material — Math.random() is not.

What length should I use?

For online accounts behind rate-limited login forms, 16 characters with mixed classes (~96 bits of entropy) is comfortably strong. For long-lived secrets, API keys, root credentials, or anything an attacker could brute-force offline (encrypted backups, password vault master), use 24–32 characters or longer.

Are passwords sent to a server?

No. Generation runs entirely in JavaScript inside your browser tab. Open DevTools → Network and click Generate — you will see zero requests. Nothing about the password (including length or character classes) is logged or transmitted.

How is entropy calculated?

Entropy in bits = length × log2(pool size). A 16-character password drawn from a 94-character pool (upper + lower + digits + symbols) has 16 × log2(94) ≈ 105 bits — far beyond what GPU clusters can brute-force. The strength badge in the toolbar reflects this number live as you change settings.

Should I use a passphrase instead?

Passphrases (six random Diceware words, ~77 bits) are easier to type and memorise than equivalent random strings, so they are excellent for things you must type by hand (laptop login, password manager master). For anything stored in a vault or pasted from one, a 20+ character random password is shorter and equally secure.

Can I generate batches?

Yes — set the count up to 10 and one password is produced per line. This is handy when seeding test fixtures, rotating service-account credentials, or pre-generating recovery codes.

What characters are excluded with the "ambiguous" toggle?

Toggling Exclude ambiguous removes 0, O, o, 1, l, I, and | from the pool. These look identical in many fonts and cause friction when a password is read aloud or copied from a printed slip. Excluding them costs only a tiny amount of entropy and is recommended whenever the password will be spoken or transcribed.

How does this compare to LastPass or 1Password generators?

The generation algorithm is identical — all use the same OS CSPRNG. The difference is workflow: a password manager stores the result, this tool does not. Use OpenFormatter when you need a one-off password (a temporary share link, a test fixture, an SSH key passphrase) without opening your vault, then store any keeper in your manager.