Password generator

Uses crypto.getRandomValues with rejection sampling — nothing leaves your tab.

Click Generate

— 0 bits

Length 16

Uppercase A–Z Lowercase a–z Digits 0–9 Symbols !@#$%&*-_=+? Exclude ambiguous 0OIl1`'"\

Pronounceable mode (consonant + vowel pairs, lower entropy)

About strength & assumptions

Entropy is reported as bits = length × log2(charsetSize) — the theoretical maximum for a uniformly-random password drawn from the chosen charset. It does not account for human-memorable patterns, breach-list overlap, or attacker knowledge of the charset rules.

Qualitative labels follow common rules of thumb:

Weak: < 40 bits
Fair: 40 – 59 bits
Strong: 60 – 79 bits
Very strong: ≥ 80 bits

Pronounceable mode alternates consonants and vowels, so each character carries less entropy than the full charset would — the meter reflects this.

Random characters use crypto.getRandomValues(Uint32Array) with rejection sampling, so the distribution is unbiased even when the charset size does not divide 2³². Math.random is never used for password material.

No "secure" claims — strength depends entirely on how and where you use the password. Treat this as a generator, not a vault.