Is this password generator truly secure?

Yes. We use the Web Crypto API's crypto.getRandomValues(), which is a cryptographically secure random number generator (CSPRNG). This is the same technology used by password managers and security applications. We do NOT use Math.random(), which is predictable and insecure.

Are my generated passwords stored or sent anywhere?

No. All password generation happens entirely in your browser using JavaScript. Your passwords are never sent to our servers or stored anywhere. Once you close the page, they're gone forever.

What is the difference between a password and a passphrase?

A password is a random string of characters (e.g., "xK9#mL2$pQ"). A passphrase is a sequence of random words (e.g., "correct-horse-battery-staple"). Passphrases are easier to memorize while still providing strong security through length and randomness.

When should I use a PIN instead of a password?

PINs are best for devices and services that only accept numeric input — phone lock screens, ATM codes, voicemail access, and two-factor authentication backup codes. For online accounts, always prefer a full password or passphrase.

What does "exclude ambiguous characters" mean?

Ambiguous characters are those that look similar and can be confused: lowercase L (l) vs number 1, uppercase I vs lowercase L, uppercase O vs number 0. Excluding them makes passwords easier to read and type manually.

How long should my password be?

We recommend at least 16 characters for strong security. Longer passwords (20-32 characters) are even better, especially for critical accounts like email, banking, or password managers. The extra length makes brute-force attacks exponentially harder.

Can I use this tool offline?

Yes! Once the page loads, our PWA (Progressive Web App) allows you to generate passwords completely offline. No internet connection required.

What is CSPRNG and why does it matter?

CSPRNG stands for Cryptographically Secure Pseudo-Random Number Generator. Unlike Math.random() which is predictable, CSPRNG produces truly random numbers that are mathematically impossible to predict. This is critical for password security.

How is password strength calculated?

Strength is calculated using Shannon entropy — the number of bits of randomness in the output. It accounts for the character pool size and length. The meter shows the bit count and a qualitative label (Weak, Fair, Strong, Very Strong).

Password, Passphrase & PIN Generator

Generate cryptographically secure passwords, memorable passphrases, or numeric PINs. Uses the Web Crypto API (CSPRNG) for true randomness. 100% client-side — nothing leaves your browser.

Last updated: 2026-03-19

Generated Output

Count: 1

Generation Mode

Advanced Modifiers

Exclude Ambiguous CharactersRemoves l, 1, I, O, 0, o, | for better readabilityLeet Speak SubstitutionsRandomly replaces characters (a→@, s→$, e→3, etc.) with ~50% probability

Append Random Numbers: 0

Append Random Symbols: 0

How to Use

Choose a mode: Random Password for maximum entropy, Passphrase for memorability, or PIN for numeric codes.
Configure options: Adjust length, character types, word count, or separator based on your needs.
Apply modifiers: Optionally enable leet speak, exclude ambiguous characters, or append extra digits/symbols.
Generate & Copy: Click Generate, review the strength indicator, and copy to clipboard.

Key Features

Cryptographically secure randomness (Web Crypto API / CSPRNG)
Three modes: Random Password (8-128 chars), Passphrase (3-15 words), PIN
220-word built-in dictionary for memorable passphrases
Six separator options including random numbers/symbols between words
Leet speak substitution with randomized probability
Entropy-based strength meter with bit count
Exclude ambiguous characters (l, 1, I, O, 0)
Append random digits or symbols to any output
100% client-side — zero data sent to servers
Works offline (PWA compatible)

Frequently Asked Questions

Is this truly secure?

Yes. All randomness comes from crypto.getRandomValues(), a CSPRNG provided by your browser. It is the same source used by password managers and TLS. We never use Math.random().

Are passwords stored or transmitted?

No. Everything runs in JavaScript in your browser. No network requests, no server storage. Close the tab and the password is gone forever.

What is entropy and why does it matter?

Entropy measures unpredictability in bits. A 20-character password with uppercase, lowercase, numbers, and symbols has ~131 bits — meaning an attacker would need 2¹³¹ guesses. 80+ bits is considered strong.

Password vs Passphrase — which is better?

Both can be equally secure. A 5-word passphrase from a 220-word list gives ~38 bits, while a 20-character random password gives ~131 bits. Use passphrases when you need to remember or type them; use random passwords with a password manager for maximum security.

What does leet speak do?

It randomly substitutes letters with visually similar characters (a→@, s→$, e→3). Each character has a ~50% chance of substitution, so the output varies every time. This adds visual complexity but doesn't significantly increase entropy against informed attackers.

Can I use this offline?

Yes. Once the page loads, it works entirely offline. No internet required.

Useful Utilities