Is this password generator secure?

Yes. Every character is selected using crypto.getRandomValues with rejection sampling to avoid bias, which is the browser's cryptographically secure random source. It never uses Math.random, which is predictable and unsafe for secrets.

How long should my password be?

Aim for at least twelve characters, and sixteen or more for important accounts. Length matters more than complexity, because each extra character multiplies the number of guesses an attacker must try.

What does excluding ambiguous characters do?

It removes look-alike characters such as zero and capital O, or the digit one and lowercase l, so the password is easier to read and type from a screen or printout without transcription errors. This slightly reduces the character pool.

Does the generator guarantee each selected set appears?

Yes. When you require multiple character sets, the tool places at least one character from each enabled set, then fills the rest randomly and shuffles, so the result always satisfies the policy.

Is the password sent anywhere?

No. Generation happens entirely in your browser using the Web Crypto API. No password is logged, transmitted, or stored on any server, so it is safe to generate credentials here.

Strong Password Generator

A strong password is long and drawn from a large, unpredictable character pool. The biggest single mistake password tools make is using Math.random, which is fast but predictable — completely unsuitable for secrets. This generator uses the Web Crypto API, builds each password from cryptographically secure random bytes, and lets you match any site’s policy: set the length and choose which character sets to include, with an option to drop look-alike characters so the password is easy to type. Everything runs in your browser.

How it works

The generator assembles a character pool from the sets you enable, then samples from it without bias:

Build the pool from the enabled sets — uppercase, lowercase, numbers, symbols — optionally removing ambiguous characters like 0, O, 1, l, and I.
For each position, pick a character using crypto.getRandomValues with rejection sampling, which discards values that would skew the distribution so every character is equally likely.
To satisfy a policy, place one character from each required set first, fill the remaining positions from the full pool, then shuffle the whole string with a Fisher-Yates shuffle so the guaranteed characters are not predictably positioned.

Rejection sampling matters: naively taking a random byte modulo the pool size makes lower-indexed characters slightly more common, which subtly weakens the password. This tool avoids that.

Choosing a strong policy

Length beats complexity. A 16-character lowercase password is far harder to crack than an 8-character password with every symbol. Prefer longer.
Use a password manager so length is never a usability problem — you never type these by hand.
Excluding ambiguous characters is for the rare cases where you must read or type the password manually; it trims the pool slightly, so add a character or two to compensate.

No password generated here is transmitted or stored anywhere — it exists only in your browser until you copy it.