Password Generator
Generate a strong random password or a memorable passphrase. Built on your browser's cryptographic random number generator, so nothing is predictable and nothing leaves your device.
Generated on your device with your browser's cryptographic random number generator. Never transmitted or stored.
Random password or passphrase?
Both are strong when they are long enough; the difference is how they are used. Random passwords like the ones on the left pack the most strength per character, which makes them ideal for accounts stored in a password manager where you never type them by hand. Passphrases string together random words, trading a little length for something a human can actually memorize. They are the right choice for the handful of secrets you must carry in your head: your computer login, your phone backup, your password manager's master password.
What to do with a new password
Use each generated password for exactly one account. If you are cleaning up old reused passwords, start with the accounts that matter most: your primary email first (it can reset everything else), then banking, then anything with a saved payment card. While you are at it, check whether your current password has already leaked with our password breach checker, and turn on two-factor authentication for the accounts that support it.
Frequently Asked Questions
Are these passwords really random?
Yes. The generator uses your browser's built-in cryptographic random number generator (crypto.getRandomValues), the same source used for encryption keys. Passwords are created on your device and are never transmitted, stored, or logged anywhere.
Should I use a random password or a passphrase?
For passwords saved in a password manager, use long random passwords since you never have to remember them. For the few passwords you must memorize, like your computer login or the manager itself, a passphrase of five or more random words is easier to recall and still very strong.
How long should my password be?
At least 16 characters for everyday accounts, and 20 or more for anything critical like email or banking. Every account should get its own unique password, because a breach at one site is immediately tried against every other popular service.