OnSumo Tools

Secure Password Generator

This tool generates cryptographically random passwords entirely in your browser. Choose your length, character types (uppercase, lowercase, digits, symbols), and exclusion rules, and the tool produces a password using the Web Crypto API's crypto.getRandomValues(). No password is stored, logged, or sent to any server. The tool is free, requires no login, and works offline once the page loads.

Passwords are generated in your browser and are never saved or sent to a server. Copy them into your password manager right away.

Generated passwords

  • g2Tr5Ok|BL#H;&|9@mxD
Strength: Very strong129.2 bits

Charset size: 88 · Estimated crack time at 1012 guesses/s: 245950005194667070 centuries

How this tool works

The password generator creates random passwords using the browser's window.crypto.getRandomValues, a cryptographically secure pseudo-random number generator (CSPRNG). You configure the character set by enabling or disabling four classes: uppercase letters (A-Z, 26 characters), lowercase letters (a-z, 26 characters), digits (0-9, 10 characters), and symbols (!@#$%^&*()-_=+[]{}|;:,.<>?, 32 characters). Password entropy is calculated in real time: Entropy (bits) = Length x log2(Character Pool Size). A 16-character password using all four character classes (pool = 94) has approximately 104.6 bits of entropy. NIST SP 800-63B recommends a minimum of 8 characters for general accounts; 16+ characters with a full character set is appropriate for high-value targets. Key assumption: all passwords are generated and displayed locally. Nothing is transmitted to any server. Close the browser tab after copying the password to prevent it from remaining in browser memory or history. Edge case: legacy systems sometimes reject symbols or restrict the allowed symbol set to a specific subset. Use the symbols whitelist input to enter only the symbols the target system accepts. Narrowing the symbol pool reduces the character pool size and therefore reduces entropy -- the tool recalculates and displays the new entropy immediately, so you can increase the password length to compensate.

Worked example

At length 20 with uppercase, lowercase, numbers, and symbols, the pool has about 94 characters, which is roughly 131 bits of entropy. That is far beyond what brute force can crack at trillion-guess speeds.

Related tools

Frequently asked questions

  • Is the password truly random?

    Yes. The tool uses crypto.getRandomValues(), which is a cryptographically secure pseudorandom number generator (CSPRNG) provided by the browser. It draws entropy from the operating system's random number generator, which collects randomness from hardware events like disk timing, mouse movements, and interrupt timing. This is the same source of randomness used by TLS, SSH key generation, and other security-critical operations.

  • Is the generated password stored anywhere?

    No. The password exists only in your browser's memory and on your screen. It is not written to disk, not sent over the network, and not stored in any database. When you close or navigate away from the tab, the password is gone. If you need to keep it, copy it to your password manager immediately.

  • How long should my password be?

    For accounts protected only by a password (no two-factor authentication), use at least 16 characters with all character types enabled. This gives you over 100 bits of entropy. For high-value targets like email, banking, or cloud provider root accounts, use 20 or more characters. For passwords that protect encryption keys (like a KeePass master password), 24 or more characters is a reasonable minimum.

  • What is password entropy?

    Entropy measures the number of possible combinations an attacker would need to try in a brute-force attack, expressed in bits. A password with N bits of entropy has 2^N possible values. Every additional bit doubles the search space. 80 bits is generally considered the minimum for security; 128 bits is considered strong against all current and near-future attacks.

  • Should I include symbols in my password?

    Including symbols increases the character set from 62 (letters + digits) to 95 (adding 33 printable symbols), which increases entropy per character from 5.95 bits to 6.57 bits. For a 16-character password, that is the difference between 95.2 bits and 105.1 bits of entropy. However, some systems restrict which symbols are allowed. If a system rejects your password, try excluding the specific symbols it does not accept.

  • Can I exclude ambiguous characters like 0/O and 1/l?

    Yes. Enable the \\\"Exclude ambiguous\\\" option to remove characters that look similar in many fonts: 0, O, o, 1, l, I, |. This is useful when the password needs to be read aloud over a phone call or typed manually from a printout. The tradeoff is a slightly smaller character set and marginally lower entropy per character.