How to Create a Strong Password (Free & Private)
A strong password is your first line of defence, but the ones people invent by hand tend to follow patterns that attackers already know. The safest passwords are long and truly random — which is exactly what a generator is for. This one runs entirely in your browser using the Web Crypto secure random generator, so nothing you create is ever uploaded or stored.
The tool
Password Generator
Step by step
- Open the generatorGo to the Password Generator — it runs in your browser, with no install or sign-up.
- Choose a lengthDrag the length slider anywhere from 4 to 64. Length matters more than anything else — aim for 16 or more characters for accounts you care about.
- Pick your character typesToggle uppercase, lowercase, numbers, and symbols. Turning on all four gives you the widest pool of characters and the highest entropy.
- Exclude ambiguous characters (optional)If you’ll be typing the password by hand, switch on “exclude ambiguous characters” to drop look-alikes like l, 1, I, O, and 0.
- Copy and store itWatch the live strength meter, then copy your password and save it straight into your password manager — don’t try to memorise it.
What actually makes a password strong
Length is the single biggest factor. Every extra character multiplies the number of guesses an attacker has to make, so a long password beats a short-but-complicated one almost every time — aim for at least 16 characters.
After length comes variety. Mixing uppercase, lowercase, numbers, and symbols widens the pool each character is drawn from, which the strength meter reflects as more bits of entropy.
Why randomness matters
Passwords you make up yourself lean on habits — a favourite word, a birthday, a keyboard pattern — and those are the first things cracking tools try. Real randomness removes the patterns entirely.
This tool draws every character from the browser’s cryptographic random generator (crypto.getRandomValues) using unbiased sampling, so no character is more likely than any other. That’s far stronger than anything you’d pick by hand.
The “exclude ambiguous characters” option
Some characters are easy to confuse when read or typed: the lowercase l, the number 1, the capital I, the capital O, and the number 0. If you’ll ever type a password manually — say into a TV or a device without a manager — turning this option on removes those look-alikes so you don’t fumble it.
For passwords that live only in a password manager and get pasted automatically, you can leave it off and keep the full character set for maximum entropy.
Use a unique password everywhere
The biggest real-world risk isn’t a weak password — it’s a reused one. When one site is breached, attackers try that same email-and-password combination everywhere else, so a single leak can unlock many accounts.
Generate a fresh, unique password for every account and store them in a password manager. You only have to remember one master password; the manager remembers the rest and fills them in for you.
Private by design
Everything happens on your device. The password is generated locally in your browser and is never sent to a server, logged, or saved anywhere by us.
If you want to verify that, open your browser’s network tab while you generate a password — you’ll see no upload of the value you created.
Frequently asked questions
Is it free?
Yes — completely free, no sign-up, and no limits on how many passwords you generate.
Is my password private?
Yes. It’s generated entirely in your browser and never uploaded or stored — you can confirm this in your browser’s network tab.
How long should my password be?
Aim for at least 16 characters for important accounts. Length is the biggest factor in strength, so longer is better whenever a site allows it.
Should I memorise my passwords?
No — use a different random password for every account and store them in a password manager. Reusing passwords is the most common way accounts get compromised.