Password generator

Strong passwords, generated entirely on your device. Nothing is sent to any server — ours or anyone else's. Every byte comes from the browser's cryptographically secure random number generator, the same source that backs TLS keys.

Browser extensions can read all data on this page. Use a private/incognito window with extensions disabled.

This password

Strength Strong
Entropy 119 bits
Combinations 704,423,425,546,998,022,968,330,264,616,370,176
Brute-force* 223,218,313,669,923 years

* Years to reach a 1% chance of a match at 1 trillion guesses per second.

How it works

Randomness. Every byte comes from crypto.getRandomValues, the browser's cryptographically secure generator. It is seeded by the operating system and is the same source that backs TLS keys and session tokens.

Bias-free mapping. Bytes are mapped to your character set using rejection sampling: any byte that falls beyond the largest exact multiple of the alphabet size is discarded and re-rolled. Without this, the distribution would skew toward characters earlier in the alphabet, weakening every password.

Character sets. Toggle uppercase, lowercase, digits, and a curated symbol set independently. Each enabled set contributes its full range to the sampling alphabet.

Easy to read. Strips characters that look alike in most fonts — 1/l/I/i, 0/O/o, 5/S/s, 2/Z/z, 8/B, 6/G, 9/q — so the password is unambiguous when read aloud or typed by hand. The alphabet shrinks, which lowers entropy slightly; bump the length up a few characters to compensate.

Strength. Entropy is calculated as log₂(alphabet) × length and bucketed into a label: < 40 bits is Very weak, < 60 is Weak, < 80 is Decent, < 256 is Strong, and ≥ 256 is Very strong. For reference, 80 bits is comfortable for everyday accounts, 128 bits resists well-funded offline attackers, and 256 bits matches an AES-256 key. The label reflects this math only — it does not check against dictionaries or breach lists, because the generator only ever produces uniformly random output.
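
Added example, not YouShallNotPass.io's own source: a sketch of the rejection-sampling step from "Bias-free mapping" together with the entropy formula and label buckets from "Strength". The names ALPHABET, rejectionLimit, moduloBias, generate, entropyBits and strengthLabel are assumptions, as are the 64-byte buffer and the injectable fill parameter (used so the rejection path can be checked with fixed bytes).

```javascript
// Added illustration; not YouShallNotPass.io's source. All names are assumptions.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; // 62 symbols

// Default byte source: the browser CSPRNG the page names.
const csprng = (buf) => globalThis.crypto.getRandomValues(buf);

// Largest multiple of n that fits in one byte. Bytes >= this are re-rolled.
function rejectionLimit(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("alphabet size must be 1..256");
  }
  return 256 - (256 % n);
}

// What plain `byte % n` would do: how many byte values land on each symbol.
function moduloBias(n) {
  const favoured = 256 % n;            // symbols at the front of the alphabet
  const base = Math.floor(256 / n);
  return { favoured, hitsFavoured: favoured ? base + 1 : base, hitsOthers: base };
}

// Assumes the alphabet holds unique, single-code-unit characters.
function generate(alphabet, length, fill = csprng) {
  const limit = rejectionLimit(alphabet.length);
  const buf = new Uint8Array(64);
  let out = "";
  while (out.length < length) {
    fill(buf);
    for (const b of buf) {
      if (b >= limit) continue;        // discard: keeping it would skew the output
      out += alphabet[b % alphabet.length];
      if (out.length === length) break;
    }
  }
  return out;
}

// Entropy as the page defines it: log2(alphabet size) x length.
const entropyBits = (alphabetSize, length) => Math.log2(alphabetSize) * length;

// Buckets copied from the page's Strength paragraph.
function strengthLabel(bits) {
  if (bits < 40) return "Very weak";
  if (bits < 60) return "Weak";
  if (bits < 80) return "Decent";
  if (bits < 256) return "Strong";
  return "Very strong";
}
```

For the 62-symbol alphabet, bytes 248 to 255 are rejected; without that step the first 8 symbols would each be reachable from 5 byte values and the rest from only 4.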

Privacy. Passwords are generated in your browser and never leave it. Nothing is sent to any server, nothing is stored, and closing the tab destroys the output.

YouShallNotPass.io

Practical security tools. Zero-knowledge by design. Open source. No accounts. No tracking.

© 2026 YouShallNotPass.io