What makes a password strong?
Length matters more than complexity. A 20-character password from a 70-symbol alphabet has ~123 bits of entropy — that's more secure than a 10-character password from any practical alphabet you can build. Add character sets only to satisfy site requirements; length is the real lever.
How this generator works
Each character is picked uniformly at random from your chosen alphabet using crypto.getRandomValues — the browser's cryptographically secure random source. We use rejection sampling to avoid modulo bias, so the output is genuinely uniform. No Math.random() anywhere.
About "exclude similar"
Drops 0 O 1 l I from the alphabet. Useful when you have to read the password aloud or type it from a screen. Costs about 0.5 bits of entropy per character — negligible.
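The rejection-sampling step and the "exclude similar" filter described above, written out as an added example (not this page's own code). The names buildAlphabet, generatePassword, entropyBits and the injectable fillRandom parameter are assumptions made for illustration.

```javascript
// Added example: uniform password generation via rejection sampling.
// Uses the Web Crypto global in browsers; falls back to Node's webcrypto.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const SIMILAR = new Set("0O1lI"); // the characters "exclude similar" drops

function buildAlphabet(chars, excludeSimilar = false) {
  // De-duplicate so every symbol occupies exactly one slot, then filter.
  const unique = [...new Set(chars)];
  return excludeSimilar ? unique.filter((c) => !SIMILAR.has(c)) : unique;
}

// fillRandom is injectable (an assumption of this example) so the rejection
// step can be exercised with fixed bytes; the default is the secure source.
function generatePassword(length, alphabet,
                          fillRandom = (buf) => webCrypto.getRandomValues(buf)) {
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError("alphabet must have 2..256 symbols");
  // Largest multiple of n that fits in one byte. Bytes at or above it would
  // make the low residues of `byte % n` slightly more likely, so drop them.
  const limit = 256 - (256 % n);
  const out = [];
  const buf = new Uint8Array(Math.max(16, length * 2));
  while (out.length < length) {
    fillRandom(buf);
    for (const byte of buf) {
      if (byte >= limit) continue; // rejected: outside the unbiased range
      out.push(alphabet[byte % n]);
      if (out.length === length) break;
    }
  }
  return out.join("");
}

// Entropy of a uniformly chosen password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

With a 10-symbol alphabet the limit is 250, so bytes 250 to 255 are discarded instead of being folded onto the digits 0 to 5.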
Entropy guide
- Under 28 bits — weak. Brute-forceable on a laptop.
- 28–60 bits — fair. Resists casual attacks but not a determined adversary.
- 60–90 bits — strong. Effectively unbreakable for personal accounts.
- 90+ bits — overkill but cheap. Use for password-manager master passwords.
Is my data private?
Yes. Passwords are generated entirely in your browser. Nothing is sent over the network. You can disconnect from the internet after the page loads and it still works.