How the generator works
Every password is built one character at a time from the pool of characters you enable. The tool draws each character with crypto.getRandomValues, the same cryptographically secure random source browsers use for encryption keys, and uses rejection sampling so every character in the pool is equally likely — there is no bias toward the start of the alphabet the way naive Math.random() code often has. Because the generation happens on your device, no password is ever transmitted, logged, or stored anywhere.
What password strength actually means
The strength meter reports entropy in bits, calculated as length multiplied by the base-2 logarithm of the pool size. Entropy measures how many guesses an attacker would need on average to find your password by brute force. Each additional bit doubles the work: a 40-bit password can fall to a modern GPU cluster in hours, while an 80-bit password would take longer than the age of the universe at billions of guesses per second. As a rule of thumb, aim for at least 75 bits for anything that matters, which a 16-character password using all four character sets comfortably exceeds.
Length beats complexity
Adding one character to a password increases its entropy far more than swapping a letter for a symbol. A 20-character password of only lowercase letters is stronger than an 8-character password crammed with symbols, because the extra length multiplies the search space exponentially. That is why this tool lets you slide the length all the way to 64 characters. For passwords you have to type by hand, the excluding look-alikes option removes the visually confusing characters (capital I, lowercase l, the digit 1, capital O, zero, lowercase o) so you never fat-finger a login.
Using a password manager
The safest way to use generated passwords is to never memorize them. Store each one in a reputable password manager and let it autofill on the sites you visit. That way every account gets a different high-entropy password, so a breach at one site cannot cascade into the rest of your digital life. This generator pairs perfectly with that workflow: generate, copy, paste into the manager, done. Reserve memorized passphrases only for the handful of master credentials you actually type.
Privacy and security notes
This generator runs entirely in your browser. Nothing you generate is sent to a server, saved to a cookie, or recorded in any log — refresh the page and every trace is gone. That local-only design is what makes a web-based password tool trustworthy: there is simply no channel through which a generated secret could leak.