Random Password Generator

Generate strong, deterministically-seeded passwords. Pick length, character classes, and bulk-count. All client-side — passwords never leave the browser.

Inputs

NIST SP 800-63B minimum 8; 15+ recommended for high-assurance accounts. Master passwords / encryption keys: 24+.

Bulk-generate up to 50 candidates at once. Pick the one you like; ignore the rest.

Useful when the password must be read aloud or typed off-screen.

Deterministic — same inputs produce the same passwords. Increment to refresh.

Result

Loading calculator…

How to use this calculator

  • Pick a length. 16 is a good default for site logins; 24+ for master passwords or encryption keys.
  • Toggle the character classes — keep all four on for maximum entropy unless the target site rejects symbols.
  • Optional: enable "avoid look-alikes" if the password will be transcribed by eye.
  • Pick any one of the candidates and put it in your password manager. Discard the others.
  • Change the seed (or any other input) to refresh.

About this calculator

A good password manager generates passwords for you; this tool exists for the moments when you do not have one handy. Pick a length, the character classes you want, and how many candidates to generate. Output is deterministic on the seed — increment to refresh — so the tool itself can be reviewed for correctness (no surprise weak passwords because of some hidden RNG state). 16 random characters from the full pool gives ~104 bits, well above the NIST threshold for everything short of cryptographic keys.

How it works — the formula

pool = union(enabled_classes); entropy = length · log₂(|pool|) for each password: seed mulberry32, guarantee one char per enabled class, fill to length, Fisher–Yates shuffle

Brute-force resistance is dominated by the size of the character pool and the password length. Mixing classes only matters insofar as it increases the pool; the most-impactful single setting is length. Forcing one character from each enabled class loses a trivial amount of entropy but prevents the awkward "the random one came out all lowercase" edge case.

Worked examples

Example 1
16-char, all 4 classes
Inputs:
length=16, lower/upper/digit/symbol=yes
Output:
~104.3 bits (pool 95)
Example 2
20-char alphanumeric
Inputs:
length=20, symbol=no
Output:
~119.0 bits (pool 62)
Example 3
24-char no-look-alikes
Inputs:
length=24, avoidAmbiguous=yes, all classes
Output:
~155 bits (pool 88)

Limitations

  • Deterministic — for true CSPRNG randomness use your password manager. This generator is reproducible by design (for review and education).
  • No real-world dictionary check; entropy is an upper bound.
  • Symbol set is the common printable-ASCII subset; if a site rejects specific symbols you may need to retry with different inputs.

Store generated passwords in a manager — do not memorise from a screenshot. The seed is NOT a secret, but the chosen password IS.

Frequently asked

Is this random enough for a production password?+
The pool selection is rigorous; the PRNG is deterministic mulberry32 keyed off your seed. For cryptographic key material use a CSPRNG-backed generator (every password manager has one). For ordinary website logins, a 16-char generated password here is overkill compared to the average attacker.
Why deterministic?+
Because compute() must be pure — same inputs always produce the same output, including the displayed passwords. That makes the tool auditable. To get a different batch, change the seed (or any other input — every change reseeds the generator).
How long should my password be?+
NIST SP 800-63B recommends a minimum of 8 characters and 15+ for high-assurance accounts. For master passwords and encryption keys aim for 24+. Length is the most-impactful single factor.
Does every password contain every class I picked?+
Yes — the generator places one character from every enabled class before filling the rest, then shuffles. So you never get an "all lowercase" password by chance when you enabled upper, digit, and symbol too.
What is "avoid look-alikes"?+
Drops 0/O/o and 1/l/I/i so passwords that get transcribed by eye (e.g. from a phone to a desktop) do not get misread. Reduces the pool size by ~7 chars, costing about 0.4 bits of entropy per character — usually worth it if a human is going to type the password.
Is the password sent to a server?+
No. All generation is local. The password never leaves your browser tab.

Related calculators

More tools you might like

Hand-picked tools that pair well with this one — same audience, same intent.