Because compute() must be pure — same inputs always produce the same output, including the displayed passwords. That makes the tool auditable. To get a different batch, change the seed (or any other input — every change reseeds the generator).

How long should my password be?

NIST SP 800-63B recommends a minimum of 8 characters and 15+ for high-assurance accounts. For master passwords and encryption keys aim for 24+. Length is the most-impactful single factor.

Does every password contain every class I picked?

Yes — the generator places one character from every enabled class before filling the rest, then shuffles. So you never get an "all lowercase" password by chance when you enabled upper, digit, and symbol too.

What is "avoid look-alikes"?

Drops 0/O/o and 1/l/I/i so passwords that get transcribed by eye (e.g. from a phone to a desktop) do not get misread. Reduces the pool size by ~7 chars, costing about 0.4 bits of entropy per character — usually worth it if a human is going to type the password.

Is the password sent to a server?

No. All generation is local. The password never leaves your browser tab.

Because compute() must be pure — same inputs always produce the same output, including the displayed passwords. That makes the tool auditable. To get a different batch, change the seed (or any other input — every change reseeds the generator).

How long should my password be?

NIST SP 800-63B recommends a minimum of 8 characters and 15+ for high-assurance accounts. For master passwords and encryption keys aim for 24+. Length is the most-impactful single factor.

Does every password contain every class I picked?

Yes — the generator places one character from every enabled class before filling the rest, then shuffles. So you never get an "all lowercase" password by chance when you enabled upper, digit, and symbol too.

What is "avoid look-alikes"?

Drops 0/O/o and 1/l/I/i so passwords that get transcribed by eye (e.g. from a phone to a desktop) do not get misread. Reduces the pool size by ~7 chars, costing about 0.4 bits of entropy per character — usually worth it if a human is going to type the password.

Is the password sent to a server?

No. All generation is local. The password never leaves your browser tab.

Random Password Generator

Generate strong, deterministically-seeded passwords. Pick length, character classes, and bulk-count. All client-side — passwords never leave the browser.

Result

10 passwords × 16 chars

t~dB{7[KwC,f8,o=

Entropy ≈ 103.6 bits — change the seed to refresh.

Generated passwordst~dB{7[KwC,f8,o= rr{4WgIlate8fIq+ B+KNvPa}c=j:47Z@ iY4_LwUkVV8EF:~5 Q]3.[@9TRCzf2GIx dHj.^6[Tc>2s%zpn ()7M#b1AdP[X7W8m u6h4n0;iNJI3xRdY X:^1Hv+P3,Q/IZLb jy+Yr2vQ7kl%@30K
Character pool89 unique chars (lower + upper + digit + symbol)
Entropy per password103.6 bits
NIST minimum (memorised secret)✓ ≥ 15 chars

Source: NIST SP 800-63B Digital Identity Guidelines (Memorized Secret Verifiers) §5.1.1.

Note — Deterministic seeding gives reproducibility for code review of the generator — but for production passwords, pick one and store it in a password manager. Do NOT share the seed.

Step-by-step

Build pool from selected classes (size = 89).
For each password: seed mulberry32 with (seed × 1000 + index), guarantee one char from each enabled class, fill to length, then Fisher-Yates shuffle.
Entropy = length × log₂(pool) = 16 × 6.476 = 103.6 bits.

How to use this calculator

Pick a length. 16 is a good default for site logins; 24+ for master passwords or encryption keys.
Toggle the character classes — keep all four on for maximum entropy unless the target site rejects symbols.
Optional: enable "avoid look-alikes" if the password will be transcribed by eye.
Pick any one of the candidates and put it in your password manager. Discard the others.
Change the seed (or any other input) to refresh.

About this calculator

A good password manager generates passwords for you; this tool exists for the moments when you do not have one handy. Pick a length, the character classes you want, and how many candidates to generate. Output is deterministic on the seed — increment to refresh — so the tool itself can be reviewed for correctness (no surprise weak passwords because of some hidden RNG state). 16 random characters from the full pool gives ~104 bits, well above the NIST threshold for everything short of cryptographic keys.

How it works — the formula

pool = union(enabled_classes); entropy = length · log₂(|pool|)
for each password: seed mulberry32, guarantee one char per enabled class, fill to length, Fisher–Yates shuffle

Brute-force resistance is dominated by the size of the character pool and the password length. Mixing classes only matters insofar as it increases the pool; the most-impactful single setting is length. Forcing one character from each enabled class loses a trivial amount of entropy but prevents the awkward "the random one came out all lowercase" edge case.

Sources: NIST SP 800-63B (2024) — Memorized Secret Verifiers · OWASP Authentication Cheat Sheet — Password Strength · EFF Diceware

Worked examples

Example 1

16-char, all 4 classes

Inputs:: length=16, lower/upper/digit/symbol=yes
Output:: ~104.3 bits (pool 95)

Example 2

20-char alphanumeric

Inputs:: length=20, symbol=no
Output:: ~119.0 bits (pool 62)

Example 3

24-char no-look-alikes

Inputs:: length=24, avoidAmbiguous=yes, all classes
Output:: ~155 bits (pool 88)

Limitations

Deterministic — for true CSPRNG randomness use your password manager. This generator is reproducible by design (for review and education).
No real-world dictionary check; entropy is an upper bound.
Symbol set is the common printable-ASCII subset; if a site rejects specific symbols you may need to retry with different inputs.

Store generated passwords in a manager — do not memorise from a screenshot. The seed is NOT a secret, but the chosen password IS.

Frequently asked

The pool selection is rigorous; the PRNG is deterministic mulberry32 keyed off your seed. For cryptographic key material use a CSPRNG-backed generator (every password manager has one). For ordinary website logins, a 16-char generated password here is overkill compared to the average attacker.