Is this password generator truly random?

Yes. ToolMint uses the Web Crypto API (crypto.getRandomValues) — a cryptographically secure pseudo-random number generator (CSPRNG) built into browsers. It does not use Math.random().

What is password entropy and why does it matter?

Entropy (measured in bits) represents how unpredictable a password is. Higher entropy means more combinations an attacker must try. 60+ bits is generally considered strong; 100+ bits is very strong.

What is a passphrase and why use one?

A passphrase is a sequence of random words (e.g. river-table-flame-book) that is both memorable and highly secure. Four or more random words can reach 50+ bits of entropy while being easier to type and recall than a random character string.

What does 'exclude ambiguous characters' do?

It removes characters that look similar in many fonts — 0, O, I, l, 1, and others — reducing the chance of transcription errors when typing a password manually.

Are generated passwords sent to a server?

No. All randomness is generated client-side using the Web Crypto API. No password ever leaves your browser.

Password Generator – Strong Passwords & Passphrases with Entropy Score

Create cryptographically secure passwords (up to 128 characters) or memorable passphrases in your browser. Customize character sets, exclude ambiguous characters, set word count and separators, and generate up to 20 at once. Every password is scored with Shannon entropy in bits so you see exactly how strong it is.

Strength: Very Weak0 bits of entropy · 0 chars

Options

Length20

4128

Exclude ambiguous (0 O I l 1 |)

Exclude custom characters

Generate count5

Generated Passwords

🔐

Cryptographically Secure

Uses the Web Crypto API (crypto.getRandomValues) for true randomness.

🚀

Instant & Offline

Everything runs locally in your browser. No passwords are ever sent to a server.

⚙️

Fully Customizable

Adjust length, character sets, exclusions, and generate passwords or passphrases.

Included Password Tools

Random Password Generator

Up to 128 characters with uppercase, lowercase, digits, symbols, custom exclusions, and ambiguous-character filtering.

Passphrase Generator

Word-based passphrases with 3–12 words and a choice of separator: dash, dot, underscore, space, or none.

Entropy & Strength Meter

Shannon entropy shown in bits with a 5-tier rating: Very Weak, Weak, Fair, Strong, Very Strong.

Bulk Password Generation

Generate and copy up to 20 passwords or passphrases at once with a single Regenerate click.

How to Generate a Strong Password

Choose Password or Passphrase

Select the Password tab for character-based passwords or Passphrase for memorable word-based passwords.

Customize settings

Adjust length (4–128 chars), toggle character sets, exclude ambiguous characters, or set a word count and separator for passphrases.

Generate

Click Regenerate to create a fresh list. Use the count slider to generate up to 20 at once.

Copy & use

Copy individual passwords or all at once. The entropy meter shows the strength in bits so you know exactly how secure each one is.

Password Entropy: How to Measure How Strong a Password Really Is

Password entropy is measured in bits and represents the number of possible combinations an attacker would need to try to crack a password by brute force. The formula is: entropy = log₂(character set size ^ password length). A 12-character password using only lowercase letters (26 chars) has log₂(26¹²) ≈ 56 bits of entropy. The same 12 characters using uppercase + lowercase + digits + symbols (94 chars) gives log₂(94¹²) ≈ 79 bits. General guidelines: below 40 bits is weak and crackable quickly with modern hardware; 60–80 bits is strong for most accounts; 100+ bits is very strong and impractical to crack even with significant computing resources. Length increases entropy more efficiently than adding character types: a 20-character lowercase password (94 bits) is stronger than a 12-character mixed-charset password (79 bits). The entropy meter in this generator shows the exact bit count so you can make an informed choice rather than guessing.

Passphrases vs Passwords: Which Should You Use?

Passphrases — sequences of random words like cloud-bridge-falcon-river — have two advantages over traditional random-character passwords: they are easier to remember and type, and they can be longer (more entropy) without being harder to use. A 4-word passphrase drawn from a 7,776-word wordlist has log₂(7776⁴) ≈ 51 bits of entropy. A 5-word passphrase reaches ≈ 64 bits — equivalent to a 12-character random string with full charset. For accounts you need to type from memory (laptop login, password manager master password, Wi-Fi password), passphrases are generally the better choice. For accounts where you copy-paste from a password manager, a fully random 20-character string is equally strong and slightly more compact. The key rule for both: never reuse. Use a different password or passphrase for every account. If one site is breached, unique passwords ensure the attacker cannot access your other accounts.

Frequently Asked Questions

Is this password generator truly random?: Yes. ToolMint uses the Web Crypto API (crypto.getRandomValues) — a cryptographically secure pseudo-random number generator (CSPRNG) built into browsers. It does not use Math.random().
What is password entropy and why does it matter?: Entropy (measured in bits) represents how unpredictable a password is. Higher entropy means more combinations an attacker must try. 60+ bits is generally considered strong; 100+ bits is very strong.
What is a passphrase and why use one?: A passphrase is a sequence of random words (e.g. river-table-flame-book) that is both memorable and highly secure. Four or more random words can reach 50+ bits of entropy while being easier to type and recall than a random character string.
What does 'exclude ambiguous characters' do?: It removes characters that look similar in many fonts — 0, O, I, l, 1, and others — reducing the chance of transcription errors when typing a password manually.
Are generated passwords sent to a server?: No. All randomness is generated client-side using the Web Crypto API. No password ever leaves your browser.

Developer Tools