acento.io
Text utility

Password Generator

Create strong, random passwords instantly — 100% client-side, so the password never leaves your browser.

By Carlos Suárez, Systems engineer

What this password generator does

This English-language password generator creates cryptographically random passwords directly in your browser using the Web Crypto API — the same standard your browser uses to secure HTTPS connections. Every character is drawn with crypto.getRandomValues() and rejection sampling to eliminate modulo bias, so no position is statistically more likely than another.

100% client-side — your data never leaves your browser. No uploads, no tracking, no server logs. Most online random password generators send your configuration to a server, meaning the result is technically visible to server logs and CDN caches. Here, generation happens entirely on your device.

You also get a live entropy meter measured in bits, so you see exactly how hard your password is to brute-force — not a vague label, but a real number grounded in information theory.

Features

  • Cryptographically secure randomness. Uses crypto.getRandomValues() with rejection sampling — not Math.random(), which is deterministic and unsuitable for secrets. The result meets the entropy requirements described in NIST 800-63B.
  • Live entropy meter in bits. The entropy display updates as you change length and charset options, giving you a concrete measure (e.g. 82 bits) instead of a color-coded guess. At 128 bits you're beyond the reach of any realistic brute-force attack.
  • Flexible charset controls. Toggle lowercase, uppercase, digits, and symbols independently. Enable 'Exclude ambiguous' to drop characters like 0, O, 1, l, and I that are easy to misread in print — at a small entropy cost that you can compensate by adding length.
  • Configurable length from 8 to 128. Short passwords for throwaway accounts, long ones for disk-encryption passphrases. NIST 800-63B recommends prioritizing length over forced complexity rules — a 20-character random password beats an 8-character one with mandatory symbols every time.
  • No-consecutive-repeat mode. Prevents the same character from appearing back-to-back. Useful when a service rejects repeated characters, though it reduces entropy slightly — the meter reflects this automatically.
  • One-click copy. Hit Copy and the password goes straight to your clipboard. The button confirms with 'Copied' so you know it worked before navigating away.
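The arithmetic behind an entropy meter with these options, as an added example (not the tool's own code). The symbol list, the five-character ambiguous set and the no-repeat model (each later position drawn uniformly from the characters that differ from its predecessor) are assumptions.

```javascript
// Assumed character classes; the tool's actual symbol list is not given on the page.
const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{};:,.?',
};
// Assumption: exactly the five look-alike characters the page names.
const AMBIGUOUS = new Set('0O1lI');

// Build the effective charset from the enabled toggles.
function buildCharset(opts) {
  let chars = '';
  for (const [name, set] of Object.entries(CLASSES)) {
    if (opts[name]) chars += set;
  }
  if (opts.excludeAmbiguous) {
    chars = [...chars].filter((c) => !AMBIGUOUS.has(c)).join('');
  }
  if (chars.length < 2) throw new RangeError('charset needs at least two characters');
  return chars;
}

// Bits of entropy for a uniformly random password of `length` over `n` characters.
// In no-repeat mode the first position has n choices and every later position
// has n - 1 (anything except the previous character).
function entropyBits(length, n, noRepeat = false) {
  if (length < 1) return 0;
  return noRepeat
    ? Math.log2(n) + (length - 1) * Math.log2(n - 1)
    : length * Math.log2(n);
}

// Smallest length whose entropy reaches `targetBits` under the given options;
// use it to see how much length compensates for a smaller charset.
function lengthForBits(targetBits, n, noRepeat = false) {
  let length = 1;
  while (entropyBits(length, n, noRepeat) < targetBits) length++;
  return length;
}
```

Calling lengthForBits(entropyBits(16, 85), 80) shows how many characters restore the bits lost when the 85-character set shrinks to 80 after excluding ambiguous characters.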

How to use the password generator

Set your options, click Generate, then copy. If you need a quick token from the command line instead, openssl rand -base64 12 works well for short secrets.

  1. Set the length. Drag the slider or type a number. For a password manager master password, aim for 20+ characters. For an SSH key passphrase, 24–32 is a reasonable floor.
  2. Choose your charset. Enable or disable lowercase, uppercase, digits, and symbols. Watch the entropy meter — adding symbols to a short password adds less entropy than simply increasing the length.
  3. Enable exclusions if needed. Turn on 'Exclude ambiguous' if you'll ever need to read the password aloud or type it from a printout. The entropy drop is small; add two or three characters of length to compensate.
  4. Generate and copy. Click Generate password. A new cryptographically random password appears instantly. Click Copy, then paste it into your password manager or target field.
  5. Repeat freely. Every click produces a fresh independent password. Generate as many as you need — nothing is stored, logged, or transmitted anywhere.

Common use cases

  • Master passwords for password managers. A password manager is only as strong as its master password. Generate a 24-character random password here, write it on paper stored securely, and never reuse it anywhere else.
  • SSH and server passphrases. When provisioning a new server in Austin or London, you need a passphrase that survives a dictionary attack. A 20+ character random password with mixed charsets is far stronger than any memorable phrase.
  • API tokens and webhook secrets. When a service lets you set your own webhook secret rather than generating one, use this tool for a 32-character random string. You can also use Array.from(crypto.getRandomValues(new Uint8Array(16)), b => b.toString(16).padStart(2,'0')).join('') directly in your Node.js setup script for the same effect.
  • Throwaway and test account passwords. Even for a forum account you'll use once, a weak password is a liability if you reuse it. Generate a random one, let your browser save it, and move on. If you also need filler text for form testing, our [lorem ipsum generator](/en/lorem-ipsum-generator/) pairs well for that.
  • Disk encryption and recovery keys. Full-disk encryption keys should be long, random, and stored offline. Generate a 32-character password, print it, and keep it separate from the device it protects.

Frequently asked questions

Does this tool send my password to a server?

No. Generation runs entirely in your browser using the Web Crypto API. Nothing is transmitted, logged, or cached. You can disconnect from the internet before clicking Generate and it still works. This is the core difference from most online password generators, where server access logs technically record what was requested.

Why does the tool show entropy in bits instead of 'strong' or 'weak'?

Strength labels like 'strong' are relative and often misleading. Entropy in bits is a precise measure: 40 bits means roughly a trillion possible combinations; 80 bits puts brute-force out of reach for any realistic attacker. NIST 800-63B uses this framing explicitly, recommending length over complexity rules precisely because bits of entropy is the honest metric.

Is Math.random() safe for generating passwords?

No. Math.random() is a pseudorandom number generator seeded from system state — it is fast but predictable to an attacker who knows the seed or the engine's internal state. Always use crypto.getRandomValues() for anything security-sensitive. The distinction is the same reason your bank doesn't shuffle a deck of cards to generate your PIN.

Does excluding ambiguous characters make my password weaker?

Slightly — dropping characters like 0, O, 1, l, and I reduces your effective charset size, which lowers entropy by roughly 5–10 bits depending on your settings. The live entropy meter reflects this immediately. Compensate by adding two or three characters of length; the readability trade-off is usually worth it if you ever need to type the password manually.

How long should a secure password be?

For most accounts, 16 characters from a mixed charset gives you around 100 bits of entropy — well beyond practical brute-force. For master passwords or encryption keys, 24–32 characters is a sensible target. NIST 800-63B is explicit: length is more important than complexity rules that force symbols but allow short passwords.

What is modulo bias and why does it matter?

When you map random bytes to a charset using the modulo operator (byte % charsetSize), characters at the start of the charset appear slightly more often when the charset size is not a power of two. This creates a statistical skew an attacker can exploit. This generator uses rejection sampling — bytes that would introduce bias are discarded and redrawn — so every character position is truly uniform.
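The bias and its fix side by side, as an added example (not the generator's own code): byteHistogram counts exactly how many of the 256 byte values map to each charset index with and without rejection, and generatePassword applies the rejection rule to crypto.getRandomValues() output. The 70-character charset and all function names are assumptions.

```javascript
// Browsers and Node 19+ expose globalThis.crypto; older Node falls back to the webcrypto export.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Assumed charset (not the tool's actual list): 26 + 26 + 10 + 8 symbols = 70 characters.
const CHARSET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*';

// Largest multiple of n that fits in one byte; bytes at or above it are rejected.
function rejectionLimit(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('charset size must be between 1 and 256');
  }
  return 256 - (256 % n);
}

// Exact number of byte values (0..255) that land on each charset index.
// Plain modulo gives the first 256 % n indexes one extra hit; with rejection
// every index receives the same count.
function byteHistogram(n, useRejection) {
  const limit = useRejection ? rejectionLimit(n) : 256;
  const counts = new Array(n).fill(0);
  for (let b = 0; b < limit; b++) counts[b % n]++;
  return counts;
}

// Draw `length` characters uniformly from `charset` using rejection sampling.
function generatePassword(length, charset = CHARSET) {
  const n = charset.length;
  const limit = rejectionLimit(n);
  const out = [];
  const buf = new Uint8Array(64);
  while (out.length < length) {
    webCrypto.getRandomValues(buf);      // refill with fresh CSPRNG bytes
    for (const b of buf) {
      if (b >= limit) continue;          // biased tail: discard and redraw
      out.push(charset[b % n]);
      if (out.length === length) break;
    }
  }
  return out.join('');
}
```

With this 70-character set, plain modulo maps four byte values to each of the first 46 characters and three to the rest; rejecting bytes 210 to 255 leaves three for every character.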