How does this password generator work?

This generator uses crypto.getRandomValues() from the Web Crypto API with rejection sampling to eliminate modulo bias, ensuring every character has an equal probability of selection. It guarantees at least one character from each selected character set, then shuffles with a crypto-secure Fisher-Yates algorithm to avoid positional bias.

Are generated passwords stored or transmitted?

No. This generator runs entirely client-side in your browser. No passwords are transmitted, stored, or logged on any server.

What is a Secret Key and when should I use it?

A Secret Key in this tool generates a base64url-safe string using characters A-Z, a-z, 0-9, -, and _. These are ideal for machine secrets, API keys, and .env variables because they work anywhere without escaping.

What is rejection sampling and why does it matter?

Rejection sampling eliminates modulo bias — a subtle flaw where some characters are selected slightly more often than others when mapping random numbers to a character pool. By discarding values that would cause bias and resampling, every character has a mathematically equal probability of being chosen.

Secure Password Generator | Crypto-Secure Random Passwords

Q: What makes a strong password?

A strong password has high entropy — a large number of possible combinations. The key factors are length (each additional character multiplies combinations), character diversity (using uppercase, lowercase, numbers, and symbols expands the pool), and true randomness from a cryptographic source. A 20-character password from a 93-character pool has roughly 130 bits of entropy.

What This Tool Does

Generates random passwords using crypto.getRandomValues() from the Web Crypto API.
Uses rejection sampling to eliminate modulo bias, ensuring every character in the pool has an equal probability of being selected
Guarantees at least one character from each selected character set, then shuffles with a crypto-secure Fisher-Yates algorithm to avoid positional bias
Calculates and displays real-time entropy in bits so you can gauge password strength against brute-force attacks
Generates base64URL encoded secrets that can be used as programmatic credentials

This generator runs entirely client-side. No passwords are transmitted, stored, or logged on any server.

What Makes a Strong Password

Password strength comes down to entropy, which is the number of possible combinations an attacker would need to try. A password with 128 bits of entropy would take billions of years to crack with current hardware.

There are a few key factors that determine entropy:

Length matters most. Each additional character multiplies the number of possible combinations. A 20-character password from a 93-character pool has roughly 130 bits of entropy, which is well beyond what brute-force attacks can touch.
Character diversity helps. Using uppercase, lowercase, numbers, and symbols expands the pool of possible characters. A password drawn from all four sets (93 characters) is significantly stronger than one using only lowercase letters (26 characters) at the same length.
Randomness is non-negotiable. A long password like aaaaaaaaaaaaaaaa has zero effective entropy because it's trivially guessable. True randomness from a cryptographic source is what turns length and diversity into actual security.
Avoid dictionary words and patterns. Attackers don't just brute-force; they use wordlists, common substitutions (like @ for a), and keyboard patterns. Randomly generated passwords sidestep all of these attack vectors.
Never reuse passwords. Even a strong password becomes a liability if it's used across multiple services. A breach on one site gives attackers the key to every other account using the same credentials. Use a unique password for every service and store them in a password manager.

What is a Secret Key

A secret key is a machine-generated credential used to authenticate services, sign tokens, and secure API communication. These should always come from a cryptographically random source, not a human-memorable string.

This tool generates secret keys using a base64url-safe character set: A-Z, a-z, 0-9, -, and _. Base64url characters are safe to use in .env files, HTTP headers, and URLs without escaping or encoding.

When generating a secret as an HMAC signing key, the key must meet a minimum bit-strength to match the algorithm's security level. HS256 requires at least 256 bits (43 characters), HS384 requires 384 bits (64 characters), and HS512 requires 512 bits (86 characters). The HMAC preset in Secret Key mode sets the slider to the correct minimum automatically.

Need to validate a JWT signed with your secret? Try using our JWT Validator.

References & Specifications

The following standards and resources are relevant to password security and authentication best practices:

NIST SP 800-63B-4 — Authentication & Authenticator Management Current federal standards for authentication, including updated password length requirements and the removal of arbitrary complexity rules.
OWASP Authentication Cheat Sheet Practical guidance on implementing secure authentication systems, including password policies.
OWASP Password Storage Cheat Sheet Best practices for securely hashing and storing passwords, including recommendations for Argon2, bcrypt, salting, and password verification.
RFC 4086 — Randomness Requirements for Security Defines what constitutes cryptographically strong randomness and why it matters for security applications.