Example
Options
Length: 16 Upper / lower / digits / symbols: all on Count: 5
Output (5 passwords)
kP9$mNxL2#vQ8wRt B7@nFcZj5!hMqXyP T3Hd&bGw9eVuKsRn A8qN!fEc4uYmWxLp J6$kPwHt7@bVnRdM
Note
Uses `crypto.getRandomValues` — cryptographically secure unlike plain `Math.random`. Nothing leaves memory beyond your clipboard copy.
Usage / FAQ
When to use
- Generate strong temporary passwords on the fly
- Create API keys, seed phrases, or DB credentials
- Need a strong password when 1Password / Bitwarden isn't handy
- One-off passwords for test accounts
- When you want strong randomness, not a memorable passphrase
FAQ
- Q.What does it use instead of Math.random?
- A.The Web Crypto API's `crypto.getRandomValues`, backed by the OS CSPRNG. Math.random is predictable and unsuitable for security.
- Q.Are generated passwords saved on a server?
- A.No. Everything is in-browser; reloading the page wipes memory. Move good passwords to a password manager (1Password, Bitwarden) immediately.
- Q.Can I exclude lookalikes (0/O, l/1)?
- A.Yes, if the option is exposed. Excluding lowers entropy slightly, so bump the length by 1-2 to compensate.
Fun facts
NIST flipped its official position in the 2017 revision of SP 800-63B: enforced complexity rules *create weaker* passwords. Requirements like 'one uppercase + one symbol' nudge users toward predictable patterns (`Password1!`) that actually reduce entropy. Length first, no forced expiration — that's the current guidance.
NIST SP 800-63BXKCD #936 (2011) — 'correct horse battery staple' — made the case that a 4-word passphrase is both stronger *and* easier to remember than `Tr0ub4dor&3`. It instantly became a security-industry reference: equal entropy, but a more human-friendly distribution wins in practice.
XKCD #936A 16-character fully random password (charset 94) carries ~96 bits of entropy — every computer on Earth combined can't brute force it before the heat death of the universe. Eight characters? A single high-end GPU finishes in hours against SHA-256. Eight extra characters change the equation.
Wikipedia — Password strength
Related guides
Related tools
- Base64 Encode / Decode
Encode text to Base64 or decode Base64 back to text. Runs entirely in your browser, no data sent to any server.
- URL Encode / Decode
Percent-encode text for safe use in URLs, or decode percent-encoded URLs back to text. Runs entirely in your browser.
- UUID / ULID Generator
Generate UUID v4 (random), UUID v7 (time-ordered, RFC 9562), or ULID identifiers — all client-side via crypto.
- JWT Decoder
Decode the header and payload of a JSON Web Token. Signature is not verified (a public key is required). The token is processed entirely in your browser.
- JWT Encoder (HMAC)
Generate a signed JSON Web Token with HS256/HS384/HS512 (HMAC-SHA). Payload and secret stay in your browser — Web Crypto API based.
- SHA Hash
Compute SHA-1, SHA-256, SHA-384, or SHA-512 hash of text. Uses the browser's Web Crypto API; no data is sent to any server.
- Hex Encode / Decode
Encode text to hexadecimal or decode hex back to text. Supports UTF-8 multi-byte characters and tolerates whitespace.
- HTML Entity Encode / Decode
Encode HTML special characters (&, <, >, ", ') to entities, or decode named/numeric entities back to text.
- Number Base Converter
Convert numbers between bases (binary/octal/decimal/hex/base36) using BigInt for large integers. Auto-detects 0b/0o/0x prefixes.
- URL Parser
Decompose a URL into protocol, host, path, query parameters, and hash — read-only inspection.
- HMAC Generator
Compute HMAC (Hash-based Message Authentication Code) with SHA-1/256/384/512 using the Web Crypto API.
- HMAC Verify
Verify whether a given HMAC signature matches the message + secret. Constant-time comparison via Web Crypto API.
- MD5 Hash
Compute MD5 hash for text. Note: MD5 is broken for security — checksums and legacy compatibility only.
- Punycode (IDN)
Convert international domain names to/from Punycode (xn-- encoded ASCII). Uses native URL parser.
- HTTP Status Codes
Browse and search HTTP status codes (1xx-5xx) with descriptions and common usage.
- User-Agent Parser
Parse User-Agent strings into browser, OS, device, and engine fields.
- Bcrypt Hash
Hash passwords with Bcrypt or verify a plaintext against an existing hash. Configurable salt rounds.
- Cookie Parser
Parse Cookie or Set-Cookie strings into a table. Decode percent-encoded values. Supports Set-Cookie attributes (Path/Domain/Max-Age/SameSite/HttpOnly/Secure).
- IP / CIDR Calculator
Compute network address, broadcast, host range, mask, and host count from an IPv4 + CIDR.
- cURL Builder
Build cURL commands from URL/method/headers/body. Auto-detects JSON content-type.