A private generator with a clear boundary
This free random password generator creates strong, secure passwords on your device using the browser’s Web Crypto API. It does not require an account, does not generate passwords on a server, does not upload generated passwords, and does not include generated passwords in analytics or advertising events.
PwdGen works in modern browsers including Chrome, Edge, Safari, Firefox, and current mobile browsers that expose Web Crypto. If Web Crypto is unavailable, the generator fails closed instead of silently falling back to insecure randomness.
Trust at a glance
- Private by design: passwords are generated and evaluated in the current browser session.
- Cryptographically secure randomness: random choices come from crypto.getRandomValues(), not Math.random().
- No server-side password generation: PwdGen does not need to receive the generated value to create it.
- Clear methodology: the security methodology explains rejection sampling, entropy estimates, and limits.
- Transparent privacy policy: the privacy page explains what is and is not collected.
How to use it safely
- Choose a length accepted by the service. For a password used as the only login factor, prefer at least 15 or 16 characters.
- Keep uppercase letters, lowercase letters, and numbers enabled. Add symbols when the destination service accepts them.
- Generate a different password for every account.
- Save the result in a trusted password manager instead of reusing or memorizing a predictable pattern.
- Enable MFA or a passkey whenever the service offers it.
For a deeper walkthrough, read how to create a strong password, compare how long a password should be, and learn how password managers, MFA, and passkeys work together.
You can also browse the password tools hub, the password security guides, or the browser support page.
Why the default score is medium
The tool keeps the existing 10-character default for compatibility, but it does not label that default “strong.” Length is one of the most important controls against password guessing. A 15–19 character result is labeled strong, while 20 or more characters can be labeled very strong when the selected character pool is sufficiently broad.
Random password generator options
Choose a length from 6 to 64 characters and generate 5, 10, or 20 passwords at once. You can include uppercase letters, lowercase letters, numbers, and symbols, or exclude similar characters such as 0, O, 1, I, and l. Every result includes at least one character from each enabled character source.
What local generation does not protect against
Local generation cannot stop phishing, malicious browser extensions, device malware, keyloggers, unsafe clipboard managers, or someone watching a shared screen. After copying, the password may remain in the operating system clipboard until another value replaces it. Treat the generated value as a secret as soon as it appears.
Verify the claim yourself
Open your browser developer tools, select the Network panel, clear the request list, and then regenerate, change settings, and copy a password. Those actions should not produce Fetch, XHR, or Beacon requests containing the password. The implementation uses crypto.getRandomValues() and rejection sampling instead of Math.random() or biased modulo selection.
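A sketch of the technique named above: rejection sampling over crypto.getRandomValues(), one character guaranteed from each enabled source, and a hard failure when Web Crypto is missing. This is an added example, not PwdGen's own source; the character sets, the function names and the Node fallback line are assumptions made for illustration.

```javascript
// Constructed character sets for illustration; PwdGen's real sets are not shown on the page.
const SETS = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{}",
};

// Browser Web Crypto; the require() branch only lets the example run under older Node.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Uniform integer in [0, n) by rejection sampling: draws at or above the largest
// multiple of n that fits in 2^32 are discarded, so plain modulo cannot favour low values.
function randomBelow(n) {
  if (!webCrypto || typeof webCrypto.getRandomValues !== "function") {
    // Fail closed: never substitute Math.random().
    throw new Error("Web Crypto unavailable: refusing to generate a password");
  }
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError("bad bound");
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, enabled) {
  const sets = enabled.map((name) => SETS[name]);
  if (sets.length === 0 || sets.includes(undefined)) throw new Error("no valid character source");
  if (length < sets.length) throw new RangeError("length too short for enabled sources");
  const pool = sets.join("");
  // One guaranteed character per enabled source, the rest drawn from the whole pool.
  const chars = sets.map((s) => s[randomBelow(s.length)]);
  while (chars.length < length) chars.push(pool[randomBelow(pool.length)]);
  // Fisher-Yates shuffle so the guaranteed characters do not sit at fixed positions.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");
}
```

With a 6-value bound, for example, `limit` is 4294967292, so the four highest 32-bit draws are rejected and redrawn rather than folded onto 0 through 3.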