A private generator with a clear boundary
Passwords are generated on this device by your browser using the Web Crypto API. The generator does not send, log, or save generated passwords. Regenerating, changing settings, selecting results, and copying do not create password-bearing network requests.
How to use it safely
- Choose a length accepted by the service. For a password used as the only login factor, prefer at least 15 or 16 characters.
- Keep uppercase letters, lowercase letters, and numbers enabled. Add symbols when the destination service accepts them.
- Generate a different password for every account.
- Save the result in a trusted password manager instead of reusing or memorizing a predictable pattern.
- Enable MFA or a passkey whenever the service offers it.
Why the default score is medium
The tool keeps the existing 10-character default for compatibility, but it does not label that default “strong.” Length is one of the most important controls against password guessing. A 15–19 character result is labeled strong, while 20 or more characters can be labeled very strong when the selected character pool is sufficiently broad.
What local generation does not protect against
Local generation cannot stop phishing, malicious browser extensions, device malware, keyloggers, unsafe clipboard managers, or someone watching a shared screen. After copying, the password may remain in the operating system clipboard until another value replaces it. Treat the generated value as a secret as soon as it appears.
Verify the claim yourself
Open your browser developer tools, select the Network panel, clear the request list, and then regenerate, change settings, and copy a password. Those actions should not produce Fetch, XHR, or Beacon requests containing the password. The implementation uses crypto.getRandomValues() and rejection sampling instead of Math.random() or biased modulo selection.