Random Password Generator | Web Crypto, No Weak Fallback

SecurityRuns in Your Browser (No Uploads)

Generate one random password from browser Web Crypto with an 8-to-128-character bound, explicit character sets, optional ambiguous-character removal, and an optional requirement to include every selected set. Indexes use rejection sampling and every-set mode conditions a uniform combined-alphabet sample instead of inserting biased mandatory characters. The displayed search-space size describes only the selected generator policy, while storage, reuse, phishing, server hashing, clipboard exposure, MFA, and destination compatibility remain separate responsibilities.

What to do next

Continue with a related workflow or open the next tool that usually follows this task.

How to Use This Tool

Check the destination's supported length and symbol rules. For a password-only login, prefer at least 15 characters; the 8-character lower bound exists for MFA and legacy compatibility, not as a universal recommendation.

Select the character sets the destination accepts. Keep several sets enabled when compatible, but do not treat composition as a substitute for length and uniqueness.

Leave ambiguous-character exclusion on when the password may be read or typed manually, or turn it off when the exact larger alphabet is acceptable.

Enable the every-selected-set option only when the receiving service requires it. Generation remains uniform within that conditional output space.

Generate the value, reveal it only when necessary, and confirm the length and conditional search-space estimate without interpreting the estimate as an account security score.

Save the unique result directly in a reputable password manager. Verify the complete value at the destination, enable MFA or a passkey where available, and remove temporary clipboard or downloaded plaintext copies.

When to Use This Tool

Unique website account passwords

Create a different long value for a new account, save it immediately in a password manager, and add MFA or a passkey rather than memorizing or reusing it.

Temporary administrative credentials

Generate a temporary database or administrator login password, transfer it through an approved secret channel, require rotation, and keep authorization and audit controls separate.

Router and Wi-Fi passphrases

Choose a service-supported alphabet and length for a router or Wi-Fi network, then change vendor defaults and protect access to the management interface.

Encrypted archive handoff

Create a random password for a password-protected archive only after confirming the archive format, key derivation, recipient workflow, and secure password handoff.

Non-production test accounts

Generate disposable credentials for an isolated test environment without copying real production passwords, then remove the account and secret when the test ends.

Common Mistakes

Reusing one generated password

A random password loses much of its value when copied to several accounts. Generate a different value for every account and keep it in a reputable password manager instead of a shared note, spreadsheet, chat, or source file.

Treating character variety as a security score

Uppercase, digits, and symbols may satisfy an old service rule, but composition alone does not prove security. Length, uniqueness, blocked-password checks at the verifier, rate limiting, MFA, recovery controls, and phishing resistance all matter.

Reading search-space bits as account safety

The displayed bit value measures the number of outputs allowed by the selected generator policy. It does not account for phishing, malware, keylogging, a compromised password manager, server-side hashing, credential stuffing, or account recovery.

Ignoring the receiving service

Some sites reject particular symbols, silently trim long values, normalize characters, or cap the field below the displayed maximum. Confirm the service rule and verify that the complete value was accepted before signing out.

Leaving plaintext copies behind

Reveal, clipboard, screenshots, shell history, browser extensions, password-manager capture, and the downloaded plaintext file can expose a value even though generation does not upload it to SimpleWebUtils. Clear or securely store temporary copies.

Examples

New password-only account

The output is illustrative; each run returns a different value. Store the generated result in a password manager and do not reuse it.

Input
Length 20; lowercase, uppercase, numbers, symbols; exclude ambiguous; require every selected set
Output
v7@qR4!nZ8#cW3%tK6_m

Service that rejects punctuation

Use a restricted alphabet only when the destination rejects symbols, then compensate with a longer service-supported length.

Input
Length 24; lowercase, uppercase, numbers; symbols off; exclude ambiguous; require every selected set
Output
K7v9nQ4xR8m3cW6tZ2p5yH9s

Temporary credential handoff

A temporary administrator password still needs a protected handoff, forced rotation, MFA, and an audit trail. A generated value is not an access-control workflow by itself.

Input
Length 32; all sets; exclude ambiguous; require every selected set
Output
x8#Vq4!nR7@cW3%tK6_mZ9?fH2+sY5d4

How unbiased browser password generation works

The browser source is crypto.getRandomValues(), which the Web Cryptography specification defines as cryptographically strong random values. The tool catches source failure and returns no output; Math.random() is never a fallback.

Each character index is drawn from a 32-bit unsigned value. Values above the largest exact multiple of the active alphabet size are discarded before modulo reduction, avoiding the modulo bias that occurs when 2^32 is not divisible by the alphabet size.

When every selected set is required, the engine generates a complete string uniformly from the combined alphabet and rejects any string missing a set. Conditioning a uniform sample this way keeps all accepted strings equally likely, unlike inserting required characters and shuffling with biased indexes.

The conditional output count is calculated exactly with inclusion-exclusion over the selected disjoint character sets. Its base-2 logarithm is shown as search-space bits. This is a generator-policy measurement, not an online crack-time estimate or overall account rating.

The range is 8 through 128 whole characters and the default is 20. NIST SP 800-63B-4 recommends a minimum of 15 for single-factor passwords, allows a minimum of 8 when the password is part of MFA, says verifiers should permit at least 64, and advises against verifier composition rules.

Normal generation stays in browser memory and analytics records only aggregate option metadata, not the result. Clipboard, reveal, download, screenshots, browser extensions, device security, password-manager storage, transit to the destination, and verifier-side hashing remain outside this generator's protection.

Frequently Asked Questions

How is the random value generated?

Generation requires crypto.getRandomValues(). Every character index is selected with rejection sampling, so leftover Uint32 values are discarded instead of reduced with a biased modulo operation. If Web Crypto is missing or fails, the tool returns no password and does not fall back to Math.random().

How long should I make a password?

The default is 20 characters. NIST SP 800-63B-4 says a single-factor password verifier should require at least 15 characters, while a password used as part of MFA may be at least 8, and verifiers should permit at least 64. A service can impose a different supported range, so use the longest unique value it accepts and store it in a password manager.

What does excluding ambiguous characters remove?

It removes 0, O, o, 1, I, and l from the selected sets so a value is easier to transcribe. The fixed symbol set does not include the vertical bar. Removing characters reduces the alphabet slightly, and the displayed search-space estimate accounts for that.

Should I require every selected character set?

It is a compatibility option for services that demand at least one character from every enabled set. The engine samples complete strings uniformly from the combined alphabet and rejects strings missing a selected set. NIST advises verifiers not to impose composition rules; length, uniqueness, blocklists, rate limits, MFA, and password-manager support are more important controls.

Is the search-space bit estimate a strength score?

It is log2 of the exact number of strings allowed by the selected policy, including the every-set condition when enabled. It describes this generator's output space, not password reuse, server storage, online guessing limits, phishing, malware, recovery, or overall account security.

Is the generated password uploaded or stored?

The generated value is not sent to a SimpleWebUtils application server during normal use. Only aggregate option metadata such as length and enabled-set count may be measured. The value still exists in browser memory and can be exposed by display, clipboard, downloads, screenshots, extensions, device compromise, or the site where you use it.

Can I use this output as an API or encryption key?

A password is a human-account credential, not a replacement for an API key, OAuth token, encryption key, recovery code, or cryptographic key generated under that system's own format and lifecycle. Use the destination platform's purpose-built generator for those secrets.

How This Tool Was Verified

Maintained and tested by Reviewed

Method: For “Enroll a password-only account that accepts at least 64 characters”, we entered the documented fixture in Random Password Generator and followed “Prepare a trusted generation and storage environment” before “Save before submitting and label the record precisely”. We compared the browser result with the stated output, then reviewed “Recording the password as deployment evidence” and “Trusting a successful submit without a fresh sign-in” as separate failure boundaries.

Expected result: The 24-character candidate met every selected character-set rule and the verified 15–64 character service limit; the workflow recorded the rules, not the generated secret, as evidence.

Sources and standards

Open the tested workflow

Related workflow guides

Use these focused guides when you need a practical workflow before opening the tool.

Workflow guide

Review a password candidate without false assurance

A password meter can reject obvious patterns, but it cannot certify an account. This workflow limits testing to new or synthetic candidates, prepares a trusted browser environment, checks the complete value without silent trimming, interprets zxcvbn scores and guess orders as rough model output, treats NIST length checkpoints as verifier requirements, performs breach monitoring and service controls separately, and records only non-secret decisions. The outcome is either reject and regenerate, accept provisionally for one account, or escalate to the destination's security policy without ever placing the tested value in a ticket, screenshot, analytics field, or shared note.

Workflow guide

Generate test fixtures without copying production data

Representative fixtures preserve the shape and constraints of production records without preserving real people, identifiers, or secrets. This workflow inventories a target schema, generates only bounded valid values, adds deliberate minimum, maximum, duplicate, empty, and malformed cases, validates the exported encoding in the real importer, and saves stable fixtures when tests must be reproducible.

Workflow guide

Create and store a unique password without plaintext leftovers

A random generator solves only the value-selection step. A reliable password workflow begins with the real service contract, uses a trusted device and a unique long value, saves the result in a password manager before submission, verifies that the destination accepted the complete value, enables phishing-resistant authentication where possible, records recovery material separately, removes clipboard and downloaded plaintext, and retains enough evidence to recover or revoke access without reusing the secret.

Related Tools

Continue with another maintained workflow

Browse All Tools