ruxox
Start
Start
Security / Passwords

Password Generator

Generate strong, cryptographically random passwords in your browser. Customise length, character sets, and quantity. Your passwords never leave this tab.

Password Generator

Runs entirely in your browser — no server calls, no tracking.

Click Generate passwords to begin.

🔒 Your data never leaves this tab. This tool has no backend.

About this tool

About the Password Generator

This tool generates passwords using crypto.getRandomValues() — the browser's cryptographically secure pseudo-random number generator. It is the same entropy source used by password managers and security tools. The passwords are generated entirely in your browser; they are never transmitted, logged, or stored anywhere.

What makes a password strong?

Password strength is measured in bits of entropy. An 8-character password using all four character sets (95 printable ASCII characters) has log₂(95⁸) ≈ 52 bits of entropy — weak by modern standards. A 20-character password with the same character set has ≈131 bits — extremely strong. Length matters far more than complexity. A 20-character lowercase-only password is significantly stronger than an 8-character mixed-case password.

How to use generated passwords

Use a password manager (Bitwarden, 1Password, KeePass) to store generated passwords — never write them down or reuse them. For service accounts and API keys, prefer passwords of 32+ characters. For user-facing resets, 16–20 characters with all character sets is a good balance between strength and usability in most UI flows.

For systems that reject special characters, uncheck Symbols to generate an alphanumeric-only password. The tool recalculates immediately when you change options, so you can preview the character set before generating.

FAQ

Frequently asked questions

Is it safe to use browser-generated passwords?
crypto.getRandomValues() is a CSPRNG — the same underlying entropy source used by TLS key generation and OS-level random number generation. It is safe for generating passwords. The risk is not generation quality but storage: always use a password manager rather than writing generated passwords down.
Why is length more important than complexity?
Password strength = entropy = log₂(character_set_size ^ length). Increasing length multiplies entropy exponentially. Adding one character type (going from 62 to 95 chars) increases entropy by about 0.6 bits per character. Adding one character increases entropy by log₂(95) ≈ 6.6 bits. For the same effort, longer passwords are always stronger.
What length should I use for different use cases?
User accounts: 16–20 characters. Service accounts and SSH keys: 32+ characters. Encryption passphrases (where humans type them occasionally): consider a 6-word passphrase instead of a random string — equal or higher entropy and more typeable. API keys and secrets: 32–64 alphanumeric characters (no symbols) to avoid encoding issues.
What is the difference between random and cryptographically random?
A standard pseudo-random number generator (like Math.random()) is seeded from a predictable state and produces predictable sequences if the seed is known. A CSPRNG like crypto.getRandomValues() uses hardware entropy sources (CPU timing jitter, OS entropy pools) to produce values that cannot be predicted even with knowledge of previous outputs. Always use CSPRNG for security-sensitive generation.
Custom software

Need secure authentication built for your app?

ruxox builds production-grade auth systems, API security, and access control. Free scoping estimate in 48 hours.