Secure Password Generator: free, offline, cryptographically random
Generate strong passwords directly in your browser with one click. 32 characters by default, cryptographically secure randomness (CSPRNG), no server roundtrip, no storage, no tracking.
Uses crypto.getRandomValues with rejection sampling so every allowed character has exactly the same probability.
Length
Recommended: 20+ characters for sensitive accounts
Uppercase letters (A to Z)
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Lowercase letters (a to z)
a b c d e f g h i j k l m n o p q r s t u v w x y z
Digits (0 to 9)
Every digit, including 0, with exactly equal probability (rejection sampling, no modulo bias).
Useful when the password is typed on both QWERTZ and QWERTY keyboards.
Exclude ambiguous characters
Removes e.g. l 1 I O 0, helpful when typing the password by hand.
Settings are not saved
How random is "random"? This generator uses your browser's Web Crypto API (CSPRNG) and a rejection sampling routine that avoids the typical modulo bias. As a result, every allowed character, whether A, z, 5 or 0, has exactly the same probability of appearing. No network communication takes place at all.
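An added illustration of the rejection sampling described above (not this page's own source code): it draws bytes from crypto.getRandomValues, discards those that would cause modulo bias, and counts how uneven a plain `byte % 62` would be. The function names and the 62-character letters-plus-digits alphabet are assumptions.

```javascript
// Added example, not the generator's source. All names here are hypothetical.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; // 62 chars

// Web Crypto in browsers and current Node; the require() fallback covers older Node only.
const webCrypto = globalThis.crypto ||
  (typeof require === "function" ? require("node:crypto").webcrypto : null);

// Default byte source: one byte from the CSPRNG per call.
function csprngByte() {
  const buf = new Uint8Array(1);
  webCrypto.getRandomValues(buf);
  return buf[0];
}

// Rejection sampling: accept a byte only if it is below the largest multiple
// of n that fits in 256, so every index 0..n-1 is produced equally often.
function uniformIndex(n, nextByte = csprngByte) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("alphabet size must be 1..256");
  }
  const limit = 256 - (256 % n); // n = 62: limit 248, bytes 248..255 are discarded
  let b;
  do {
    b = nextByte();
  } while (b >= limit);
  return b % n;
}

function generatePassword(length = 32, alphabet = ALPHABET) {
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[uniformIndex(alphabet.length)];
  return out;
}

// Number of byte values (out of 256) that map to each index, with and
// without rejection. Without it, low indexes receive one extra byte value.
function byteValuesPerIndex(n, reject) {
  const limit = reject ? 256 - (256 % n) : 256;
  const counts = new Array(n).fill(0);
  for (let b = 0; b < limit; b++) counts[b % n]++;
  return counts;
}
```

With 62 characters, a plain `byte % 62` maps five byte values to each of the first eight characters and four to the rest, so those eight would appear 25% more often; rejecting bytes 248 to 255 removes the difference.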
What sets this password generator apart
Many online generators create passwords on the server side (the password leaves your machine) or use Math.random(), which is not cryptographically secure. Both are unsuitable for real security.
True randomness: crypto.getRandomValues provides cryptographically reliable numbers, paired with rejection sampling to defeat modulo bias.
Fully offline: no fetch, no third-party script, no CDN, no cookies, no LocalStorage.
Single file: just HTML, CSS and JavaScript. You can save the page and use it without internet.
Transparent: the source is visible and readable (right click, "View page source").
No storage: once you close the tab the password is gone, no history, no traces.
How to choose a truly strong password
Most important rule first: length beats complexity. A long password is mathematically more secure than a short one with lots of symbols.
At least 16 characters for normal accounts, 24 to 32 characters for email, banking, master passwords and server access.
One unique password per service. If a provider gets breached, your other accounts stay safe.
Use a password manager (e.g. KeePassXC, Bitwarden, 1Password). You only need to remember one strong master password.
Never reuse the same password and never build passwords from a pattern (e.g. Summer2024!); dictionary attacks crack those in seconds.
How long would an attacker need to crack it?
In an offline attack (the attacker has a leaked password hash and tries every combination locally), modern GPU rigs can run roughly 1 trillion attempts per second (against weak hashes like MD5 or SHA-1). Strong hashes like bcrypt or Argon2 are much slower, but we calculate conservatively here.
| Length | Character set | Combinations | Crack time (1T/s) |
|---|---|---|---|
| 8 | lowercase only | 2 · 10¹¹ | 0.2 seconds |
| 8 | letters + digits | 2 · 10¹⁴ | 3 minutes |
| 12 | letters + digits | 3 · 10²¹ | 100 years |
| 16 | letters + digits | 5 · 10²⁸ | 1.5 billion years |
| 20 | letters + digits | 7 · 10³⁵ | 10²² years |
| 32 | letters + digits (default) | 2 · 10⁵⁷ | effectively unlimited |
Values rounded, based on 62 possible characters (a to z, A to Z, 0 to 9) and 10¹² attempts per second.
Frequently Asked Questions
Is this password generator really secure?
Yes. We use only the Web Crypto API (crypto.getRandomValues), the cryptographically secure random number generator (CSPRNG) provided by the browser. On top of that, rejection sampling is used to avoid the typical modulo bias seen in other implementations, so every allowed character has exactly the same probability of appearing.
Are my passwords stored or transmitted?
No. The entire generation runs locally in your browser. There are no network requests, no cookies, no LocalStorage and no logs.
How long should a secure password be?
16 characters with mixed character sets is enough for normal online accounts. For critical access like email, banking or master passwords we recommend 24 to 32 characters. The default in this generator is 32 characters, which gives more than 190 bits of entropy and is robust even against future attacks.
Do I really need symbols?
Not strictly. Length beats complexity: a 24-character password of letters and digits is significantly more secure than an 8-character one with symbols. Symbols are useful when the service requires them or limits length.
What does the "Include Y and Z" option mean?
On German QWERTZ keyboards y and z are swapped compared to English QWERTY keyboards. If you sometimes type passwords on English keyboards, you can optionally exclude these letters to avoid typos.
What are "ambiguous characters"?
Characters like l, 1, I, O and 0 look very similar in some fonts. If you're typing a password from paper or a screen, it helps to exclude these characters.
Does the password generator work offline?
Yes. After the first load you can use the page without an internet connection. You can save the page locally via "Save as" and keep using it.
Which browsers are supported?
All modern browsers (Chrome, Firefox, Edge, Safari, Brave, Opera) from around 2017 onwards. The only requirement is support for the Web Crypto API.