Super Simple Digital ToolsFree online tools & calculators

Password Generator

Generate strong, random passwords in your browser — with live strength and entropy. Nothing is ever sent to a server.

Your password
Very weak0 bits of entropy

Passwords are generated entirely in your browser with crypto.getRandomValues and are never sent anywhere.

How to use the Password Generator

  1. Set the length. Drag the slider to choose how many characters your password should have — longer is stronger.
  2. Pick character types. Turn lower-case, upper-case, numbers and symbols on or off, and optionally exclude ambiguous characters.
  3. Copy it. Hit Copy to send the generated password to your clipboard, or Regenerate for a new one.

Why use our Password Generator

Cryptographically secure. Passwords use the browser's crypto.getRandomValues — true CSPRNG randomness, not Math.random().
Fully private. Everything happens on this page. Your password is never transmitted, logged or stored on a server.
Tune every detail. Set the length and toggle lower-case, upper-case, numbers, symbols and ambiguous characters.
See the strength. A live strength rating and entropy estimate (in bits) update with every change.

Free to use — premium coming soon

FREE
  • Unlimited passwords
  • Custom length & character sets
  • Live strength & entropy
  • One-click copy
PREMIUM
  • Remove ads
  • Bulk password generation
  • Passphrase mode

About the Password Generator

This password generator builds strong, random passwords directly in your browser using the Web Crypto API's crypto.getRandomValues, the same operating-system randomness source used for security-sensitive work. You choose the length and which character sets to include (lowercase, uppercase, digits, symbols), and the tool assembles a password by drawing each character from the pool without bias. As you adjust the controls, a live readout shows the password's entropy in bits and a plain-language strength label, so you can see exactly how a longer length or an extra character set changes the math rather than guessing.

Reach for this tool whenever an account, database, Wi-Fi network, or encryption key deserves a unique secret you will never reuse. Random passwords are valuable precisely because they have no pattern: there is no birthday, pet name, or keyboard walk for an attacker to guess, so the only route in is brute force across the full key space. It pairs well with a password manager, which removes the need to memorize the result. The optional 'exclude ambiguous characters' switch drops look-alikes such as l, 1, I, O, and 0, which is handy when a password may be read aloud, typed on a phone, or transcribed from a screen.

Strength is measured with entropy, calculated as length multiplied by the base-2 logarithm of the character-pool size. A 12-character password drawn from the full 94-character printable-ASCII set carries roughly 78 bits of entropy, while 16 characters from the same pool exceeds 100 bits and is far beyond practical brute-force reach. Including more character types enlarges the pool, but adding length usually buys more strength per keystroke, which is why modern guidance favors longer passwords over short, complex ones. The bit count shown updates instantly as you change settings, giving you a concrete target instead of a vague 'weak/strong' guess.

Privacy is built into how this tool works: every password is generated locally in your browser and is never sent to our servers, logged, or stored. The output exists only in your tab's memory and on your clipboard until you clear it, so closing the page disposes of it. This matters because a generated secret should never travel over a network where it could be intercepted or retained. Note that crypto.getRandomValues produces cryptographically secure randomness, unlike Math.random, which is predictable and unsafe for passwords; using the secure source is what makes the entropy figures shown here meaningful rather than cosmetic.

Frequently asked questions

How long should my password be?

For important accounts, aim for at least 16 characters; current NIST guidance recommends a minimum of 8 and suggests 15 or more, allowing passphrases up to 64 characters. Longer is reliably stronger, so when a site permits it, increase the length before worrying about adding more symbol types.

Are the passwords this tool generates truly random?

Yes. They are produced with the browser's crypto.getRandomValues, which draws from your operating system's cryptographically secure random number generator. That is far safer than Math.random, whose output can be predicted and should never be used for passwords.

What does the entropy figure in bits actually mean?

Entropy estimates how many guesses an attacker would need on average to find your password, calculated as length times log2 of the character-pool size. Roughly, 60-80 bits is strong and 80+ bits is very strong; each extra bit doubles the guessing effort required.

Why would I exclude ambiguous characters?

Look-alikes such as the lowercase l, uppercase I, digit 1, uppercase O, and digit 0 are easy to confuse when a password is read aloud, typed on a phone, or copied from a screen. Excluding them slightly shrinks the character pool but prevents transcription errors.

Is it safe to generate a password on a website?

With this tool, yes, because generation happens entirely in your browser and the password is never transmitted or stored on our servers. The result stays in your tab and clipboard, so it is wise to save it in a password manager and then clear your clipboard afterward.

From our blog

Base64 Encoding and Decoding: A Practical Guide for Developers

By the Super Simple Digital Tools Team · Updated June 2026

If you have ever opened a raw email source, peeked inside a JSON Web Token, or seen a giant string of letters where an image should be, you have met Base64. It is one of the most quietly ubiquitous tools in computing, yet it is also one of the most misunderstood. The short version: Base64 is a way to represent any sequence of bytes using a small, safe set of text characters so that data can travel through systems that only expect text. Understanding it removes a lot of mystery from logs, APIs, and config files.

The motivation is historical and still practical. Many foundational protocols, email transport being the canonical example, were built to carry plain ASCII text. Feed them raw binary, or even certain control characters, and bytes get dropped, altered, or interpreted as commands. Base64 sidesteps this by re-expressing the data using only 64 universally safe characters. The encoder groups the input into 24-bit chunks and slices each chunk into four 6-bit pieces, mapping each piece to one character from the alphabet A-Z, a-z, 0-9, plus + and /. The decoder simply reverses the process.

Knowing when to use Base64 matters as much as knowing how. It shines for email attachments, small inline images and fonts in CSS via data: URIs, embedding binary blobs in JSON or XML, and packing values into tokens. It is a poor fit for large files on the web: a data: URI inflates the asset by a third and forces the browser to parse a huge string, so a normal file URL and a separate request usually win. As a rule, use Base64 to make data portable, not to store or shrink it, and never as a security measure.

The most common bug developers hit is character encoding. In the browser, the built-in btoa() function only accepts characters in the Latin1 range, so the moment you feed it an emoji or a non-Latin letter it throws an error. The fix is to convert the string to UTF-8 bytes first, then Base64-encode those bytes, and to reverse both steps on decode. This tool does exactly that under the hood, so a paste containing any language or symbol round-trips faithfully instead of silently producing garbled output.

When you decode, treat unexpected results as a clue rather than a failure. A string that will not decode cleanly is often Base64URL (using - and _ instead of + and /), is missing its = padding, or has stray whitespace and line breaks from being wrapped in an email or config file. Strip the noise, restore the padding so the length is a multiple of four, and convert the variant if needed. With the encoding understood, what looked like a wall of random characters becomes plainly readable data again.

  • Use Base64URL (- and _ in place of + and /) whenever the string goes into a URL, query parameter, filename, or JWT, since + and / are not URL-safe.
  • Remember the string length is always a multiple of four; if a decode fails, check for missing = padding or stray line breaks copied in from email or config files.
  • Avoid Base64-encoding large images or files for the web. The 33% size increase and parsing cost usually outweigh the saved HTTP request beyond a few kilobytes.
  • Never store secrets as Base64 thinking it hides them. It is trivially reversible, so encrypt sensitive data and use Base64 only for safe transport.

Read the full guide →

Tool by the Super Simple Digital Tools Team. Reviewed by our editorial team. Free to use, no signup required.

Related tools

Password Strength TesterWord CounterQR Code GeneratorCase ConverterJSON FormatterBase64 Encoder / Decoder