The TextKit Password Generator creates random passwords from a character set you control. Set the length from 6 to 64 characters, toggle uppercase, lowercase, numbers, and symbols on or off, optionally strip ambiguous characters (O, 0, I, l, 1, |), and get a fresh password every time you click shuffle. A strength badge tells you at a glance whether your settings produce a weak, good, or strong password.
Strong passwords are the single most important layer of account security, and the research is unambiguous: length matters more than complexity, randomness matters more than memorability, and unique passwords per site matter more than either. This tool is built for everyday users, developers, and IT folks who need a strong random password fast — for a new account, a shared resource, a test database, or a security reset.
How to use this tool
- Set the length. Drag the slider between 6 and 64 characters. Longer is stronger — 16 is a sensible default for most accounts.
- Toggle character types. Tick uppercase, lowercase, numbers, and symbols on or off. At least one of each type is recommended for sites with complexity rules.
- Optionally exclude ambiguous characters. Tick 'No ambiguous' to strip O, 0, I, l, 1, and | — useful for passwords people will read aloud or type from printouts.
- Copy and use. Click copy to grab the generated password. Store it in a password manager — never reuse it across accounts.
How it works
The generator builds a character pool from the sets you've selected — uppercase (26 letters A–Z), lowercase (26 letters a–z), digits (10, 0–9), and a symbol set of 32 printable ASCII punctuation characters. If you tick “No ambiguous”, six look-alike characters (O 0 I l 1 |) are stripped from the pool to prevent transcription errors. The total pool size ranges from 26 (lowercase only) to 94 (all four sets, ambiguous included).
For each of the N positions in your password, the generator picks one character uniformly at random from the pool using Math.floor(Math.random() * pool.length). Uniform random selection is critical — it means every character in the pool is equally likely at every position, which is what gives the password its entropy. (More on randomness source in a moment.)
Entropy is the technical measure of a password's strength, expressed in bits. The formula is entropy = length × log₂(pool_size). For a 16-character password drawn from the full pool of 94 characters: 16 × log₂(94) = 16 × 6.55 ≈ 104.9 bits. For comparison, an 8-character password from the same pool is 8 × 6.55 ≈ 52.4 bits, and a 12-character one is 78.7 bits. Each additional character adds about 6.55 bits — roughly a doubling of cracking time per character.
To put those numbers in perspective: a password with 50 bits of entropy can be cracked by an offline attack (10 billion guesses per second, feasible with a modern GPU rig) in a few days. A 60-bit password takes years. A 78-bit password takes hundreds of thousands of years. A 105-bit password is effectively uncrackable by brute force with any foreseeable classical hardware. This is why security guidance has shifted from “use complex characters” to “use long passwords” — length wins.
The strength badge uses a simple, conservative rule: Strong if the password is at least 16 characters long and includes both symbols and numbers; Good if it's at least 12 characters; Weak otherwise. This rule intentionally rewards length over complexity because, for most threat models, length is what matters. A 20-character lowercase-only password (~94 bits of entropy) is dramatically stronger than an 8-character password with every character type (~52 bits).
One honest caveat about the randomness source. The generator uses JavaScript's Math.random(), which is a fast pseudo-random number generator (PRNG) but is not cryptographically secure (CSPRNG). For most everyday purposes — test databases, shared resources, accounts that don't hold your most sensitive data — this is fine. For your highest-value accounts (banking, primary email, password manager master password), prefer a generator that uses crypto.getRandomValues(), such as the one built into your browser or password manager. The difference matters only if an attacker has compromised your browser session, but for crown-jewel accounts, the extra paranoia is worth it.
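The pool construction, entropy formula and badge rule described above, with each character drawn from crypto.getRandomValues() instead of Math.random(). This is an added example, not TextKit's own code; the function names, the exact 32-character symbol string, and applying the badge rule to the selected settings are assumptions.

```javascript
// Added illustration, not TextKit's source. All names here are hypothetical.
// Web Crypto is global in browsers and Node 19+; older Node exposes it via node:crypto.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const SETS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // 32 ASCII punctuation characters
};
const AMBIGUOUS = new Set('O0Il1|');

function buildPool(opts) {
  let pool = '';
  for (const name of Object.keys(SETS)) if (opts[name]) pool += SETS[name];
  if (opts.noAmbiguous) pool = [...pool].filter((c) => !AMBIGUOUS.has(c)).join('');
  if (pool.length === 0) throw new Error('select at least one character set');
  return pool;
}

// Uniform index in [0, n) from a CSPRNG. Rejection sampling discards values in the
// final partial bucket, so the `% n` below introduces no modulo bias.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { webCrypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, opts) {
  if (!Number.isInteger(length) || length < 6 || length > 64) throw new RangeError('length must be 6-64');
  const pool = buildPool(opts);
  let out = '';
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length)];
  return out;
}

// entropy = length × log2(pool_size), the formula given above.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Badge rule as stated above, evaluated on the selected settings (assumption).
function strengthBadge(length, opts) {
  if (length >= 16 && opts.symbols && opts.digits) return 'Strong';
  return length >= 12 ? 'Good' : 'Weak';
}
```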
Who uses this tool
- Generate a strong, unique password for each new account and store it in a password manager — never reuse passwords across sites.
- Generate test credentials, database passwords for local dev, or API secrets without reusing the same password across environments.
- Issue strong temporary passwords for new accounts and password resets, then force a change on first login.
- Generate high-entropy secrets for service accounts, rotation tokens, or one-time shared access.
- When a site you use is breached, generate a fresh replacement password immediately rather than reusing an old one.
- Generate a strong password for a shared Wi-Fi network, a family streaming account, or a team tool.
- Generate realistic-looking passwords for mockups, demos, and seed data without using real passwords.
- Generate long, high-entropy secrets for database users, JWT signing keys, or API tokens where a passphrase isn't required.
Examples
The recommended default for most accounts. Effectively uncrackable by brute force.
Adequate for most accounts; would take hundreds of thousands of years to crack offline.
Weak. Crackable offline in hours. Use only for low-value throwaway accounts.
Length beats complexity — this is far stronger than any 8-character mixed password.
Tips & best practices
- Default to 16+ characters with all four character types — that's ~105 bits of entropy, well above the 80-bit threshold for strong security.
- Length beats complexity. A 20-character lowercase password is dramatically stronger than an 8-character password with every symbol.
- Use a different password for every account. Reusing one password means a single breach compromises every account that shares it.
- Store generated passwords in a password manager (1Password, Bitwarden, KeePass) — don't try to memorize them.
- For your most sensitive accounts (banking, primary email, password manager master password), use a password generated by your browser or password manager, which use a CSPRNG rather than Math.random().
- Enable two-factor authentication wherever possible — a strong password plus 2FA is dramatically harder to compromise than a strong password alone.
- If a site limits password length (some cap at 16 or 20), use the maximum allowed length and all character types.
Common mistakes to avoid
- Using 8-character passwords with every character type — at ~52 bits, this is crackable offline in days. Length matters more than complexity.
- Reusing the same password across multiple accounts — a single breach compromises every account that shares the password.
- Storing generated passwords in a plain text file, sticky note, or browser autofill on a shared device — use a real password manager.
- Assuming 'complex' means 'strong' — 'P@ssw0rd1!' has every character type but only ~33 bits of entropy because it follows a predictable pattern. Randomness is what creates entropy.
- Trusting Math.random() for crown-jewel accounts — for banking and email, use a CSPRNG-based generator (your browser or password manager has one built in).
“The single biggest password mistake I see is reuse, not weakness. People think a 'strong' password protects them, then use it on twenty sites. When one of those sites gets breached — and they will — every account that shares that password falls. Generate a unique password for every account, store it in a password manager, and turn on 2FA. The strength of any individual password matters far less than the habit of never reusing one.”
Frequently asked questions
Is this password generator safe to use?
For most everyday purposes, yes. The generator runs entirely in your browser — your passwords are never sent to a server. It uses Math.random(), which is a fast PRNG but not cryptographically secure. For your most sensitive accounts (banking, email, password manager master password), prefer a generator that uses crypto.getRandomValues(), such as the one built into your browser or password manager.
How long should my password be?
Aim for at least 16 characters with all four character types (upper, lower, digits, symbols) — that's about 105 bits of entropy, well above the 80-bit threshold for strong security. If a site caps password length, use the maximum allowed.
Does length or complexity matter more?
Length, by a wide margin. A 20-character lowercase password (~94 bits) is dramatically stronger than an 8-character password with every character type (~52 bits). Each additional character adds roughly 6.55 bits of entropy — about a doubling of cracking time.
How does the strength meter work?
Simple and conservative: Strong if the password is 16+ characters with both symbols and numbers; Good if it's 12+ characters; Weak otherwise. The rule intentionally rewards length over complexity because length is what actually resists brute force.
Why does the tool offer a 'No ambiguous' option?
It strips O, 0, I, l, 1, and | from the pool — characters that look alike and cause transcription errors when you read a password aloud or type it from a printout. Useful for shared passwords; not necessary for passwords stored in a password manager.
Should I memorize the generated password?
No — store it in a password manager. Memorizable passwords tend to be weak (short, predictable patterns). The exception is your password manager's master password, which should be a long passphrase rather than a random string.
Why shouldn't I reuse a strong password across sites?
Because breaches happen. When a site you use gets breached, the attacker gets the password and tries it on other sites. If you reused it, every account that shares it is compromised. Unique-per-site is more important than individual password strength.
Is Math.random() secure enough?
For most everyday uses — test databases, shared resources, accounts that don't hold your most sensitive data — yes. For crown-jewel accounts (banking, primary email, password manager master), use a generator built on crypto.getRandomValues() (your browser and password manager both have one). The difference matters only if your browser session is compromised, but for high-value targets, the extra paranoia is warranted.
Last reviewed and updated by Muhammad Umair.