How random are the passwords?

Every character is drawn with the browser Web Crypto API (crypto.getRandomValues), the same cryptographically secure random source used for keys and tokens. The tool uses rejection sampling so there is no modulo bias toward any character, and a Fisher-Yates shuffle when guaranteeing one character from each set.

What does the entropy figure mean?

Entropy in bits measures how many equally likely passwords your settings could produce — each extra bit doubles the search space. As a rule of thumb, under 28 bits is very weak, 50 to 72 bits is reasonable, and 100-plus bits is very strong against offline attacks. The meter recalculates instantly as you change length or character sets.

What is pronounceable mode for?

Pronounceable mode alternates consonants and vowels so the result reads like a made-up word you can say aloud and type from memory, then optionally sprinkles in a digit and symbol. It trades a little entropy for memorability, which is useful for passwords you must type often without a manager.

Are passphrases actually secure?

Yes. Four or five random words from a sizeable list reach 50 to 70 bits of entropy, which is stronger than most short symbol-heavy passwords while being far easier to remember. This tool builds passphrases from a curated 300-word list and can add a separator, capitalisation and a trailing number.

Should I exclude ambiguous characters?

Exclude them when a password will be read off a screen, dictated, or typed from a printout — it removes characters like uppercase I, lowercase l, the digit 1, uppercase O and zero that are easy to mix up. For passwords only ever pasted from a manager, leave them in to keep the character pool larger.

Is anything sent to a server or stored online?

No. The generator is 100 percent client-side: passwords are created in your browser and never transmitted. The optional session list and your settings are kept only in this browser local storage, which you can clear at any time with the Clear button.

Advanced Password Generator

The Advanced Password Generator creates strong, cryptographically random passwords entirely in your browser, with a live entropy and strength meter so you can see exactly how hard each result would be to crack. It is built for anyone who needs better passwords than a memorised favourite: developers seeding API credentials, admins rotating service accounts, or anyone tightening up the logins they reuse far too often. Three modes cover different needs — fully random strings for maximum strength, pronounceable strings you can read aloud and type from memory, and word-based passphrases that are both memorable and hard to guess.

How it works

Every character is drawn from the browser Web Crypto API using crypto.getRandomValues, the same secure random source browsers use for cryptographic keys. To avoid bias, the tool uses rejection sampling rather than a naive modulo, so each allowed character is equally likely. In random mode you choose any combination of uppercase, lowercase, digits and symbols, set the length with a slider, and optionally guarantee at least one character from each selected set — the result is then shuffled with a Fisher-Yates pass so the guaranteed characters are not stuck at the front. Turning on Exclude ambiguous removes look-alike characters such as I, l, 1, O and 0, which is handy when a secret has to be read off a screen or dictated.

The strength meter converts your settings into an entropy figure in bits — the base-2 logarithm of how many distinct passwords your configuration can produce — and maps that onto a coloured bar, a plain-English label, and a rough offline crack-time estimate based on a fast GPU making about ten billion guesses per second. Passphrase mode assembles words from a curated 300-word list with your choice of separator, capitalisation and a trailing number, while pronounceable mode alternates consonants and vowels for readability. Nothing you generate ever leaves the page.

Example

Suppose you need a strong API secret. Pick Random mode, set the length to 20, and enable all four character sets. The pool is 94 characters, so each character carries about 6.5 bits and the full password reaches roughly 131 bits of entropy — the meter shows Very strong and an offline crack-time of effectively forever. Now switch to Passphrase mode with 4 words, a hyphen separator and a trailing number: you might get harbor-glide-cedar-fawn-42, around 56 bits — still strong, and something you can actually remember. Pronounceable mode with the same length produces something like tibanoreku7 that you can read aloud without spelling out every character.

Every figure updates the instant you change a setting, and the optional session list lets you collect several candidates and export them as a plain-text file — all without a single network request.

Privacy

This tool is fully client-side. Passwords are generated locally with secure randomness, and the only data kept is your last-used settings and any saved session list, stored in this browser local storage and clearable on demand. No password, setting or export ever touches a server.