Kalcify
Dev Tools

Password Generator

Generate strong, random passwords using cryptographically secure randomness. Customize length, character types, and generate multiple passwords at once.

Powered by Web Crypto API - all generation happens in your browser

Generate Password

16
8128

Character Types

1

Password Strength

Very Strong

~103 bits of entropy

How to Use This Password Generator

1

Set Your Preferences

Choose your desired password length (8-128 characters) and select which character types to include: uppercase, lowercase, numbers, and symbols.

2

Generate Passwords

Click the Generate button to create one or more secure passwords. Each password is generated using cryptographically secure randomness.

3

Copy and Use

Click the copy button next to any password to copy it to your clipboard. Store it in a password manager for safekeeping.

How Password Entropy Works

Entropy = Length x log2(CharsetSize)

Password strength is measured in bits of entropy. Higher entropy means more possible combinations and a harder-to-crack password.

Lowercase only (26 chars): 16 chars = 75 bitsLower + Upper (52 chars): 16 chars = 91 bits+ Numbers (62 chars): 16 chars = 95 bits+ Symbols (88 chars): 16 chars = 103 bits

Recommended entropy levels:

  1. 36+ bits - Minimum acceptable (short, simple passwords)
  2. 60+ bits - Fair protection for most online accounts
  3. 80+ bits - Strong protection, suitable for sensitive accounts
  4. 100+ bits - Very strong, recommended for encryption keys and critical systems

This generator uses crypto.getRandomValues() from the Web Crypto API, which provides cryptographically secure pseudo-random numbers. Unlike Math.random(), these values are suitable for security applications and cannot be predicted.

Frequently Asked Questions

How does this password generator create secure passwords?

This generator uses the Web Crypto API (crypto.getRandomValues()) which provides cryptographically secure pseudo-random numbers. Unlike Math.random(), this API is suitable for security-sensitive applications and produces unpredictable output that cannot be reverse-engineered.

How long should my password be?

Security experts recommend a minimum of 12 characters, but 16 or more characters provide significantly better protection. Each additional character exponentially increases the number of possible combinations, making brute-force attacks impractical. For high-security accounts, use 20+ characters.

Should I include all character types in my password?

Yes, using a mix of uppercase letters, lowercase letters, numbers, and symbols maximizes the character set size and therefore the entropy (randomness) of your password. A 16-character password using all four character types has approximately 105 bits of entropy, compared to only 75 bits with lowercase letters alone.

What are ambiguous characters and why exclude them?

Ambiguous characters are those that look similar in many fonts, such as O (letter) and 0 (zero), I (uppercase i) and l (lowercase L) and 1 (one), or | (pipe). Excluding them is useful when you need to read or type a password manually, such as entering a Wi-Fi password. For passwords stored in a password manager, you can safely include them.

How often should I change my passwords?

Current NIST guidelines (SP 800-63B) recommend against mandatory periodic password changes. Instead, change passwords only when there is evidence of compromise. The most important factors are using a unique, strong password for each account and enabling two-factor authentication (2FA) wherever possible.

Security Notice

Passwords are generated entirely in your browser using the Web Crypto API and are never transmitted or stored on any server. For maximum security, use a unique password for every account and store them in a reputable password manager. Enable two-factor authentication (2FA) wherever possible for an additional layer of protection.