Honest answers to the questions people ask most often about passwords, password generators, and staying safe online.
Yes. Every password is generated directly in your web browser using your device's built-in cryptographic tools. Nothing is sent to our servers, nothing is logged, and nothing is stored.
You can verify this yourself: load the page, turn off your internet connection, and the generator will keep working perfectly. That's because all the work happens on your device, not ours.
No. We have no way to see them. The generation happens entirely on your device using the Web Crypto API, which is built into every modern browser. Your password never leaves your browser, so there is nothing for us to see, log, or store.
We also don't ask for your email, an account, or any personal information. There's nothing to link a password to you, even if we wanted to.
You shouldn't — and the good news is you don't have to.
Because everything runs in your browser, you can disconnect from the internet after the page loads and keep using the generator offline. You can also open your browser's developer tools and view the page's source code to see exactly what it does. And we never ask for any existing password, account, or personal detail.
If anything feels off, closing the tab ends the session completely. There's nothing left behind.
At least 16 characters for most accounts, and 20 or more for high-value accounts like email, banking, and password managers.
Length matters more than complexity. A long password made of only lowercase letters is harder to crack than a short password packed with symbols. Every extra character multiplies the number of combinations an attacker has to try.
Random — maximum strength, classic jumbled characters. Best when you'll copy and paste into a password manager.
Pronounceable — made-up syllables like bov-kel-zim. Still very strong, but easy to read, type, and say out loud.
Passphrase — a string of real words like coral-orbit-river-map. Very memorable and strong when long enough.
PIN — numbers only. Useful for phone locks, safes, or anywhere only digits are allowed.
Yes, as long as you use enough syllables. Each syllable is randomly chosen from a large pool of possibilities, so a 5- or 6-syllable pronounceable password is extremely hard to guess — billions upon billions of combinations.
The trick is that they look readable to a human but are effectively random to a computer. Adding capitalization, a number, or a symbol makes them even stronger.
Please don't. It's the single most common way people get hacked.
When a company gets breached and your password leaks, attackers immediately try that same email-and-password combination on every major service — banks, email, social media. If you've reused it, they're in instantly.
Use a unique password for every account. A password manager makes this practical — you only need to remember one strong master password.
A password manager is better, but writing them down is much better than reusing passwords or using weak ones.
If you do write them down, keep the list somewhere safe — not stuck to your monitor, and not in a note on your phone. A physical notebook kept at home is fine for most people. The risk of someone breaking into your house to steal a notebook is much lower than the risk of your password being leaked in an online breach.
Yes. Modern browsers include a cryptographically secure random number generator (crypto.getRandomValues) specifically designed for this. It's the same technology banking websites and password managers use under the hood.
The randomness is just as strong as any dedicated app. The difference is you don't have to install anything or trust an extra piece of software.
Entropy is a measure of how unpredictable your password is. It's measured in bits, and roughly speaking, each bit doubles the number of guesses an attacker would need.
A password with 40 bits of entropy can be cracked in hours. 60 bits takes weeks or months. 80 bits takes centuries. 100+ bits is effectively uncrackable with current technology. For a deeper dive, see our entropy explainer.
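The two answers above (browser randomness via crypto.getRandomValues, and entropy measured in bits) can be seen together in a short sketch. This is an added example, not PasswordBuddy's own code; the names randomIndex, pick, entropyBits and demo are hypothetical, and the character pools are constructed for illustration.

```javascript
// Added example: uniform random selection with the Web Crypto API, plus entropy math.
// Browsers expose `crypto` globally; the fallback covers older Node.js builds.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const LOWER = "abcdefghijklmnopqrstuvwxyz";
// The 94 printable ASCII characters from "!" (33) to "~" (126).
const PRINTABLE = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join("");

// Uniform integer in [0, n). Values in the uneven tail of the 32-bit range are
// rejected, because `value % n` on its own would favour the low indexes.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError("bad pool size");
  const limit = 2 ** 32 - (2 ** 32 % n);
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Pick `count` items independently from `pool` (characters, syllables or words).
function pick(pool, count) {
  return Array.from({ length: count }, () => pool[randomIndex(pool.length)]);
}

// Entropy in bits of `count` independent uniform picks from `poolSize` options.
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}

// Compare a long lowercase-only password with a short symbol-heavy one.
function demo() {
  return {
    longLower: { value: pick(LOWER, 20).join(""), bits: entropyBits(26, 20) },
    shortSymbols: { value: pick(PRINTABLE, 8).join(""), bits: entropyBits(94, 8) },
    pin: { value: pick("0123456789", 6).join(""), bits: entropyBits(10, 6) },
  };
}

console.log(demo());
```

The entropy figures only hold when every pick is uniform and independent, which is why the rejection loop matters; they say nothing about passwords a person chose by hand.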
Change it immediately on the affected account — and on any other account where you reused it.
You can check whether your email address has appeared in known breaches at haveibeenpwned.com, a free and well-respected service. If you find matches, change those passwords and enable two-factor authentication wherever possible.
They help, but they're not as important as length. A long password without symbols is stronger than a short password with them.
Some websites require symbols, in which case go ahead and include them. Some older systems have strange restrictions on which symbols are allowed — if yours does, try the "Exclude Ambiguous" toggle on the generator, which also avoids symbols that tend to cause trouble.
No catch. The site is free to use, we don't sell your data (we have no data to sell), and we don't require an account.
In the future we may show a small, unobtrusive ad on the page to help cover hosting costs — but the tool itself will always be free.
Absolutely. In fact, those are the accounts that benefit most from a strong, unique password. The generator uses the same class of cryptography that banks and serious security tools rely on.
Just make sure you save the password somewhere reliable — a password manager is ideal — before you close the tab, since we never store anything on our side.