The Toolbox
Back to Blog
Security Guides5 min readFebruary 6, 2026The Toolbox Team

How to Generate a Strong Password

Learn how to generate a strong password in your browser with a free password generator: length, character sets, passphrases, and entropy explained.

Generate a strong password in your browser

A strong password is long, random, and unique to one account. The problem is that humans are bad at "random" — we reuse favorites, swap an "a" for "@", and lean on names and dates that attackers test first. The fix is to let a tool do the randomness for you, then store the result in a password manager instead of your memory.

This guide walks through making a genuinely strong password (or a whole batch of them) with the free Password Generator. It runs entirely in your browser using crypto.getRandomValues(), the same cryptographically secure source browsers use for real key material. Nothing is uploaded, there's no sign-up, and the passwords never leave your device. Use it when you're creating a new account, rotating a leaked password, setting a Wi-Fi key, or generating an API token.

How to generate a strong password

  1. Open the Password Generator. You'll land on the Generator tab with a configuration panel on the left and the output on the right.

  2. Pick a Generation Mode. Random gives the highest entropy and is the right default for most accounts. Passphrase strings together several words (like silver-canyon-ember-42) when you need something you can actually type or read aloud. Pronounceable builds syllables for a middle ground, and PIN produces numeric codes for devices that only accept digits.

  3. Set the Password Length. Drag the slider or type a number (4 to 128). For a typical account, 16 is a solid floor; for high-value logins like email or banking, push to 20 or more. Length matters more than any single trick — every extra character multiplies the number of guesses an attacker needs.

  4. Choose your Character Sets. Enable Lowercase, Uppercase, Numbers, and Symbols. More character types means a larger pool and higher entropy. If a site rejects symbols, turn them off rather than fighting its rules — just add a few characters of length to compensate.

  5. (Optional) Open Exclusion Filters. Tick "Exclude ambiguous chars" if you'll be typing the password by hand and want to avoid mix-ups like l vs 1 or O vs 0. Skip this for passwords you'll only ever paste — every excluded character slightly shrinks the pool.

  6. Watch the Charset size and entropy readout below the options. The bits-of-entropy figure is the honest measure of strength. Aim for 80 bits or more on anything important. The live number updates as you change length and character sets, so you can dial in exactly what you want before generating.

  7. (Optional) For multiple passwords at once, set Bulk Generation to the number you need (up to 50) — handy when you're setting up several accounts or seeding test data.

  8. Click Generate Password. Your result appears on the right with a Strength bar (Weak / Fair / Good / Strong) and the entropy in bits. Click again to roll a new one until you're happy.

  9. Copy it with the copy icon next to the password (or Copy All for a batch), then paste it straight into the new-account form and into your password manager. For a batch you want to keep, use Export to download a TXT or CSV file.

That's it — a random, high-entropy password that no one, including you, needs to memorize.

Tips

  • Don't reuse. A strong password protects one account. If you recycle it, a single breach exposes everything. Generate a fresh one per site.
  • Let the manager remember it. The whole point of random characters is that you don't type them from memory. Save it in a password manager and you only memorize one master password.
  • Try the Memorable preset. On the Presets tab, "Memorable" loads a word-based passphrase — strong and easier to retype on a TV remote or game console keyboard where pasting is painful. Other presets cover Wi-Fi, banking, and API keys.
  • Mind the no-repeat limit. "No repeating characters" caps the length at your charset size, so a short pool plus a long length will quietly truncate. Leave it off unless a specific policy demands it.
  • Tokens and keys. For machine-readable secrets you don't need to type, a long random string is fine. The Random String Generator and UUID Generator are purpose-built for IDs and tokens.

FAQ

Are the generated passwords actually random and safe? Yes. Generation uses your browser's crypto.getRandomValues(), a cryptographically secure random number generator — not the predictable Math.random(). Everything happens locally in the page, so the passwords are never sent anywhere or stored on a server.

How long should my password be? Longer is stronger. Treat 16 characters as a minimum for normal accounts and 20 or more for email, banking, and anything tied to your identity. Instead of guessing, watch the entropy readout and aim for 80+ bits. A long passphrase of four or five random words can clear that bar while staying typeable.

Is a passphrase as strong as a random string? It can be, if it has enough words. The generator pulls words at random from a large pool, so a four-word passphrase reaches into the comfortable range and a five- or six-word one is very strong. The trade-off is length: passphrases are longer character-for-character but far easier to type. For pasted secrets, random mode is more compact.

How do I know if a password I already use is weak? Paste it into the Password Strength checker to see its estimated entropy and crack time. If you're hashing passwords for an app you're building, the Bcrypt Generator creates salted hashes to store instead of plaintext.

Want the bigger picture on staying safe? Read the password security guide, then pair the generator with the Password Strength checker to verify your results.

passwordssecurityprivacygeneratorhow-to

Related Tools

password generatorpassword strengthrandom string generatorbcrypt generator