Secure Password Generator
Usage Guide
Password Generator creates strong, cryptographically random passwords directly in your browser using the Web Crypto API, the same standard that powers modern encryption libraries. Unlike server-based password generators, where the server knows every password it creates, this tool generates passwords exclusively on your device and transmits nothing. Every generated password is unpredictable: it uses window.crypto.getRandomValues, a cryptographically secure generator seeded from the operating system's entropy pool (e.g. hardware random number generators on modern CPUs) rather than from a predictable seed.
You can customise every aspect of the generated password: length (8–128 characters) and the inclusion of uppercase letters, lowercase letters, digits, and symbols. You can also define a custom symbol set if your target service has specific special character requirements. The tool generates a new password every time you move the slider or change a toggle, so you can browse many options before settling on one. A visual strength indicator scores each password in bits of entropy, giving you a concrete measure of how resistant it is to brute-force attack.
The tool also supports one-click re-generation and bulk generation of multiple passwords at once, which is useful when creating credentials for a fleet of test accounts or configuration files.
- Set the password length — Drag the length slider or type a number between 8 and 128 to set how many characters the password should contain. Security experts recommend at least 16 characters for account passwords and 32+ for API keys.
- Select character types — Toggle each character group on or off: uppercase letters (A–Z), lowercase letters (a–z), digits (0–9), and symbols (!@#$%^&* etc.). At least two groups must be selected. The entropy score updates instantly as you change the selection.
- Customise the symbol set (optional) — If your target system allows only specific special characters, type them into the "Custom symbols" field. The generator will use only those symbols instead of the default set.
- Read the generated password — A new strong password appears automatically whenever you change any setting. The entropy indicator shows bits of entropy — 60+ bits is considered strong; 80+ is very strong; 128+ is practically unbreakable.
- Regenerate if needed — Click the refresh / regenerate button to produce a new password with the same settings. All passwords are equally strong — regenerate as many times as you like to find one that feels memorable.
- Copy to clipboard — Click "Copy" to copy the password to your clipboard. Paste it directly into your password manager or the registration form. The copy action is confirmed by a brief "Copied!" label.
Frequently Asked Questions
How secure is the generated password?
Passwords are generated using window.crypto.getRandomValues(), the browser's cryptographically secure pseudo-random number generator (CSPRNG). This is the same API used by security-critical applications; it is seeded from operating system entropy and its output cannot be predicted in practice, unlike that of Math.random().
Are generated passwords sent to any server?
No. Password generation runs entirely in your browser. The generated password is never transmitted anywhere — it exists only in your browser's memory until you copy it.
What does "Exclude Ambiguous Characters" mean?
Ambiguous characters are visually similar pairs that are easy to confuse: 0 and O (zero and capital letter O), 1 and l and I (one, lowercase L, and capital i), and 8 and B. Enabling this option removes them from the character pool, making passwords easier to read and type manually.
How is password strength calculated?
Strength is estimated from the character pool size (determined by which character types are enabled) and the password length: each character contributes log2(pool size) bits, and multiplying that by the password length gives the total entropy in bits. Weak: < 40 bits, Fair: 40–59 bits, Strong: 60–79 bits, Very Strong: ≥ 80 bits.
Can I use this password generator offline?
2Kit is a Progressive Web App (PWA). After your first visit it is cached and works fully offline — including the password generator.
Technical Implementation
All processing runs entirely in your browser — no data is ever sent to any server. This tool works fully offline as a Progressive Web App (PWA): after the first visit, all pages and assets are cached by a Service Worker and remain available without an internet connection. Your input data never leaves your device, making it safe for sensitive content including API keys, passwords, private configuration, and confidential documents.
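The generation and scoring steps described in the FAQ can be sketched as follows. This is an added example, not the tool's own source code: the function names, the default symbol string and the rejection-sampling step (which keeps every character equally likely) are assumptions made for illustration.

```javascript
// Added example, not the tool's source; all names are hypothetical.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for older Node

const GROUPS = {
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  lower: "abcdefghijklmnopqrstuvwxyz",
  digits: "0123456789",
  symbols: "!@#$%^&*", // constructed default set
};
const AMBIGUOUS = new Set("0O1lI8B"); // characters named in the FAQ

function buildPool({ groups, customSymbols, excludeAmbiguous = false }) {
  if (groups.length < 2) throw new RangeError("select at least two groups");
  const chars = groups.map((g) => (g === "symbols" && customSymbols) || GROUPS[g]).join("");
  const unique = [...new Set(chars)]; // duplicates would skew the distribution
  return excludeAmbiguous ? unique.filter((c) => !AMBIGUOUS.has(c)) : unique;
}

// Uniform index in [0, n) by rejection sampling: a plain `value % n` would
// favour low indices whenever n does not divide 2^32.
function randomIndex(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, pool) {
  if (!Number.isInteger(length) || length < 8 || length > 128) throw new RangeError("length must be 8-128");
  return Array.from({ length }, () => pool[randomIndex(pool.length)]).join("");
}

// Entropy in bits: each character contributes log2(pool size) bits.
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}

// Thresholds as stated in the FAQ.
function strengthLabel(bits) {
  if (bits < 40) return "Weak";
  if (bits < 60) return "Fair";
  if (bits < 80) return "Strong";
  return "Very Strong";
}
```

The entropy figure describes the generation process (pool size and length), not any individual password, so it only holds when every character is drawn uniformly as above.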