Workplace password generator
Pick a policy preset or tune the controls. Every password is generated locally with cryptographically secure randomness and scored by entropy — no sign-up, nothing transmitted.
Need several at once?
Create five passwords with the current settings — copy them individually or all together.
Runs entirely in your browser — nothing is transmitted or stored.
How strength is measured
We estimate strength using entropy, measured in bits: a password with n bits of entropy is one of 2ⁿ equally likely possibilities an attacker would have to search. For a randomly generated password it is:
entropy (bits) = length × log₂(pool size)
The pool size is the total number of distinct characters available from the classes you enabled (minus look-alikes if excluded). More length and a larger pool both raise entropy. We then label the result:
- Weak — under 40 bits
- Fair — 40 to 59 bits
- Strong — 60 to 79 bits
- Very strong — 80 bits or more
Strength is always shown as a word and a colour (plus a bar and the exact bit count), never colour alone, so it stays readable for everyone.
Policy guidance
Per NIST SP 800-63B, favour length over forced complexity. A 16-character random password or a long passphrase beats a short one padded with mandatory symbols and reset every 30 days.
How randomness works here
Passwords are built with crypto.getRandomValues() and rejection sampling to remove modulo bias — never Math.random(). If you deselect every character type, the generator shows a clear message instead of producing anything insecure.
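The sketch below is an added example, not this tool's source code. It shows rejection sampling over crypto.getRandomValues() together with the entropy formula and strength labels described above. The function names, the symbol set and the look-alike set are assumptions.

```javascript
// Added example; identifiers and character sets are assumptions, not the tool's source.
// Browsers and recent Node expose crypto globally; older Node needs the fallback.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: '!@#$%^&*()-_=+[]{}',
};
const LOOK_ALIKES = new Set('Il1O0'); // assumed look-alike set

// Pool = distinct characters from the enabled classes, minus look-alikes if excluded.
function buildPool(enabled, excludeLookAlikes = false) {
  const chars = enabled.flatMap((name) => [...(CLASSES[name] ?? '')]);
  const pool = [...new Set(chars)].filter((c) => !(excludeLookAlikes && LOOK_ALIKES.has(c)));
  if (pool.length === 0) throw new Error('Select at least one character type.');
  return pool;
}

// Uniform integer in [0, n). A 32-bit draw has 2^32 outcomes; unless n divides 2^32,
// `x % n` favours the low residues. Discard draws at or above the largest multiple of n.
function randomIndex(n, fill = (buf) => webCrypto.getRandomValues(buf)) {
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do { fill(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// entropy (bits) = length × log2(pool size)
const entropyBits = (length, poolSize) => length * Math.log2(poolSize);

function strengthLabel(bits) {
  if (bits < 40) return 'Weak';
  if (bits < 60) return 'Fair';
  if (bits < 80) return 'Strong';
  return 'Very strong';
}

function generate(length, enabled, excludeLookAlikes = false) {
  const pool = buildPool(enabled, excludeLookAlikes);
  let password = '';
  for (let i = 0; i < length; i++) password += pool[randomIndex(pool.length)];
  const bits = entropyBits(length, pool.length);
  return { password, bits, label: strengthLabel(bits) };
}
```

The optional second argument of randomIndex exists only so the rejection step can be exercised with a fixed sequence of draws; real use leaves it at the default.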