What is the Have I Been Pwned check?

The breach check uses the k-anonymity model from the HaveIBeenPwned API. Your password is hashed with SHA-1 and only the first 5 characters of the hash are sent to the API. The API returns all matching hashes — your client checks whether your full hash appears. Your actual password is never transmitted.

All tools

🔐

Password Generator

Cryptographically secure passwords, passphrases and API keys. Nothing ever leaves your browser.

100% in-browserNo signupFree foreverCrypto-secure RNG

Mode

Length

864

Characters

Presets

Policy

No repeating characters

Min numbers:

Min symbols:

Bulk count:/ 20

Generated password

Press Generate

Strength:Very Weak

0 bits entropy

Crack time at 1B/s: instant

Breach check

Check against Have I Been Pwned using k-anonymity — your password is never transmitted.

Hash viewer

View SHA-256 and SHA-512 hashes of the generated password.

Secret key generator

JWT signing secrets, API keys, OAuth secrets, and AES-256 encryption keys.

JWT · API Key · OAuth · AES-256 · HMAC-SHA256 · Base64url

What Is a Password Generator?

A password generator creates random, high-entropy strings or word sequences that are hard for attackers to guess or brute-force. Unlike a password you invent yourself, a generated password has no predictable patterns — no birthdays, no keyboard walks, no dictionary words — which means it resists every common attack method from dictionary attacks to credential stuffing.

This generator uses the Web Crypto API's getRandomValues() — the same cryptographically secure source used by browsers for TLS — so every character is drawn from a true random pool, not a weak pseudo-random function.

How it works

Generate a Secure Password in Seconds

Choose mode

Pick Random (character-based), Passphrase (word-based), or Pattern for custom formats.

Configure options

Set length, character sets, word count, separators, or define your own pattern.

Generate & check strength

See entropy in bits and an estimated crack time at 1B guesses/second instantly.

Copy or export

Copy to clipboard (auto-clears in 30s) or export a bulk list as JSON, CSV, or TXT.

Use cases

When Developers Use a Password Generator

🔐

Account Passwords

Generate strong unique passwords for every service — store them in your password manager.

🔑

API Keys & Tokens

Create cryptographically random API keys and bearer tokens for your applications.

🌱

Seed Phrases & Secrets

Generate passphrase-style seed values for internal tooling or mnemonic backups.

🗄️

Database Passwords

Set high-entropy passwords for Postgres, MySQL, and Redis instances in production.

📶

Wi-Fi & Router Passwords

Replace default router credentials with strong random passwords.

🧪

Test Data

Bulk-generate realistic password fixtures for load testing or security audits.

FAQ

Frequently Asked Questions

1How long should a password be?

At minimum 12 characters for general accounts; 16+ for sensitive accounts like email, banking, and admin panels. Each extra character exponentially increases brute-force difficulty. The entropy meter shows exact crack-time estimates at 1 billion guesses per second.

2What makes a password strong?

High entropy: long length, a large character set (uppercase, lowercase, numbers, symbols), and no predictable patterns. Avoid dictionary words, names, dates, and keyboard walks. Aim for 80+ bits of entropy for sensitive accounts.

3Passphrase vs password — which is better?

Both can be equally strong. A 4-word passphrase has ~44 bits per word from a large wordlist, making it very strong and far easier to remember than a random 16-character string. Use passphrases for master passwords you must memorise; use random passwords for everything stored in a password manager.

4Is it safe to use an online password generator?

Yes, when it runs entirely in your browser. This tool uses window.crypto.getRandomValues() — the cryptographically secure RNG built into every modern browser. No password is sent to any server.

5Can I generate API keys or JWT secrets here?

Yes. The secret key generator section produces hex, base64url, and other encodings suitable for JWT signing, API keys, OAuth secrets, and AES keys. All keys are generated client-side.

6What is the Have I Been Pwned breach check?

It uses the k-anonymity model from the HaveIBeenPwned API. Only the first 5 characters of your password's SHA-1 hash are sent to the API. Your actual password is never transmitted.

7What makes a password strong?

High entropy: long length, using uppercase, lowercase, numbers, and symbols, with no predictable patterns or dictionary words. Aim for at least 16 characters for sensitive accounts.

8What is password entropy?

Password entropy measures unpredictability in bits. A 16-character password using 95 printable ASCII characters has about 105 bits of entropy — extremely resistant to brute force.

9How do I generate a cryptographically secure password?

This tool uses window.crypto.getRandomValues(), the Web Crypto API built into every modern browser. All passwords are cryptographically secure by default — the same source as TLS key generation.

10What is a passphrase?

A passphrase uses multiple random words instead of random characters — like "correct-horse-battery-staple". Passphrases are high entropy and memorable. A 4-word Diceware passphrase has about 51 bits of entropy.

11What is the NIST password guideline?

NIST SP 800-63B recommends long passwords (at least 8 characters), checking against breached password lists, allowing all printable characters, and not requiring periodic rotation unless breach is suspected.

12How many characters should a password be?

Minimum 12 characters for general accounts; 16+ for sensitive accounts. For master passwords, use a 6+ word passphrase. Each additional character exponentially increases brute-force difficulty.

13How do I generate passwords in bulk?

Use the Bulk Generate option to create up to 20 passwords at once. Export as JSON, CSV, or TXT for import into password managers, test fixtures, or provisioning scripts.

14Is my generated password stored?

No. Generated passwords exist only in your browser memory and are never stored, logged, or sent anywhere. The clipboard is auto-cleared after 30 seconds when you copy a password.

Feedback for password_generator

Tell us what's working, what's broken, or what you wish we built next — it directly shapes our roadmap.

You make the difference

Good feedback is gold — a rough edge you hit today could be smoother for everyone tomorrow.

Feature ideas often jump the queue when lots of you ask.
Bug reports with steps get fixed faster — paste URLs or examples if you can.
Name and email are optional; we won't use them for anything except replying if needed.

Stay Updated

Get the latest tool updates, new features, and developer tips delivered to your inbox.

What you'll get

Product updates & new tools
JSON, API & developer tips
Unsubscribe anytime — no hassle

Get in touch

Feature ideas, bugs, or a quick thanks — we read every message.

support@unblockdevs.com