Alertoscan

Password Generator

Generate cryptographically secure passwords, passphrases and PINs, entirely in your browser.

Password Generator

The Password Generator produces three kinds of secrets, each tuned for a different use case.

Three modes

ModeBest forTypical strength
PasswordAny login, password manager entry80+ bits with 16 chars + all classes
PassphraseMaster password you must memorise~44 bits per 4 words, easier to type
PINNumeric codes (banking, alarm, SIM)13 bits per 4 digits, short by design

Pick Password unless you have a specific reason to use something else.

What the strength meter shows

Two numbers matter:

  • Entropy bits: how unpredictable the secret is, given its character set and length. More bits = harder to guess.
  • Crack time: a conservative estimate of how long offline brute-force would take against a modern GPU rig.

Anything under 60 bits is weak against a determined attacker. 80+ bits is the working floor for accounts you actually care about.

Settings

For passwords:

  • Length: the single biggest lever. A 20-character password is exponentially stronger than a 10-character one with the same character classes.
  • Character classes: uppercase, lowercase, numbers, symbols. Each class enabled roughly doubles the search space.
  • Exclude similar characters: strip 0, O, 1, l, I. Useful for passwords you need to read aloud or type by hand.

For passphrases:

  • Word count: 4 words is the conventional floor; 5 is comfortable.
  • Separator: dashes, dots, spaces, or none.
  • Capitalisation / numbers: add a small entropy bump without hurting memorability.

Where the randomness comes from

The tool uses crypto.getRandomValues(), the browser's cryptographically secure random number generator backed by the operating system entropy pool. The same primitive is used by HTTPS, by end-to-end encrypted messengers, and by every reputable password manager.

Math.random() is not used anywhere in the generator.

Where the secrets go

Everything runs client-side. No password leaves your browser. There is no server endpoint that receives generated secrets, and there is no analytics event tied to the generated value.

The History list keeps the last five generated items in localStorage for convenience. That storage is:

  • Per-browser, per-device, never synced
  • Auto-purged when you close the tab
  • Manually clearable from the History panel

If you generate a password in a shared browser, clear the history before walking away.

Related

  • Check whether your current password has appeared in a breach via BreachRadar
  • A strong password matters most when you also use unique passwords per site. See the BreachRadar doc for the broader hygiene playbook

TechStack Checker

Community Reports