← All tools
Free tool · runs in your browser

Password generator

Strong passwords drawn from the platform CSPRNG, generated locally. Nothing is transmitted, logged, or stored.

What makes a password strong?

Entropy — the number of equally-likely possibilities. A longer password drawn from a larger character set has more entropy and is exponentially harder to brute-force. This tool shows an entropy estimate so you can compare choices.

Tips

  • Use a unique password per site — a password manager makes this painless.
  • Prefer length over complexity rules; 16+ characters beats short-but-symbol-heavy.
  • Never reuse a password across accounts.
  • For machine secrets, generate 32+ character tokens instead of human passwords.

Generate secrets via API

Building signup flows, rotating API keys, or seeding service accounts? Generate secure tokens server-side with the Oxide Hash & Encryption Toolkit /v1/token endpoint, then store only a bcrypt/Argon2 hash with /v1/hash.

curl -X POST https://hash-toolkit1.p.rapidapi.com/v1/token \
  -H "Content-Type: application/json" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: hash-toolkit1.p.rapidapi.com" \
  -d '{"type":"hex","length":32}'

FAQ

Are these passwords safe to use?

Yes. Each character is drawn from the browser's cryptographically-secure random generator (window.crypto.getRandomValues), not Math.random. The password is generated locally and never transmitted or stored anywhere.

Is the generated password sent to a server?

No. Generation happens entirely in your browser. Nothing is uploaded, logged, or saved. Close the tab and it is gone.

How long should my password be?

For human-memorable accounts, 16+ characters with mixed character sets is a strong baseline. For machine secrets (API keys, service accounts), use 32+ characters or a generated token. Length matters more than complexity rules.

What makes a password strong?

Entropy — the number of equally-likely possibilities. A longer password drawn from a larger character set has more entropy and is exponentially harder to brute-force. This tool shows an entropy estimate so you can compare choices.

Can I generate secrets from an API?

Yes. The Oxide Hash & Encryption Toolkit /v1/token endpoint returns cryptographically-secure tokens (hex, base64, UUID) at the edge — ideal for generating API keys and service-account secrets in your backend.