Why generate passwords in the browser?
Every password on this page is produced by crypto.getRandomValues(), the browser's cryptographically secure random number generator. Nothing you generate is transmitted, logged, or stored; you can verify that by opening your network tab, or by loading the page and pulling your network cable before clicking Generate.
The generator also uses rejection sampling to avoid modulo bias, a subtle flaw in many homemade generators where random % poolSize makes some characters slightly more likely than others. Small bias, but there is no reason to accept any.
Passwords vs. passphrases
For anything a human has to type (a LUKS prompt, an iDRAC console, a BIOS password) a five-word passphrase like falcon-quartz-ember-ridge-42 is usually the better choice. At roughly 70 bits of entropy it is stronger than an 8-character symbol jumble, and you can actually type it correctly on a laggy IPMI console at 3 a.m.
For anything a machine stores: API keys, service account credentials, database passwords in a secrets manager, use the maximum length the system accepts. There is no typing cost, so there is no reason to stay short.
Practical entropy targets
As a rule of thumb: 60–70 bits is fine for throwaway or rate-limited logins, 80–100 bits for standard user accounts, and 128 bits for anything that protects other secrets (password manager master passwords, disk encryption, root credentials). A 24-character password from the full 90-character pool here lands around 155 bits, comfortably beyond brute force for the foreseeable future.
The "exclude ambiguous" option
Enabling it removes 0 O 1 l I from the pool. Use it for credentials that will ever be read aloud, printed on a handover sheet, or typed from a phone screen into a rescue console. The entropy loss is negligible; the support tickets it prevents are not.