ops@toolbox:~$ passwordgenerator --run

Password Generator

Cryptographically secure passwords and passphrases, generated locally in your browser.

Why generate passwords in the browser?

Every password on this page is produced by crypto.getRandomValues(), the browser's cryptographically secure random number generator. Nothing you generate is transmitted, logged, or stored; you can verify that by opening your network tab, or by loading the page and pulling your network cable before clicking Generate.

The generator also uses rejection sampling to avoid modulo bias, a subtle flaw in many homemade generators where random % poolSize makes some characters slightly more likely than others. Small bias, but there is no reason to accept any.

Passwords vs. passphrases

For anything a human has to type (a LUKS prompt, an iDRAC console, a BIOS password) a five-word passphrase like falcon-quartz-ember-ridge-42 is usually the better choice. At roughly 70 bits of entropy it is stronger than an 8-character symbol jumble, and you can actually type it correctly on a laggy IPMI console at 3 a.m.

For anything a machine stores: API keys, service account credentials, database passwords in a secrets manager, use the maximum length the system accepts. There is no typing cost, so there is no reason to stay short.

Practical entropy targets

As a rule of thumb: 60–70 bits is fine for throwaway or rate-limited logins, 80–100 bits for standard user accounts, and 128 bits for anything that protects other secrets (password manager master passwords, disk encryption, root credentials). A 24-character password from the full 90-character pool here lands around 155 bits, comfortably beyond brute force for the foreseeable future.

The "exclude ambiguous" option

Enabling it removes 0 O 1 l I from the pool. Use it for credentials that will ever be read aloud, printed on a handover sheet, or typed from a phone screen into a rescue console. The entropy loss is negligible; the support tickets it prevents are not.

Related tools

Hash Generator
MD5, SHA-1, SHA-256, SHA-384 and SHA-512 checksums of any text, computed locally.
JWT Decoder
Decode JSON Web Tokens locally: header, payload, expiry check and human-readable claims.
htpasswd Generator
Generate bcrypt htpasswd entries for Apache and nginx basic auth, locally.
TOTP Code Generator
Generate 2FA codes from a Base32 secret, with live countdown, fully client-side.