System administrators regularly need credentials that will never be used interactively — service account passwords, API keys, one-time credentials for lab environments, secrets for configuration files. For these cases, a dedicated generator is more appropriate than a password manager: you want a random value on demand, with control over length and character set, without storing it anywhere.
This tool generates passwords locally in your browser using window.crypto.getRandomValues() — the same cryptographically secure API used by security libraries. Nothing is transmitted or logged. Output is ready to copy immediately.
No saved passwords yet.
Used only when "Special characters" is enabled and Hexadecimal mode is disabled.
Letters and numbers were removed
How to use
Single password
- Set the password length using the stepper at the top. For most production use, 20–32 characters is a reasonable baseline.
- Check the strength indicator — it updates in real time based on length and character variety.
- Open Character settings to control which character groups to include. Use the minimum count steppers to enforce at least one character of a given type.
- Enable Exclude similar characters if the password will be typed manually rather than pasted.
- Click the copy button next to the output field. The field clears automatically after 30 seconds — disable Auto-clear if you need more time.
- To regenerate without changing settings, click the refresh icon.
Bulk generation
- Switch to the Bulk generation tab.
- Set the count (up to 50 passwords per batch).
- Click Generate. All passwords are created using the same settings configured in the Character settings section.
- Use Copy all to copy every password to the clipboard at once, one per line — ready to paste into a spreadsheet or script.
- Use the copy icon on any individual row to copy a single password.
- Click Export CSV to download the full batch as a file with options metadata.
Password history
- Enable Save generated passwords to history in the Single password tab.
- Every password generated after enabling this option is saved locally in your browser.
- Click History to open the panel — each entry shows the timestamp, generation options, and a copy button.
- Use Export CSV to download the full history, or Clear to remove all saved entries.
History is stored in your browser’s local storage. It is never sent anywhere and disappears if you clear browser data.
Saving settings
Enable Remember these settings at the bottom of the Character settings panel. Length, character groups, minimum counts, and other options are saved to local storage and restored on your next visit. Click Reset to defaults to return to the original configuration.
When to use this tool
- Service account credentials — creating a password for a Windows service account, SQL login, or LDAP bind account that will be stored in a vault or config file, not memorized.
- Lab and staging environments — spinning up temporary infrastructure that needs unique credentials per instance without using your real secrets.
- Shared secrets in scripts — generating a random string to use as a shared secret between two systems (webhook token, HMAC key, session secret).
- Database and application passwords — creating a strong password for a new database user or application config where the value will be pasted directly.
- Hex-format values — generating hex-only strings for systems that expect hash-like identifiers (some APIs, encryption keys, UUID seeds).
- Bulk credential generation — provisioning unique passwords for multiple systems at once, exporting the full batch to CSV for use in deployment scripts or documentation.
Is this tool safe?
- Runs entirely in your browser. No request is made to any server when you generate a password. You can verify this by opening DevTools → Network tab and watching for requests.
- Uses cryptographically secure randomness. The generator uses
window.crypto.getRandomValues(), which is provided by the browser’s cryptographic subsystem — notMath.random(). - No transmission or server-side logging. Generated passwords are never sent anywhere. History and settings are stored only in your browser’s local storage, under your control.
- Open to inspection. The tool is part of a WordPress plugin with client-side JavaScript. You can verify the implementation in the page source.
Best practices
- Length matters more than complexity. A 20-character lowercase-only password has more entropy than a 10-character password with all character types. Prioritize length.
- Use at least 16 characters for service accounts. For credentials stored in vaults and never typed, there is no reason not to use 24–32 characters.
- Never reuse generated passwords. Each system, service, or account should have a unique credential. The generator makes this trivial — especially with bulk generation.
- Store the result immediately. Copy the password directly into your vault, config file, or provisioning script. Do not leave it in a text editor or clipboard longer than necessary.
- For hex mode, increase length. A hex character set (16 characters) is smaller than alphanumeric + symbols. Use 32 hex characters instead of 20 mixed to maintain equivalent entropy.
- Match the character set to the target system. Some systems reject certain special characters. Adjust the custom special characters field before generating to avoid having to regenerate.
- Use minimum counts carefully. Setting a high minimum for a specific character type reduces effective randomness. A minimum of 1 per type is sufficient for compatibility — higher values are rarely justified.
This tool vs a password manager
A password manager generates, stores, fills, and syncs passwords. This tool only generates.
Use a password manager for personal accounts, browser logins, and anything you need to retrieve later. Use this tool when you need a random value right now that you will immediately paste into a vault, a config file, or a provisioning script — and you do not want it stored in a third-party service.
For sysadmin workflows, both have a place. This tool fills the gap when you are already inside a terminal session, a remote desktop, or a web-based admin panel and need a credential without opening an additional application.
Frequently asked questions
The two most important factors are length and unpredictability. A strong password is long enough that brute-force is computationally infeasible, and random enough that it cannot be guessed from dictionaries, keyboard patterns, or personal information. At 20+ characters using a mixed character set, a randomly generated password is effectively immune to offline brute-force attacks with current hardware.
The indicator is based on password length and character pool size, which together determine entropy — the number of possible combinations. Weak means short or limited character variety. Medium means acceptable for low-risk or temporary use. Strong means high entropy suitable for production credentials. The indicator updates immediately as you change length or character settings.
It uses window.crypto.getRandomValues() — the browser’s cryptographic random number generator. It builds a character pool based on your settings, places the required minimums per character group first, fills the remaining positions from the full pool, then shuffles the entire result to avoid predictable positions. The entire process runs locally in your browser tab.
It removes characters that look alike: O and 0, l and 1, I and |. This is useful when a password will be typed manually or read aloud. For passwords that will only ever be copied and pasted, this option has no practical benefit.
Hexadecimal mode restricts the character set to 0–9 and A–F. This is appropriate when the target system expects a hex-format value — for example, some API tokens, encryption keys, or hash-like identifiers. Because the character pool is smaller (16 characters vs 72+ in mixed mode), use longer passwords in hex mode. A 32-character hex string is a reasonable baseline.
Each character group (uppercase, lowercase, numbers, special) has a stepper that sets the guaranteed minimum for that type in every generated password. Setting uppercase to 2 means every password will contain at least 2 uppercase letters. Setting a group to 0 makes it optional — it may or may not appear depending on the random fill. This is useful when a target system requires at least one number or one special character.
Yes, for use cases where you copy the result immediately into a vault or config file. The tool uses cryptographically secure randomness, runs entirely in your browser, and stores nothing on any server. Password history, if enabled, is kept only in your browser’s local storage. The main risk is operational: do not leave a generated password in your clipboard or an unsaved text file. Copy it directly to its destination.
Password security scales exponentially with length. Each additional character multiplies the number of possible combinations by the size of the character pool. At 16+ characters with a mixed set, the number of combinations exceeds what any current hardware can brute-force in a reasonable timeframe. This is why modern security guidance focuses on length first.
Yes. Bulk generation uses the same character settings, length, and constraints as single password mode. Each password in the batch is generated independently using the same cryptographic process. The only difference is that up to 50 passwords are produced in a single operation, and the output can be copied all at once or exported to CSV.
Password history is stored in your browser’s local storage. Clearing browser data, site data, or local storage will remove it permanently. The history is never backed up or synced. If you need a permanent record, use the Export CSV option before clearing browser data.