System administrators regularly need credentials that will never be used interactively — service account passwords, API keys, one-time credentials for lab environments, secrets for configuration files. For these cases, a dedicated generator is more appropriate than a password manager: you want a random value on demand, with control over length and character set, without storing it anywhere.
This tool generates passwords locally in your browser using window.crypto.getRandomValues() — the same cryptographically secure API used by security libraries. Nothing is transmitted or logged. Output is ready to copy immediately.
Used only when "Special characters" is enabled and Hexadecimal mode is disabled.
Letters and numbers were removed
How to use
- Set the password length. For most production use, 20–32 characters is a reasonable baseline.
- Select which character groups to include. If the target system has restrictions (no special characters, hex only), adjust accordingly.
- Use Advanced options to enforce minimum counts per character group — useful when a system requires at least one number or one symbol.
- Enable Exclude similar characters if the password will be typed manually rather than pasted.
- Click the copy button. The password is not saved anywhere — generate a new one if you navigate away.
When to use this tool
- Service account credentials — creating a password for a Windows service account, SQL login, or LDAP bind account that will be stored in a vault or config file, not memorized.
- Lab and staging environments — spinning up temporary infrastructure that needs unique credentials per instance without using your real secrets.
- Shared secrets in scripts — generating a random string to use as a shared secret between two systems (webhook token, HMAC key, session secret).
- Database and application passwords — creating a strong password for a new database user or application config where the value will be pasted directly.
- Hex-format values — generating hex-only strings for systems that expect hash-like identifiers (some APIs, encryption keys, UUID seeds).
- Bulk credential generation — creating unique passwords for multiple systems in sequence, generating and copying each without storing anything in the tool.
Is this tool safe?
- Runs entirely in your browser. No request is made to any server when you generate a password. You can verify this by opening DevTools → Network tab and watching for requests.
- Uses cryptographically secure randomness. The generator uses
window.crypto.getRandomValues(), which is provided by the browser’s cryptographic subsystem — notMath.random(). - No storage or logging. Generated passwords are not saved, cached, or sent anywhere. When you close or navigate away, they are gone.
- Open to inspection. The tool is part of a WordPress plugin with client-side JavaScript. You can verify the implementation in the page source.
Best practices
- Length matters more than complexity. A 20-character lowercase-only password has more entropy than a 10-character password with all character types. Prioritize length.
- Use at least 16 characters for service accounts. For credentials stored in vaults and never typed, there is no reason not to use 24–32 characters.
- Never reuse generated passwords. Each system, service, or account should have a unique credential. The generator makes this trivial.
- Store the result immediately. Copy the password directly into your vault, config file, or provisioning script. Do not leave it in a text editor or clipboard longer than necessary.
- For hex mode, increase length. A hex character set (16 characters) is smaller than alphanumeric + symbols. Use 32 hex characters instead of 20 mixed to maintain equivalent entropy.
- Match the character set to the target system. Some systems reject certain special characters. Adjust before generating to avoid having to regenerate.
This tool vs a password manager
A password manager generates, stores, fills, and syncs passwords. This tool only generates.
Use a password manager for personal accounts, browser logins, and anything you need to retrieve later. Use this tool when you need a random value right now that you will immediately paste into a vault, a config file, or a provisioning script — and you do not want it stored in a third-party service.
For sysadmin workflows, both have a place. This tool fills the gap when you are already inside a terminal session, a remote desktop, or a web-based admin panel and need a credential without opening an additional application.
Frequently asked questions
The two most important factors are length and unpredictability. A strong password is long enough that brute-force is computationally infeasible, and random enough that it cannot be guessed from dictionaries, keyboard patterns, or personal information. At 20+ characters using a mixed character set, a randomly generated password is effectively immune to offline brute-force attacks with current hardware.
The indicator is based on password length and character pool size, which together determine entropy — the number of possible combinations. Weak means short or limited character variety. Medium means acceptable for low-risk or temporary use. Strong means high entropy suitable for production credentials.
It uses window.crypto.getRandomValues() — the browser’s cryptographic random number generator. It builds a character pool based on your settings, applies minimum-count constraints if configured, then shuffles the result to avoid predictable positions. The entire process runs locally in your browser tab.
It removes characters that look alike: O and 0, l and 1, I and |. This is useful when a password will be typed manually or read aloud. For passwords that will only ever be copied and pasted, this option has no practical benefit.
Hexadecimal mode restricts the character set to 0–9 and A–F. This is appropriate when the target system expects a hex-format value — for example, some API tokens, encryption keys, or hash-like identifiers. Because the character pool is smaller (16 characters vs 72+ in mixed mode), use longer passwords in hex mode. A 32-character hex string is a reasonable baseline.
Yes, for use cases where you copy the result immediately into a vault or config file. The tool uses cryptographically secure randomness, runs entirely in your browser, and stores nothing. The main risk is operational: do not leave a generated password in your clipboard or an unsaved text file. Copy it directly to its destination.
Password security scales exponentially with length. Each additional character multiplies the number of possible combinations by the size of the character pool. At 16+ characters with a mixed set, the number of combinations exceeds what any current hardware can brute-force in a reasonable timeframe. This is why modern security guidance focuses on length first.