PwdFortress

Password Generator

Generated in your browser via crypto.getRandomValues. Never sent to a server.

100% client-side · crypto.getRandomValues
20
864

How this tool works

01

crypto.getRandomValues

Each character is drawn using the browser's native cryptographic API (CSPRNG), compliant with NIST SP 800-90A. No external libraries are loaded.

02

Entropy calculation

Entropy is calculated as L × log₂(N) where L is password length and N the character pool size. Above 70 bits, modern brute-force attacks take centuries even with specialised hardware.

03

Strength indicator

Thresholds (weak < 30 bits, fair < 50 bits, strong < 70 bits, very strong < 90 bits, excellent ≥ 90 bits) follow OWASP password strength recommendations.

Why 100% client-side?

Your password never leaves your device. Unlike server-based generators that send the request (and sometimes the result) over a network, this tool makes zero network calls related to generation. Check your browser's Network tab to verify.

How to use a strong password

Generating a strong password is the first step. The next step is storing it securely — don't write it in a text file or a Google Doc.

A password manager encrypts your vault locally before syncing. Neither the provider nor a potential attacker can read your passwords without your master password.

Read our guide: how to create a strong password →

Store your generated passwords

A strong password stored insecurely is pointless. Bitwarden and Proton Pass are open-source, auditable, and free.

Try Bitwarden (free)Try Proton Pass (free)

Frequently asked questions

Does this generator store my passwords?

No. No generated password is saved, transmitted, or analyzed. Everything stays in your tab's memory and disappears when you close the page.

What length do you recommend?

16 characters minimum for regular accounts, 20+ for critical accounts (email, banking, password manager). Beyond 20 characters with uppercase + digits + symbols, entropy exceeds 100 bits.

Why exclude ambiguous characters?

Characters I, l, 1, O, and 0 look similar depending on the font. If you need to type a password manually, excluding them prevents typos.

Is crypto.getRandomValues truly secure?

Yes. It's the standard cryptographic API in modern browsers, fed by the OS CSPRNG (Windows CryptGenRandom, Linux /dev/urandom, macOS SecRandomCopyBytes). It's the same source used by password manager browser extensions.

What's the difference between a password and a passphrase?

A passphrase is a series of random words (e.g. 'correct-horse-battery-staple'). It's longer, easier to remember, and can reach high entropy. A random password achieves the same entropy in fewer characters but is harder to memorize.