Password generator
Strong passwords drawn from the platform CSPRNG, generated locally. Nothing is transmitted, logged, or stored.
What makes a password strong?
Entropy — the number of equally-likely possibilities. A longer password drawn from a larger character set has more entropy and is exponentially harder to brute-force. This tool shows an entropy estimate so you can compare choices.
Tips
- Use a unique password per site — a password manager makes this painless.
- Prefer length over complexity rules; 16+ characters beats short-but-symbol-heavy.
- Never reuse a password across accounts.
- For machine secrets, generate 32+ character tokens instead of human passwords.
Generate secrets via API
Building signup flows, rotating API keys, or seeding service accounts? Generate secure tokens server-side with the Oxide Hash & Encryption Toolkit /v1/token endpoint, then store only a bcrypt/Argon2 hash with /v1/hash.
curl -X POST https://hash-toolkit1.p.rapidapi.com/v1/token \
-H "Content-Type: application/json" \
-H "X-RapidAPI-Key: YOUR_KEY" \
-H "X-RapidAPI-Host: hash-toolkit1.p.rapidapi.com" \
-d '{"type":"hex","length":32}' FAQ
Are these passwords safe to use?
Yes. Each character is drawn from the browser's cryptographically-secure random generator (window.crypto.getRandomValues), not Math.random. The password is generated locally and never transmitted or stored anywhere.
Is the generated password sent to a server?
No. Generation happens entirely in your browser. Nothing is uploaded, logged, or saved. Close the tab and it is gone.
How long should my password be?
For human-memorable accounts, 16+ characters with mixed character sets is a strong baseline. For machine secrets (API keys, service accounts), use 32+ characters or a generated token. Length matters more than complexity rules.
What makes a password strong?
Entropy — the number of equally-likely possibilities. A longer password drawn from a larger character set has more entropy and is exponentially harder to brute-force. This tool shows an entropy estimate so you can compare choices.
Can I generate secrets from an API?
Yes. The Oxide Hash & Encryption Toolkit /v1/token endpoint returns cryptographically-secure tokens (hex, base64, UUID) at the edge — ideal for generating API keys and service-account secrets in your backend.