Skip to content

Password Generator

4 modes, live entropy + crack-time, bulk + CSV, HIBP breach check.

Share
crypto.getRandomValues() · cryptographic-grade randomness · 100% browser-side
Strengthempty
0 bits

Random password options

Crack time by attack speed

Online, throttled 100/hrinstant
Online, unthrottled 10/secinstant
Offline, slow hash 10K/sec PBKDF2instant
Offline, fast hash 10B/sec GPUinstant
Offline, ASIC theoretical 1T/secinstant

0.0 bits of entropy from a pool of 0 possibilities. NIST recommends 80+ bits for accounts you care about; 128+ for the paranoid.

Have I Been Pwned checkk-anonymity, never sends password

We SHA-1 the password locally, send only the first 5 hex chars to api.pwnedpasswords.com, and check the response locally. The password and full hash never leave your browser.

crypto.getRandomValues + 4 modes + HIBP breach check

The password generator that doesn't push you into a paid manager

Random, Diceware, pronounceable, or pattern-based. Live entropy + crack-time meter. Bulk generate up to 100 with CSV export. Optional Have I Been Pwned check via k-anonymity (your password never leaves the browser). 100% client-side cryptographic randomness.

How it works

Step 1

Pick a mode

Random characters, Diceware passphrase, pronounceable, or pattern-based template. Each suits a different use case.

Step 2

Adjust the strength

Length, character classes, exclude similar / ambiguous chars, ensure-one-of-each. Live entropy meter shows the bits you're building.

Step 3

Copy or bulk download

One click to copy. Or set bulk to 100 and download a CSV. Cryptographic-grade randomness, never Math.random.

Every feature, free

4 generation modes

Random char-class for site logins, Diceware passphrase for memorability, pronounceable for verbal handoff, pattern-based for sites with strict format rules. Most generators offer only random.

Live entropy + crack-time

Bits of entropy displayed as you type. Crack time shown at 4 attack tiers: online throttled, online unthrottled, offline slow hash (PBKDF2), offline fast hash (10B/sec GPU). zxcvbn-compatible scoring.

Bulk generation up to 100

Generate 100 unique passwords at once. Copy individually or download as CSV. Useful for seeding test accounts, recovery codes, or batch-creating new logins.

Have I Been Pwned check

Optional k-anonymity check: we SHA-1 your password locally, send only the first 5 hex chars to HIBP, check the response locally. The password and full hash NEVER leave your browser.

Cryptographic randomness

Uses crypto.getRandomValues() with rejection sampling to avoid modulo bias. Math.random() is not cryptographically secure; many free generators get this wrong. Ours produces output that's safe for security tokens.

Smart character class enforcement

Many sites require 'at least one upper, lower, digit, symbol'. Our 'ensure each class' option guarantees the output passes those checks without sacrificing randomness.

Exclude similar / ambiguous

Drop Il10O for handwritten or read-aloud passwords. Drop {}[]() for systems that mangle them. Toggle independently.

100% browser-side

Generation, entropy analysis, crack-time computation, and the bulk export all run locally. The HIBP check is the only network request and uses k-anonymity. Open the network tab to verify.

Why we built this

No password manager required

LastPass, 1Password, Norton, Bitwarden , most free generators are loss-leaders for paid managers. We don't sell anything. The tool stands alone, free, with all features included.

Cryptographically secure by default

Many free generators use Math.random(), which is not secure. Skilled attackers can recover the seed and predict future outputs. We use crypto.getRandomValues() exclusively, the same primitive Web Crypto and TLS use.

Multiple modes for different threat models

Random for password manager storage. Diceware for what you'll type. Pronounceable for what you'll say over the phone. Pattern for sites with format quirks. Pick the right tool for the job.

Bulk + breach check together

No competitor offers bulk generation AND breach checking AND multi-mode AND offline-capable in one tool. We do, free.

Molixa vs LastPass, Bitwarden generators

FeatureMolixa Password GeneratorLastPassBitwarden
Free, no signupYesYesYes
4 generation modesRandom, Diceware, Pronounceable, PatternRandom + simple passphraseRandom + Diceware
Bulk generateUp to 100 with CSV exportOne at a timeOne at a time
Live entropy meterBits + 4 attack tiersBasic strength barBasic strength bar
HIBP breach checkYes, k-anonymityIn paid appIn paid app
Pattern-based templatesYesNoNo
Cryptographic randomcrypto.getRandomValues + reject samplingYesYes
Standalone (no manager)YesPushes manager signupPushes manager signup

What people use it for

Generate a strong password for a new account

Pick Random, length 16, all 4 classes on, copy. Paste into the signup form. Save in your password manager. Done in 5 seconds.

Make a memorable master password

Pick Diceware, 6 words, capitalize on, separator '-'. Result: 'Battery-Horse-Staple-Apple-River-Sunset'. ~70 bits, easy to type, no manager could ever lose it for you.

Verbal password to dictate to a coworker

Pick Pronounceable. Length 14. Result: 'pulokirakapule'. Easier to read aloud than 'X#k$2vQ!9j@n'.

Match a site with weird format rules

Site says 'exactly 12 chars, 2 digits, 1 symbol, no ambiguous'? Pick Pattern, template 'aaaaaaaa-99?'. Result fits the format on the first try.

Bulk-create accounts for testing

Set bulk to 50, hit generate, download CSV. Each row is a fresh, unique, strong password. No more 'Password1', 'Password2' for QA accounts.

Verify your password hasn't been leaked

Type or paste a password (or copy a generated one), click 'Check this password'. The k-anonymity protocol checks Have I Been Pwned without sending your password anywhere.

Walkthroughs

Generate a strong password in 3 seconds

  1. 1Default mode is Random, length 16, all character classes on. That's already a 96-bit-entropy password.
  2. 2Click Copy. The password is in your clipboard.
  3. 3Paste into the signup form. Save in your password manager.
  4. 4If the site rejects a symbol, switch to Pattern mode and customize.

Build a Diceware master passphrase

  1. 1Click the Passphrase tab.
  2. 2Set Words to 6, capitalize on, separator '-'. Get something like 'Battery-Horse-Staple-Apple-River-Sunset'.
  3. 3Optionally toggle 'Append digits' and 'Append symbol' for sites that require them.
  4. 4Memorize it. Use as your password manager master password. Never type it into anything else.

Check if your existing password has leaked

  1. 1Generate any password (we need something in the input field).
  2. 2Manually edit the displayed password by clicking Show then editing , or paste your existing password into a text field.
  3. 3Click 'Check this password' under Have I Been Pwned.
  4. 4Result tells you whether the password appears in any known breach. If yes, change it everywhere.

Bulk-export 50 passwords for QA

  1. 1Set Bulk generate to 50.
  2. 2The list of 50 unique strong passwords appears below the primary result.
  3. 3Click 'Download CSV' to save them all with index and length columns.
  4. 4Each password is independently random. The CSV is yours; we never see it.

Privacy + security

Passwords never leave your browser

Generation happens locally using crypto.getRandomValues, the cryptographically secure PRNG built into every modern browser. Entropy analysis happens locally. Crack-time computation happens locally. Bulk export downloads from your tab to your disk without going through any server.

The optional Have I Been Pwned breach check uses k-anonymity. We SHA-1 your password in the browser, send only the first 5 hex characters of the resulting 40-character hash to api.pwnedpasswords.com, and check locally whether your specific 35-character suffix is in their response. The remote service never sees the password, never sees the full hash, and could not reconstruct either from the prefix it receives. This protocol is well-documented and audited; Troy Hunt (HIBP's author) has written extensively about the privacy guarantee.

Who it's built for

Security-conscious users

Cryptographic randomness, k-anonymity breach check, no upsell. Generate, save in your manager, move on.

Developers + sysadmins

Bulk generate API tokens, recovery codes, test passwords. Pattern mode for systems with strict format rules. CSV export for piping into your provisioning scripts.

International users

No paid tier, no geographic gating, no signup required. Works the same in every country. Output is plain text , copy and use anywhere.

QA + ops teams

Bulk export 100 passwords to seed test accounts. CSV format drops into spreadsheets and provisioning scripts. Every password is independently random.

Questions people ask

Is the password generator free?
Yes. Unlimited generation, no signup, no daily cap. The tool runs entirely in your browser, so we have no per-user cost. LastPass and 1Password gate their generators behind paid manager subscriptions; Norton's lives behind a paywall. Ours is genuinely free, with no tiered features.
How is randomness sourced?
We call window.crypto.getRandomValues(), the cryptographically secure PRNG built into every modern browser. Math.random() is NOT cryptographically secure and should never be used for password generation; many free generators get this wrong. We also use rejection sampling to avoid modulo bias when picking from arbitrary-size character pools, so each character is genuinely uniformly distributed.
Do passwords get sent anywhere?
No. Generation happens entirely in your browser. Passwords stay in your tab's memory until you close it or refresh. The only network request the page makes is the initial HTML / JS / CSS load. The optional Have I Been Pwned breach check uses k-anonymity: we SHA-1 the password locally, send only the first 5 hex characters of the hash to api.pwnedpasswords.com, and check the response locally. The password and full hash never leave your browser.
What's the difference between Random, Passphrase, Pronounceable, and Pattern?
Random builds passwords from character classes (uppercase, lowercase, numbers, symbols) , best for site logins where you'll save them in a manager. Passphrase (Diceware) joins words with separators, like correct-horse-battery-staple , easier to type and memorize but needs more total characters for the same entropy. Pronounceable alternates consonants and vowels for memorability , handy for verbal handoff. Pattern follows your template , useful for sites with strict format rules like 'must have exactly 2 digits and 1 symbol'.
How long should my password be?
For random char-class passwords with all four classes (upper + lower + numbers + symbols), 16 characters gives roughly 96 bits of entropy , comfortable for accounts you care about. NIST recommends 80+ bits as the minimum for sensitive accounts. For Diceware, 5-6 words gives 60-70 bits and is much easier to type. Add a digit and a symbol on the end (or use the toggle) and you're at 80+ bits. The crack-time table on the page tells you exactly what your current setting buys you.
What does 'crack time' actually mean?
It's the average time an attacker needs to guess your password by trying every possibility, given a particular attack speed. We show four tiers: online throttled (the website locks the account after 100 wrong guesses per hour), online unthrottled (10 guesses/sec), offline slow hash (10K/sec, typical PBKDF2 hash like 1Password uses), and offline fast hash (10B/sec, GPU on a fast hash like MD5). The fastest realistic threat for a leaked database is the 10B/sec tier , that's the one the strength score uses.
What's bulk generation good for?
Setting up many accounts at once. Generate 50 strong passwords, download as CSV, paste each into the right form. We also use bulk for things like seeding test users, generating one-time recovery codes, or creating many API tokens. Each password is independently random, not a derivation of the others.
Why does the strength meter sometimes show different scores for the same length?
Length matters less than character pool size. A 12-char password using all 4 classes (upper+lower+digit+symbol = 94 chars in pool) has more entropy than a 16-char password using only lowercase (26 chars in pool). The strength meter uses Shannon entropy: pool_size to the power of length. Diceware works the same way but with a much larger 'pool' (the wordlist) per position.
Is Have I Been Pwned safe to use?
Yes if you trust the k-anonymity protocol, which is well-documented and widely audited. The k-anonymity range API works like this: we SHA-1 the password, take the first 5 hex characters of the 40-character hash, send only those 5 chars to HIBP. They return all 35-character hash suffixes that share that 5-char prefix (typically 500-1000 results). We check locally whether our 35-char suffix is in the list. The remote service never sees your password, never sees your full hash, and can't reverse-engineer either from the prefix. Troy Hunt (HIBP's author) has written extensively about the privacy guarantee.
Should I use a password manager?
Yes. Generate the password here, save it in 1Password, Bitwarden, KeePass, Apple Passwords, or your browser's built-in manager. Memorizing dozens of unique strong passwords is impossible; the human brain is the worst password manager. The combination of 'unique strong password per site, generated by a tool, stored in a manager, retrieved with one master password' is the modern best practice.

Try it now

Cryptographic random, 4 modes, bulk export, breach check

Free. No signup. No upsell into a paid password manager. Just the strongest passwords you can paste in.

Start generating
Built and reviewed bySaqib Zahoor, WeboTech Studio
Last updated:

The Password Generator page is built, reviewed, and maintained by the Molixa team. We use the tool we ship and update the docs when the behavior changes.