Super Simple Digital ToolsFree online tools & calculators

Password Generator

Generate strong, random passwords in your browser — with live strength and entropy. Nothing is ever sent to a server.

Your password
Very weak0 bits of entropy

Passwords are generated entirely in your browser with crypto.getRandomValues and are never sent anywhere.

How to use the Password Generator

  1. Set the length. Drag the slider to choose how many characters your password should have — longer is stronger.
  2. Pick character types. Turn lower-case, upper-case, numbers and symbols on or off, and optionally exclude ambiguous characters.
  3. Copy it. Hit Copy to send the generated password to your clipboard, or Regenerate for a new one.

Why use our Password Generator

Cryptographically secure. Passwords use the browser's crypto.getRandomValues — true CSPRNG randomness, not Math.random().
Fully private. Everything happens on this page. Your password is never transmitted, logged or stored on a server.
Tune every detail. Set the length and toggle lower-case, upper-case, numbers, symbols and ambiguous characters.
See the strength. A live strength rating and entropy estimate (in bits) update with every change.

Free to use — premium coming soon

FREE
  • Unlimited passwords
  • Custom length & character sets
  • Live strength & entropy
  • One-click copy
PREMIUM
  • Remove ads
  • Bulk password generation
  • Passphrase mode

About the Password Generator

This password generator builds strong, random passwords directly in your browser using the Web Crypto API's crypto.getRandomValues, the same operating-system randomness source used for security-sensitive work. You choose the length and which character sets to include (lowercase, uppercase, digits, symbols), and the tool assembles a password by drawing each character from the pool without bias. As you adjust the controls, a live readout shows the password's entropy in bits and a plain-language strength label, so you can see exactly how a longer length or an extra character set changes the math rather than guessing.

Reach for this tool whenever an account, database, Wi-Fi network, or encryption key deserves a unique secret you will never reuse. Random passwords are valuable precisely because they have no pattern: there is no birthday, pet name, or keyboard walk for an attacker to guess, so the only route in is brute force across the full key space. It pairs well with a password manager, which removes the need to memorize the result. The optional 'exclude ambiguous characters' switch drops look-alikes such as l, 1, I, O, and 0, which is handy when a password may be read aloud, typed on a phone, or transcribed from a screen.

Strength is measured with entropy, calculated as length multiplied by the base-2 logarithm of the character-pool size. A 12-character password drawn from the full 94-character printable-ASCII set carries roughly 78 bits of entropy, while 16 characters from the same pool exceeds 100 bits and is far beyond practical brute-force reach. Including more character types enlarges the pool, but adding length usually buys more strength per keystroke, which is why modern guidance favors longer passwords over short, complex ones. The bit count shown updates instantly as you change settings, giving you a concrete target instead of a vague 'weak/strong' guess.

Privacy is built into how this tool works: every password is generated locally in your browser and is never sent to our servers, logged, or stored. The output exists only in your tab's memory and on your clipboard until you clear it, so closing the page disposes of it. This matters because a generated secret should never travel over a network where it could be intercepted or retained. Note that crypto.getRandomValues produces cryptographically secure randomness, unlike Math.random, which is predictable and unsafe for passwords; using the secure source is what makes the entropy figures shown here meaningful rather than cosmetic.

Frequently asked questions

How long should my password be?

For important accounts, aim for at least 16 characters; current NIST guidance recommends a minimum of 8 and suggests 15 or more, allowing passphrases up to 64 characters. Longer is reliably stronger, so when a site permits it, increase the length before worrying about adding more symbol types.

Are the passwords this tool generates truly random?

Yes. They are produced with the browser's crypto.getRandomValues, which draws from your operating system's cryptographically secure random number generator. That is far safer than Math.random, whose output can be predicted and should never be used for passwords.

What does the entropy figure in bits actually mean?

Entropy estimates how many guesses an attacker would need on average to find your password, calculated as length times log2 of the character-pool size. Roughly, 60-80 bits is strong and 80+ bits is very strong; each extra bit doubles the guessing effort required.

Why would I exclude ambiguous characters?

Look-alikes such as the lowercase l, uppercase I, digit 1, uppercase O, and digit 0 are easy to confuse when a password is read aloud, typed on a phone, or copied from a screen. Excluding them slightly shrinks the character pool but prevents transcription errors.

Is it safe to generate a password on a website?

With this tool, yes, because generation happens entirely in your browser and the password is never transmitted or stored on our servers. The result stays in your tab and clipboard, so it is wise to save it in a password manager and then clear your clipboard afterward.

From our blog

Converting YAML to JSON Without Corrupting Your Data

By the Super Simple Digital Tools Team · Updated June 2026

YAML and JSON describe the same shapes of data, nested objects and ordered lists, but they make opposite trade-offs. YAML optimizes for humans: indentation instead of braces, optional quotes, comments, and reusable anchors. JSON optimizes for machines: explicit delimiters, no ambiguity, and a parser built into virtually every language. Converting from one to the other is rarely about preference. It is about meeting a tool where it lives. Your CI pipeline reads YAML, but the API you call wants JSON, so a translation step sits between them.

Mechanically, a converter parses your YAML into a tree of three things: mappings (key-value pairs), sequences (lists), and scalars (single values). Indentation defines the nesting, a dash defines a list item, and a colon separates a key from its value. Once that tree exists in memory, emitting JSON is straightforward: wrap mappings in braces, wrap sequences in brackets, quote every key, and choose a JSON type for each scalar. The interesting and occasionally dangerous part is that last step, because YAML decides scalar types for you when you do not quote them.

This is where conversions go wrong. Write port: 8080 and you get a number, which is usually what you want. Write version: 1.10 expecting a string and many parsers hand you the float 1.1, dropping the trailing zero. Write country: NO and a YAML 1.1 parser gives you the boolean false. Write zip: 08080 and some parsers treat the leading zero as octal. None of these raise an error. The YAML is valid, the JSON is valid, and the value is simply wrong. Converting to JSON is actually a useful way to catch these, because JSON shows the resolved type plainly.

Indentation is the other classic failure. The YAML spec only allows spaces for indentation, never tabs, and roughly the majority of YAML syntax errors trace back to indentation problems. A single tab character, or two keys at the same logical level that are indented by different amounts, will stop the parse. Configure your editor to show whitespace and to insert spaces when you press Tab. Pick two spaces per level and keep every key in a block aligned. Consistent, space-only indentation prevents most of the errors you will ever hit.

A clean workflow looks like this: quote any value that should stay a string, especially codes, versions, and anything with leading zeros; remove or accept the loss of comments since JSON cannot keep them; expect anchors to be expanded into full copies; and review the JSON output to confirm numbers, booleans, and nulls landed where you intended. Because this tool runs the whole conversion in your browser, you can paste sensitive config without it leaving your machine, then copy the JSON straight into your request body or config loader.

  • Never indent YAML with tabs. Set your editor to insert two spaces per level and to render whitespace so stray tabs are visible.
  • Quote any value that must stay a string: country codes like NO, versions like 1.10, and ZIP or ID numbers with leading zeros such as 08080.
  • Remember comments and anchors will not survive. Comments are dropped and anchors are expanded into full duplicated values in the JSON.
  • Use the JSON output as a type check: if a field shows up as a number, boolean, or null when you wanted a string, fix the quoting in your YAML and convert again.

Read the full guide →

Tool by the Super Simple Digital Tools Team. Reviewed by our editorial team. Free to use, no signup required.

Related tools

Password Strength TesterWord CounterQR Code GeneratorCase ConverterJSON FormatterBase64 Encoder / Decoder