PRPickrack

Password Generator

Generate cryptographically-strong random passwords. Length, character set, similar-character exclusion — all configurable.

0 bits entropy
816 (rec)3264

Generated locally using crypto.getRandomValues. Never sent to a server. Clipboard auto-clears 30 seconds after copy.

Generate strong, random, cryptographically-secure passwords. Length and character set fully configurable.

Password Generator creates strong random passwords for new accounts, password rotations, or replacing weak ones identified by your password manager. The crypto-strength matters: weak generators (using Math.random or PHP rand()) are crackable in seconds.

Pick Rack's Password Generator uses crypto.getRandomValues() — the browser's cryptographically-secure random API, the same primitive that powers HTTPS handshakes. Each character is independently random, drawn from your selected character pool. No network call, no logging — passwords are generated locally and never leave your tab.

Free, no signup, no daily limit. Use it as a one-shot tool or generate dozens for testing. Pair with a password manager (1Password, Bitwarden, KeePass) — never reuse passwords across accounts.

Key features

  • Cryptographically secure (crypto.getRandomValues)Uses browser native CSPRNG — same entropy source as TLS keys. Each character independently random.
  • Adjustable length 8-128 charactersDefault 16 (current NIST recommendation for human-typed). 32+ for system-only use. Some sites cap at 32 — generate to match.
  • Character set togglesLowercase, uppercase, numbers, symbols — toggle each. Some legacy sites reject symbols; uncheck and regenerate.
  • Exclude similar-looking charactersToggle to remove 0/O, 1/l/I — useful for passwords you'll have to type or read out loud.
  • Copy to clipboard with auto-clearClick Copy → password copies. Clipboard auto-clears after 30 seconds (configurable) to limit exposure.

How to use

  1. Step 1: Set length16 for typical human use, 24-32 for high security, 12 if a site has a low cap.
  2. Step 2: Toggle character setsDefault: all four (a-z, A-Z, 0-9, symbols). Uncheck symbols if a site rejects them.
  3. Step 3: Generate and copyClick Generate. Click the copy icon. Paste into the password field. Always also save to your password manager.

When to use

  • Replace a weak password flagged by your password manager (1Password, Bitwarden) as 'compromised' or 'weak'
  • Generate a master password for a new vault — combine 4-5 random words instead for better recall
  • Rotate passwords after a service breach (Have I Been Pwned alert)
  • Create test credentials for staging environments — generate 100 in a row
  • Set strong WiFi passwords when configuring a new router (24+ chars, no symbols if router doesn't support)
  • Protect a PDF before emailing — pair with Pickrack's Protect PDF tool

Frequently asked questions

Is my generated password sent to your server?

No. Password is generated using crypto.getRandomValues() entirely in your browser. Verify in DevTools → Network — zero requests when you click Generate. The password exists only in your browser memory until you copy or refresh.

Why use crypto.getRandomValues instead of Math.random?

Math.random is not cryptographically secure — it's seeded predictably and can be reverse-engineered, especially in older browsers. crypto.getRandomValues uses OS-level entropy (hardware noise, kernel entropy pool) — the same source TLS, SSH, and disk encryption use. Always use it for passwords, tokens, salts.

How long should my password be?

16 characters with mixed case + numbers + symbols is the current NIST/OWASP minimum for human-typed passwords. 24-32 for high-security or system-only use. 12 only when forced by site limits — at 12, choose strict mixed-set to maintain entropy.

Should I include symbols?

Yes when allowed — adds significant entropy. Some legacy systems (banking, hospital) reject symbols. If so, increase length to 20+ to compensate.

What's a passphrase, and is it stronger?

A passphrase like 'correct-horse-battery-staple' uses real words. 4-5 random words from a 7,776-word list is ~50 bits of entropy — comparable to an 8-char random password. For master passwords (which you'll type frequently), passphrases are easier to remember; for system-only credentials, prefer the random password generator.

Can I generate the same password twice?

Cryptographic random — collision probability is astronomical (~2⁻⁶⁴ for 16-char alphanumeric). Each click produces an independent random password.

Does this work offline?

Yes once the page loads. The generator is pure JavaScript using crypto.getRandomValues which is built into every modern browser.

Should I store the password in my browser's autofill?

Browser autofill (Chrome, Safari built-in) is OK for low-risk accounts. For email, banking, work logins, use a dedicated password manager (1Password, Bitwarden, Proton Pass) — they have better encryption, sync, and breach alerts.