Security

120 random passwords for servers, master keys, admin accounts

120 random passwords generated with the Unbiased Random Selection method (OS CSPRNG with rejection sampling). Lengths from 32 down to 10 characters. Click any password to copy it to clipboard.

ASCII format passwords

The most secure: 85-character printable charset, ~6.4 bit/char entropy. A 30-character ASCII password requires roughly 41 trillion years to brute-force on offline GPU rigs. Use these for critical services: server access, master keys, admin accounts.

Charset: !"#$%&'()*+,-./23456789:;<=>?@ABCDEFGHJKMNPQRSTUVWXYZ[\]^_`abcdefghjkmnpqrstuvwxyz{|}~

32 characters

\n}Pz|9"|WKMk-p4uH,%Rz@*vS(y-jXK

8!S,*}Z&aCV~}-{p:#MdeG]&YR'7>GE%

.[K\SKbrPVsG<swUEaV"&YE"Hdnrj9z<

sUgG?3FR$K;n@N4HVvr]fvRUADFZwgaY

CB.;#<Kr\)xHX;'4|h8}v8SnGm{|)>q-

24 characters

[#)C*'-2tZKj){~Z*%E.S@r6

(~~j9[W!%dZFX-2[m._?~k5G

UZX]?j"R+re2?$?^G{+!Rt<H

#^SqywFp"5B42Ubd&Uf_dytp

._N!?7`KF%5;UtK/2%Q?ZN*u

20 characters

NRZ\9q(e\&7j<^a#2W.j

:"td7}SFEJ*MdP7!(WUc

@MPb&>^8tHm^/'$?S~\(

N3gms<mBTp"U`}*KZzx5

cZ`_m32`\nf(S@7**|Gz

16 characters

A`#7F^a.|_>#u+4z

(H'u@.}8]\M?^(ya

Yhz5$R^-zrJU:3=G

u,rFc59V<e=eRm`%

XdDRtRkuf"8y|"V,

12 characters

{V9w`p{jQnX6

E_&|hnu,(T.6

YHhp$vhP|aQB

]6XG_j+k<rHe

"*qBQACQ_DZ{

10 characters

7wk8Kyr!Yd

3[t4BQuGz(

v5(;.HAF<V

tFVQ3H@6CD

xF|rdrzvjW

Alphanumeric format passwords

Reduced charset (54 characters): more readable and typable, lower entropy per symbol. OK for services that forbid special characters. For everything else, prefer ASCII above.

Charset: ABCDEFGHJKMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789

32 characters

3gWJ4ZgvfqkBpm75qVexXb9PfHQvk3pn

ZkBaPCEJUBjFZAgNYaQbfHcNWVRtMW6s

b8d44dcnebmqBjgfaw4DsPvpRAMVMSuY

dVDUyunQJebNwp6XXeeSUDQGGJv8sVbM

eHVxyBfUvFzJP8hBJ5CrW59crKsNEmN5

24 characters

SstHa2RBdVmnN549xmkMpJmW

ANgzGtPSUtEwwB4zC9p8eqCs

bzR4rV2hbKeHZbGXXuJ5K3ku

hK4UjnDZ4xEVtmMkG4ugqDAk

zdaxr94mEeuUTBppxhkYhuBr

20 characters

jvQWvhXCQ5ZK4T37cWsZ

cGBJxCWEmTmEfrxT4ujB

XzbWrShB5axnJrn9jbPs

zbasEU3rmKMkxKH43DbQ

CyUcN4bxSY2uc5fAUVey

16 characters

ZsCa5mJ3GFJGmNFS

2jnZc8dKzCUjzF7c

9Pe7MngVjGNaghjy

vQr99tQfzr4ERjPA

4RvKAzRaZg4rj95n

12 characters

7SNgAcVJh3Gy

zF747gRxdx5k

VdqsbkZReErX

YZVhfUABaK9c

3EHUHrGmHayx

10 characters

a25RJFsg5M

WHWMcRC54K

UvJTZF9Jz7

f6J4aJMzuH

nnc5eYewhh

Why these passwords are genuinely secure

Generation uses unbiased random sampling via PHP's random_int(), which calls into the OS CSPRNG (/dev/urandom on Linux, equivalents on other OSes), with rejection sampling that avoids the modulo bias many artisan generators get wrong: every character has probability exactly 1/|charset|. On 20 ASCII characters the real entropy is 128 bits. For comparison, a "strong" password picked by a human typically has 30-50 bits of entropy and is brute-forceable in hours on modern GPUs. The passwords served on the page exist only in the HTML sent to your browser: they are not logged, not persisted anywhere, and do not survive page reload.

Frequently asked questions

How long is a truly secure password in 2026?

Personal accounts: at least 16 ASCII characters (roughly 100 bits of entropy). SSH servers, API keys, admin accounts: 24-32 characters. The real security factor is total entropy, not character class: a 30-char ASCII password is more secure than a 12-char password with 'mandatory symbols'.

Why don't the passwords contain '0', '1', 'l', 'I', 'O'?

Visual ambiguity. If you have to read or type the password by hand (on mobile, on a serial console, on a remote terminal), lookalike characters cause errors. Excluding 5 chars out of 94 only changes per-char entropy by ~0.08 bits, negligible compared to total length.

Are generated passwords logged or sent anywhere?

No. The PHP that generates passwords runs server-side in an isolated process, doesn't log output, doesn't store anywhere. Every page reload produces 120 fresh passwords that only exist in the HTML served to you. HTTPS always.

Is random_int() really secure?

Yes. In PHP 8.x, random_int() internally uses the OS CSPRNG (/dev/urandom on Linux, equivalents on other OSes): the same entropy source that backs standard cryptographic tooling. The implementation applies rejection sampling to avoid modulo bias, a critical detail many artisan generators get wrong and which leads to non-uniform character distributions across the charset.

Can I use these passwords for encryption or API keys?

For account and service passwords they are fit for purpose. For cryptographic keys (AES, RSA, ECDSA) no: keys must be generated directly with the crypto library that will use them, in the format and length specific to the algorithm. Using an ASCII password as a crypto key introduces an unnecessary KDF derivation, typically done wrong.

What if I work at a company where passwords are shared in an Excel file?

Very common, very risky, very fixable. Migrating to an enterprise password manager (self-hosted Bitwarden, 1Password Business, Vaultwarden) takes 2-3 days of setup + training. If you want a structured path for your SMB, get in touch: this is one of the areas I work on regularly.

Password hygiene at your company is a mess?

If your SMB still uses shared passwords in Excel, reused credentials across services, or lacks a centralized password manager, the compromise risk is high and measurable. I offer targeted consulting on enterprise password policy, migration to self-hosted password managers (Vaultwarden/Bitwarden), and audit of service credentials in use. 20+ years backend + applied cybersecurity.

Talk to me about password security