Security

120 random passwords for servers, master keys, admin accounts

120 random passwords generated with the Unbiased Random Selection method (OS CSPRNG with rejection sampling). Lengths from 32 down to 10 characters. Click any password to copy it to clipboard.

ASCII format passwords

The most secure: 85-character printable charset, ~6.4 bit/char entropy. A 30-character ASCII password requires roughly 41 trillion years to brute-force on offline GPU rigs. Use these for critical services: server access, master keys, admin accounts.

Charset: !"#$%&'()*+,-./23456789:;<=>?@ABCDEFGHJKMNPQRSTUVWXYZ[\]^_`abcdefghjkmnpqrstuvwxyz{|}~

32 characters

DyPc=t^S~<8dz:>B9kpkz;Q~(Jdw@pd~

bP=d(:S#PU\bED+sJDKjNM(\>P/G/#;,

E|Hz/y"B,$r7Jfwc2e|]2GHve*d,&;z<

Q_!6]]eQKWGB8T#(:.Am:c;h#$[u=mn<

/57\/A.AsR+h8_n2_$ws}$~4/MTSf}><

24 characters

9JFC'\!BY`%"?<d-^QNyE(/]

F)-nc\|S\*Y`=CsYz2p+2hmN

)&YB<}%Nb<f|=QKQp(,N7;+/

cX}3.'g@y3Ww;z~Z5x{A)HB[

88qw%]x+Ma7e>-g+UP,C52]b

20 characters

VQ95wee%Zr?`#2t<N6.,

r^pJn28f>/d4$rDms=-2

,ZsM?2_+P3'$K*S2:f:<

3Ae3=!,%*(.6^3.A?<J7

p>WB<y*h3,pdgz@b%f}X

16 characters

^XbD'SV|yPGNZn|p

7s;a9rk&JH)fh{*5

:\gG[WN.({W}(m2X

!2n>XmHS(*.6M_Vm

%jkM"!E\'<V>^r99

12 characters

qu=sA~`RAQr9

T?)B9P28eKe\

*g^aQ<EPdA%e

D%H%#R8NHtga

?vJ=b3Bt%t5E

10 characters

P!*m[sUCrc

2#;!9|*gY:

X8t5r;/eJe

+|h6$x\F%k

gUy.4`s+~>

Alphanumeric format passwords

Reduced charset (54 characters): more readable and typable, lower entropy per symbol. OK for services that forbid special characters. For everything else, prefer ASCII above.

Charset: ABCDEFGHJKMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789

32 characters

3WHTzQHFUPNcYQpyqC9h9YZmyDEXQbbk

wcy7jdAcgAuCGUyacRggCDnvzn2m8rVd

eAxGZE6jREUUy6gahcZp2Fq2drbdDSsf

RcCxv6NszCYBQy4fBjdnHvm3x6nWUqRn

8kPAW7r97Ad84cNKzVs4xVQTAFdXtqmV

24 characters

X9XusguEE6n2aYnmpHGS2gFc

7cBw2eVBxVr4UNCwzHr78Hh7

Fqv84VmKtVNHS4FwrPvafqcr

X7gF8t88sXVKFeB8b3yRBFMQ

9BJFGNSVKzgDTHZHgJwRkgjV

20 characters

5x8UVwpSTtmqaFBRHQhN

EHGg4b9R28VbjhsZPRQA

JjAFqjhxevxyX8WzvYS2

ZEEfXy6ugNPNzbZNVN6H

abs8hX4fPUPFugtPmGpn

16 characters

ZTrcPVfNTuHwDbQb

F6uvmMXXtXQmNRAn

tgRmAn99U4Kc2PEN

UNWY2r2KFjSqMpnh

sJkDXWgVhrHsRJZR

12 characters

TSnyNKesUdET

DuxQ8hYERtYt

DgezUHRR7VG7

Vkq4ePPCYaDX

aFGhCqujsJJN

10 characters

2JsAnbSdDs

DypwURhqDC

VYNcT9n3bB

FwhXtPndhJ

CKaZtKuHbH

Why these passwords are genuinely secure

Generation uses unbiased random sampling via PHP's random_int(), which calls into the OS CSPRNG (/dev/urandom on Linux, equivalents on other OSes), with rejection sampling that avoids the modulo bias many artisan generators get wrong: every character has probability exactly 1/|charset|. On 20 ASCII characters the real entropy is 128 bits. For comparison, a "strong" password picked by a human typically has 30-50 bits of entropy and is brute-forceable in hours on modern GPUs. The passwords served on the page exist only in the HTML sent to your browser: they are not logged, not persisted anywhere, and do not survive page reload.

Frequently asked questions

How long is a truly secure password in 2026?

Personal accounts: at least 16 ASCII characters (roughly 100 bits of entropy). SSH servers, API keys, admin accounts: 24-32 characters. The real security factor is total entropy, not character class: a 30-char ASCII password is more secure than a 12-char password with 'mandatory symbols'.

Why don't the passwords contain '0', '1', 'l', 'I', 'O'?

Visual ambiguity. If you have to read or type the password by hand (on mobile, on a serial console, on a remote terminal), lookalike characters cause errors. Excluding 5 chars out of 94 only changes per-char entropy by ~0.08 bits, negligible compared to total length.

Are generated passwords logged or sent anywhere?

No. The PHP that generates passwords runs server-side in an isolated process, doesn't log output, doesn't store anywhere. Every page reload produces 120 fresh passwords that only exist in the HTML served to you. HTTPS always.

Is random_int() really secure?

Yes. In PHP 8.x, random_int() internally uses the OS CSPRNG (/dev/urandom on Linux, equivalents on other OSes): the same entropy source that backs standard cryptographic tooling. The implementation applies rejection sampling to avoid modulo bias, a critical detail many artisan generators get wrong and which leads to non-uniform character distributions across the charset.

Can I use these passwords for encryption or API keys?

For account and service passwords they are fit for purpose. For cryptographic keys (AES, RSA, ECDSA) no: keys must be generated directly with the crypto library that will use them, in the format and length specific to the algorithm. Using an ASCII password as a crypto key introduces an unnecessary KDF derivation, typically done wrong.

What if I work at a company where passwords are shared in an Excel file?

Very common, very risky, very fixable. Migrating to an enterprise password manager (self-hosted Bitwarden, 1Password Business, Vaultwarden) takes 2-3 days of setup + training. If you want a structured path for your SMB, get in touch: this is one of the areas I work on regularly.

Password hygiene at your company is a mess?

If your SMB still uses shared passwords in Excel, reused credentials across services, or lacks a centralized password manager, the compromise risk is high and measurable. I offer targeted consulting on enterprise password policy, migration to self-hosted password managers (Vaultwarden/Bitwarden), and audit of service credentials in use. 20+ years backend + applied cybersecurity.

Talk to me about password security