Security

Secure password generator

120 random passwords generated with the Unbiased Random Selection method (OS CSPRNG with rejection sampling). Lengths from 32 down to 10 characters. Click any password to copy it to clipboard.

ASCII format passwords

The most secure: 85-character printable charset, ~6.4 bit/char entropy. A 30-character ASCII password requires roughly 41 trillion years to brute-force on offline GPU rigs. Use these for critical services: server access, master keys, admin accounts.

Charset: !"#$%&'()*+,-./23456789:;<=>?@ABCDEFGHJKMNPQRSTUVWXYZ[\]^_`abcdefghjkmnpqrstuvwxyz{|}~

32 characters

J)$uTESYBX+2<e<X~7xMS>(:PemaBAn%

;\8{Z%v>[A]]~$/)mCtF?^4))pVqU}(3

Wh':UH4mvAnFb?~zvePaw?H;]cafW5U=

<XFR2*6/*t#.7hC!Up^FC,''j#Dt@2(_

wrApY'D)&@,CH]`TZ(};Ke+j2j&=V|#x

24 characters

NVWrD39,zv&q&S}B`V.`zKs^

~ET<Z(X(\Q&r.9u3){32S36t

(=DCcbaVR+f6EPf[bfg[$@8S

2j5tUesE"X]!e&$(2)|2Fg(9

`fbM!HKd5"ke{J[PuCYE.E5+

20 characters

^q^|tVah;F#f2u[6a|,#

[&}2bNv7@"(~f{,tgaww

>]-Qy`9B6txpP.q|4CnU

NG"$BQ)ppAx)^+w`m)X6

}(%%RAS!MJC-h!cUd[;$

16 characters

y@@7H85YU><Tk&BG

RXFGxf4H%!]aTX_j

p]Ga6Xrd*&GuetH{

S3Z\D}]k7-YgcGC4

D?Jh'K^W2$V>8H}~

12 characters

nKBnzg9^A(-R

e]"dq&*,2"_%

)F*M(c_aC4m#

#Zb&4es[qcR.

M`R,@7=Ds?;a

10 characters

*`&N9yhv/<

8"huYAWr"Z

4VDtc$=-^<

@S`Apyt2tM

4YRP@e-?#w

Alphanumeric format passwords

Reduced charset (54 characters): more readable and typable, lower entropy per symbol. OK for services that forbid special characters. For everything else, prefer ASCII above.

Charset: ABCDEFGHJKMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789

32 characters

q5png5ayNx2v9p2dNAew5mjj8CnqPxEC

ZnQJA6mHrJSHC3xMWcBw39Syejf2bQWF

YgyfQk6JjGHmkDtApCtSHYW5kYnvMTZw

khScuduhcByKUhXcR38p9bhedJtvT7PY

BMtctdfrrXRQ69A9EW7eZhTBHP9DPkhr

24 characters

XHxegJ2p7N6df5gA4cvvCn7m

AQq59bmhVwPHrBnGUvXmuk9T

CXwTGP7NAtZGwsA7uuEuMH2K

HXCfNkwmxKJMyhKcatg7Mds4

nhVPz2DqwP4vy2nM65uy92FB

20 characters

jw5yFPEtkBXQDAHFFKKX

SY2Dr3D7SmH8WTYdk6z6

AzGTQpQHaWxjGUQSBgXd

247yrQgkV4UqsGfxJB8c

W75m94Ger7CZWWn3rF8z

16 characters

w7APuV5h3E4RX3am

Zw2gv7WytDTqrkxr

ueRz5VrndeYyZrBH

CnU9VUfdBfvBEbSd

hzhgbVvn8q3xSgxs

12 characters

nVfpxpvrrbB3

DzHkuCA38N3M

WC6ruSqYpvYx

TXfpdpwqBMEC

YA3Xw99QASUW

10 characters

UdYWqmhxXK

YhSzaBxvFy

Dx83QPNcYd

9trftgnV89

cew9hmdVTb

Why these passwords are genuinely secure

Generation uses unbiased random sampling via PHP's random_int(), which calls into the OS CSPRNG (/dev/urandom on Linux, equivalents on other OSes), with rejection sampling that avoids the modulo bias many artisan generators get wrong: every character has probability exactly 1/|charset|. On 20 ASCII characters the real entropy is 128 bits. For comparison, a "strong" password picked by a human typically has 30-50 bits of entropy and is brute-forceable in hours on modern GPUs. The passwords served on the page exist only in the HTML sent to your browser: they are not logged, not persisted anywhere, and do not survive page reload.

Frequently asked questions

How long is a truly secure password in 2026?

Personal accounts: at least 16 ASCII characters (roughly 100 bits of entropy). SSH servers, API keys, admin accounts: 24-32 characters. The real security factor is total entropy, not character class: a 30-char ASCII password is more secure than a 12-char password with 'mandatory symbols'.

Why don't the passwords contain '0', '1', 'l', 'I', 'O'?

Visual ambiguity. If you have to read or type the password by hand (on mobile, on a serial console, on a remote terminal), lookalike characters cause errors. Excluding 5 chars out of 94 only changes per-char entropy by ~0.08 bits, negligible compared to total length.

Are generated passwords logged or sent anywhere?

No. The PHP that generates passwords runs server-side in an isolated process, doesn't log output, doesn't store anywhere. Every page reload produces 120 fresh passwords that only exist in the HTML served to you. HTTPS always.

Is random_int() really secure?

Yes. In PHP 8.x, random_int() internally uses the OS CSPRNG (/dev/urandom on Linux, equivalents on other OSes): the same entropy source that backs standard cryptographic tooling. The implementation applies rejection sampling to avoid modulo bias, a critical detail many artisan generators get wrong and which leads to non-uniform character distributions across the charset.

Can I use these passwords for encryption or API keys?

For account and service passwords they are fit for purpose. For cryptographic keys (AES, RSA, ECDSA) no: keys must be generated directly with the crypto library that will use them, in the format and length specific to the algorithm. Using an ASCII password as a crypto key introduces an unnecessary KDF derivation, typically done wrong.

What if I work at a company where passwords are shared in an Excel file?

Very common, very risky, very fixable. Migrating to an enterprise password manager (self-hosted Bitwarden, 1Password Business, Vaultwarden) takes 2-3 days of setup + training. If you want a structured path for your SMB, get in touch: this is one of the areas I work on regularly.

Password hygiene at your company is a mess?

If your SMB still uses shared passwords in Excel, reused credentials across services, or lacks a centralized password manager, the compromise risk is high and measurable. I offer targeted consulting on enterprise password policy, migration to self-hosted password managers (Vaultwarden/Bitwarden), and audit of service credentials in use. 20+ years backend + applied cybersecurity.

Talk to me about password security