How this password generator works
Every password is built using crypto.getRandomValues(), the cryptographically secure random number generator built into modern browsers. Nothing is ever sent to a server — your password is created and stays on your device.
What makes a password strong?
- Length first. A 16-character password is exponentially harder to brute-force than a 12-character one.
- Variety of characters. Mixing lowercase, uppercase, numbers and symbols multiplies the keyspace.
- True randomness. Avoid words, patterns, or anything tied to you. This generator uses cryptographic randomness — not a predictable algorithm.
- Unique per account. Reusing passwords means one breach compromises multiple accounts. A password manager helps.
Should I exclude similar characters?
If you'll need to type the password by hand or read it aloud, enable Exclude similar to remove characters that look alike (i, l, 1, L, o, 0, O). For passwords pasted into a manager, leave it off — more entropy is better.
Is this safe?
Yes. The password is generated locally in your browser, never transmitted, and not stored. You can verify this by opening your browser's network inspector — you'll see no requests when generating.
How long would it take to crack your password?
The only variable that truly matters is entropy — the number of combinations an attacker must try. It depends on length and character set. Here are rough orders of magnitude for an offline brute-force attack on a modern hash (2026 estimate, ~100 billion guesses per second on a GPU):
- 8 characters (lowercase + digits): cracked in seconds.
- 12 characters (all 4 types): several centuries.
- 16 characters (all 4 types): far beyond the age of the universe.
That's why the default is 16 characters with every type enabled: it puts your password out of reach of any known brute force, without making it unmanageable.
Three mistakes that cancel out a good length
- The human pattern. "Password2026!" is 15 characters but sits in every attack dictionary: length is useless if the structure is predictable. This tool's randomness removes that risk.
- Reuse. A perfect password loses all value if it guards ten accounts: a single breach opens them all. Check your existing passwords with our leak checker.
- Memorising it. A truly random password can't be memorised — that's the point. Hand it to a password manager rather than a sticky note.
Frequently asked questions
Is this password generator really secure?
Yes. It uses crypto.getRandomValues(), the cryptographically secure random source built into modern browsers. The generation happens entirely on your device — nothing is sent over the network, so the password never leaves your browser.
Are the generated passwords stored or sent to a server?
No. SAW TOOLS runs 100% client-side. Your password is generated, displayed and copied locally. We have no backend that could store or log it. You can verify this by opening your browser's network inspector while generating.
What password length should I choose?
16 characters is a strong default for personal accounts. For sensitive accounts (bank, email, password manager master password), use 20 or more. Length matters more than complexity: a 20-character password is exponentially harder to brute-force than a 12-character one.
Can I generate passwords offline?
Yes. Once the page is loaded, the tool works fully offline. The random source is built into your browser, not fetched remotely. You can disconnect from the internet and continue generating passwords.
Do I need to sign up or pay to use this tool?
No. SAW TOOLS is free, requires no account, and has no usage limits. The site is funded by display advertising, not by your data.