Generate a password
Use a password manager for generated passwords that are hard to memorize.
Password preset, length 20, lowercase + uppercase + numbers + symbols
A 20-character random password
Generate random strings for passwords, API-style tokens, hex values, Base64URL-safe identifiers, or custom alphabets without sending the generated value to a server. Generation uses the browser Web Crypto API, and the default Movement mode mixes local pointer movement into fresh random bytes.
Runs locally in your browser. Generated values, settings, and movement samples are not uploaded.
Mode: Movement-assisted Web Crypto
Alphabet size: 88
Length: 20
Estimated entropy: 129.2 bits per string
Movement blocks: 3 (7 + 7 + 6 characters)
Current green zone: 421 movement complexity points
Movement samples are mixed locally and discarded after each block.
Copy patterns and edge cases worth checking.
Base64URL-safe strings are useful when a token must fit cleanly in URLs or config values.
Base64URL preset, length 32
A 32-character token using A-Z, a-z, 0-9, hyphen, and underscore
Short answers before you paste real data.
No. Generation uses crypto.getRandomValues from the browser Web Crypto API. Character selection uses rejection sampling to avoid modulo bias.
No. Movement mode mixes local pointer samples with fresh Web Crypto bytes. The browser cryptographic random source remains the main source of security.
No. Generated values, custom alphabets, settings, and movement samples stay in the browser session and are not sent to servers or external APIs.
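The rejection sampling and entropy estimate described above can be sketched as follows. This is an added example, not the tool's own code: the function names, the injectable fillRandom parameter, and the one-byte-per-character approach are assumptions, and Movement mode is not modeled.

```javascript
// Added example: unbiased character selection with Web Crypto.
// Names and the fillRandom parameter are assumptions for illustration.
const webCrypto = globalThis.crypto ||
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Largest multiple of n within a byte's 256 values. Bytes at or above this
// limit are rejected, because mapping them with % n would make the first
// (256 % n) characters of the alphabet slightly more likely (modulo bias).
function rejectionLimit(n) {
  if (!Number.isInteger(n) || n < 2 || n > 256) {
    throw new RangeError("alphabet must contain 2 to 256 distinct characters");
  }
  return 256 - (256 % n);
}

function randomString(length, alphabet,
                      fillRandom = (buf) => webCrypto.getRandomValues(buf)) {
  // De-duplicate so a repeated character does not get extra weight.
  const chars = Array.from(new Set(alphabet));
  const limit = rejectionLimit(chars.length);
  const out = [];
  const buf = new Uint8Array(Math.max(16, length * 2));
  while (out.length < length) {
    fillRandom(buf); // fresh random bytes on every pass
    for (const b of buf) {
      if (b >= limit) continue; // reject instead of wrapping around
      out.push(chars[b % chars.length]);
      if (out.length === length) break;
    }
  }
  buf.fill(0); // do not leave used random bytes in the buffer
  return out.join("");
}

// Entropy of a uniformly chosen string: length * log2(alphabet size).
function estimatedEntropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

const BASE64URL =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
console.log(randomString(32, BASE64URL));
console.log(estimatedEntropyBits(20, 88).toFixed(1), "bits");
```

With an 88-character alphabet the limit is 176, so bytes 176 to 255 are discarded and redrawn; a 64-character alphabet divides 256 evenly and rejects nothing.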