Password Generator
Generate strong, random passwords. Everything runs in your browser.
How Secure Password Generation Works
A strong password needs cryptographic randomness, not a JavaScript Math.random() call. Toolkiya uses window.crypto.getRandomValues, the Web Crypto API's CSPRNG, to fill a Uint8Array with random bytes, then maps each byte to a character in the allowed alphabet using rejection sampling so the distribution stays uniform.
You choose the length and which character classes to include (lowercase, uppercase, digits, symbols) and can optionally exclude visually ambiguous characters (0/O, 1/l, I). The generator computes the entropy of the resulting password in bits (length times log2 of the alphabet size) and displays it so you can confirm the password is strong enough for your threat model. Generation happens entirely in your browser, and no password is ever transmitted, logged, or stored.
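The sampling and entropy steps described above, as an added JavaScript example (not Toolkiya's own source). The function names, the injectable `fill` parameter, the 1..1024 length bound and the symbol set are assumptions.

```javascript
// Added example, not Toolkiya's source; every name below is hypothetical.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const CLASSES = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!@#$%^&*()-_=+[]{};:,.<>?", // assumed set; the page does not list its symbols
};
const AMBIGUOUS = new Set("0O1lI"); // the characters the page names: 0/O, 1/l, I

function buildAlphabet(classes, excludeAmbiguous = false) {
  const chars = classes.map((c) => {
    if (!Object.hasOwn(CLASSES, c)) throw new RangeError(`unknown class: ${c}`);
    return CLASSES[c];
  }).join("");
  return [...chars].filter((ch) => !(excludeAmbiguous && AMBIGUOUS.has(ch))).join("");
}

// `fill` defaults to the Web Crypto CSPRNG; it is a parameter only so the
// rejection step can be exercised with constructed bytes.
function generatePassword(length, alphabet, fill = (buf) => webCrypto.getRandomValues(buf)) {
  const n = alphabet.length;
  if (!Number.isInteger(length) || length < 1 || length > 1024) {
    throw new RangeError("length must be an integer in 1..1024");
  }
  if (n < 2 || n > 256) throw new RangeError("alphabet needs 2..256 characters");
  // Largest multiple of n that fits in one byte. Bytes at or above it are
  // discarded; keeping them would make the first (256 % n) characters likelier.
  const limit = 256 - (256 % n);
  const out = [];
  const buf = new Uint8Array(length * 2);
  while (out.length < length) {
    fill(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out.push(alphabet[b % n]);
    }
  }
  return out.join("");
}

// Entropy in bits: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

With a 10-character alphabet the cutoff is 250, so bytes 250 to 255 are thrown away rather than folded back onto the digits 0 to 5.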
When to Generate a Password
Creating a new account on a service that supports a password manager. Rotating credentials after a breach notification. Generating an initial password for a new user before they reset it. Producing a random API key, recovery phrase fragment, or one-time-use share link. Replacing weak passwords flagged by a security audit. Creating throwaway credentials for a test environment.
Why Generate Passwords in Toolkiya
Any password generator that runs on a server is, by definition, a place your future passwords briefly exist on someone else's hardware. Toolkiya generates everything client-side using the browser's Web Crypto API, so the password lives only in your tab's memory until you copy it.
There is no signup, no rate limit, no daily quota, and no logging. The page works offline once loaded — you can disconnect your network, generate a password, and reconnect, and the result is identical. Nothing about the password ever touches a network.
Tips for Strong Passwords
Aim for at least 16 characters with mixed classes, which gives roughly 100 bits of entropy — comfortably beyond brute-force reach. Always store generated passwords in a password manager rather than reusing them. Exclude ambiguous characters only if you will type the password by hand. For high-value accounts, layer the strong password with a hardware security key or TOTP — strength alone does not stop phishing.
Frequently Asked Questions
Are the passwords secure?
Yes. Passwords are generated using crypto.getRandomValues() in your browser. Nothing is sent to any server.
What makes a strong password?
A strong password is at least 16 characters with uppercase, lowercase, numbers, and special symbols.
Built & maintained by Mayank Rai
Solo developer based in Lucknow, India