iGotTools

Generate Strong Passwords and Tokens

A strong password generator that runs in your browser. Create passwords, passphrases, and hex tokens with Web Crypto and never send your secret to a server.

Developer tools

A password you can remember is usually a password someone can guess — and a password reused across sites is a breach waiting to happen. The fix is to let a generator produce long, random secrets for you, and to store them in a password manager so you never have to recall them. The Password & Token Generator builds passwords, passphrases, and hex tokens locally with Web Crypto, so the value is created on your device and never touches a server.

TL;DR

You can produce strong, random secrets without trusting any website with them.

  • Three modes in one tool — passwords, memorable passphrases, and hex tokens for API keys.
  • Nothing uploaded — generation runs entirely in your browser through the Web Crypto API.
  • Strength you can see — each value gets an entropy-based Strength readout (Weak / Good / Strong).

What makes a password strong

Strength comes from two things working together: length and unpredictability. Of the two, length matters far more than sprinkling in symbols.

  • Length is the dominant factor. Every extra character multiplies the number of possibilities an attacker must search. A 16-character random password is astronomically harder to crack than a cleverly chosen 8-character one. NIST guidance pushes toward longer secrets — 15+ characters is a reasonable floor for important accounts.
  • Randomness beats human choice. People “add a number and a symbol” in predictable places (Password1!), which attackers know. True randomness — each character drawn independently — is what makes a value hard to guess.
  • Entropy measures it. Entropy, in bits, is roughly log2(charset size) × length. The tool computes this for you and maps it to Weak / Good / Strong. More characters and a larger character set both raise entropy.

The practical rule: make it long, make it random, make it unique per site, and let a manager remember it.

Password vs passphrase vs token

The generator offers three modes, and each suits a different job:

  • Password — a string of random characters (lowercase, uppercase, numbers, symbols). Best when a machine stores it for you. Long and dense equals strong; the downside is it’s untypeable, which is fine because you’ll paste it.
  • Passphrase — several random words joined by a separator (default -, e.g. canyon-ember-river-quartz). Four or more random words are both memorable and strong, because the word list is large and each word adds significant entropy. This is the best choice for a master password or anything you must type and remember.
  • Token — a lowercase hex string (the characters 0–9 and a–f). Tokens are for machine-to-machine secrets: API keys, client secrets, session identifiers. They’re not meant to be typed by humans; they’re meant to be copied into a config file.

Pick password for everyday accounts, passphrase for something you’ll hold in your head, and token for programmatic credentials.

Step-by-step: generate a secret

Open the Password & Token Generator and follow this flow.

  1. Pick a mode. At the top choose Password, Token, or Passphrase. The controls below change to match.
  2. Set the shape.
    • In Password mode, drag the Length slider (4–128, default 16) and toggle the character sets — Lowercase, Uppercase, Numbers, Symbols, and Exclude ambiguous characters (which drops look-alikes like 0/O and 1/l).
    • In Token mode, set Length (4–128, default 32). Tokens are always lowercase hex; there are no character-set or format options.
    • In Passphrase mode, set Words (3–12, default 4) and type a Separator (up to 4 characters, default -).
  3. Set the Count (1–50) if you want several values at once.
  4. Press Generate. The results appear in a list. Each value shows a Strength label — Weak, Good, or Strong — based on its entropy.
  5. Copy what you need. Use the per-row Copy to grab one value, Regenerate to redraw a single row, Copy all for everything, or Clear to start over.

If your browser lacks Web Crypto (rare, but possible in insecure contexts), the tool disables generation with a warning rather than falling back to a weak random source.

Why local generation matters

Generating a password “online” usually means the website’s server produces it and sends it back to you — which means the server saw it. Even honest sites log requests; compromised or malicious ones can record every value they generate. That copy, sitting in a log somewhere, defeats the entire purpose of a strong password.

The Web Crypto API (crypto.getRandomValues) flips this: the randomness is produced inside your browser and the finished value goes straight to your clipboard. There is no request carrying the secret, no server that ever sees it, and no log entry to leak. For something you’ll trust with an account, that’s the property you want.

Limits and honesty

A few constraints worth knowing, so the tool is what you expect:

  • Token mode is hex-only. Tokens are always lowercase hexadecimal (0123456789abcdef). There are no uppercase, braces, or hyphen-format toggles — if you need a different format, transform the hex after copying.
  • Passphrase words come from a fixed list. The 24-word list is short by design (memorable words), so passphrase entropy comes mostly from count, not from a huge vocabulary. Use 4+ words for anything sensitive.
  • Bounded ranges. Count tops out at 50 per generate, and password/token length runs 4–128. These cover realistic use; the tool isn’t a bulk secrets pipeline.

FAQ

Is it safe to generate passwords online?

It depends entirely on where the generation happens. If a server builds the password and sends it back, that server has seen your secret, and you’re trusting it not to log or leak. This tool generates locally in your browser using Web Crypto, so the value is created on your device and never transmitted. For credentials, local generation is the safe default.

Should I use a passphrase or a password?

Use a passphrase when you need to remember and type it yourself — a master password, a disk-encryption passphrase, a device login. Four or more random words are memorable and strong. Use a password (dense random characters) when a manager stores it and you’ll only ever paste it, since it maximizes entropy per character but is impossible to memorize.

What’s a token versus a password?

A token here is a lowercase hex string meant for machines — an API key, a client secret, a session identifier you paste into a config file. A password is a mixed-character string meant (originally) for humans to authenticate with. Tokens are uniform hex precisely because they don’t need to be typed or remembered, only copied.

How strong is strong enough?

For important accounts, aim for the Strong band — roughly 80+ bits of entropy, which a 16-character password with a full character set or a 5–6 word passphrase comfortably exceeds. For low-stakes logins, Good is acceptable. Avoid Weak for anything you care about; it usually means the value is too short or the character set too narrow.

iGotTools

Start with this tool

Get started