Password Generator
Generate cryptographically secure passwords for your apps, services, and infrastructure. 100% client-side, powered by Web Crypto API. Nothing leaves your browser.
DID YOU KNOW?
According to Have I Been Pwned, over 24 billion credential pairs have been leaked. The most common password in breaches is still '123456'. A cryptographically random 20-character password has never appeared in any known breach database.
A password generator built for developers
Why developers need a password generator
Developers don't just need passwords for email accounts. You need them for database credentials, admin panels, service accounts, staging environments, and CI/CD pipelines. Each one needs to be unique, random, and strong. A password generator removes the temptation to reuse 'admin123' across your dev, staging, and production environments. Generate once, store in a vault, and never think about it again.
Understanding password entropy
Entropy measures how unpredictable a password is, in bits. A 20-character password using uppercase, lowercase, numbers, and symbols has ~130 bits of entropy — meaning an attacker would need to try 2¹³⁰ combinations to guarantee cracking it. For reference: 40 bits is crackable in seconds, 60 bits takes days, 80 bits takes years, and 128+ bits is computationally infeasible with current hardware. This generator shows the exact entropy so you can make informed decisions, not guess.
Passwords vs API keys vs tokens
Not all secrets are the same. Passwords authenticate humans to services. API keys authenticate applications to APIs — they're typically longer, alphanumeric, and often prefixed (sk_live_, ghp_). JWT secrets sign tokens and need high entropy (256+ bits). Encryption keys protect data at rest and must be exact sizes (128 or 256 bits for AES). Each type has different requirements. Coming soon: dedicated generators for API keys, JWT secrets, and encryption keys.
Stop committing secrets to .env files
Every developer has done it: generated a password, pasted it into a .env file, and accidentally committed it to git. Even if you .gitignore your .env, the file lives unencrypted on your disk, gets copied between machines, and has no audit trail of who accessed it. SecureCodeHQ encrypts every secret with AES-256-GCM, logs every access, and lets Claude Code read them via MCP without ever exposing values in the conversation.
Password generator FAQ
Use a cryptographically secure random number generator like the Web Crypto API (crypto.getRandomValues), which this tool uses. Never use Math.random() — it's predictable and not suitable for security. Maximize length (20+ characters), include all character types, and don't modify the result to make it easier to remember.
It depends on the threat model. For online accounts with rate limiting, 40-60 bits is often sufficient. For offline attacks (like cracking a hashed password dump), aim for 80+ bits. For secrets that protect other secrets (like a master password or JWT signing key), 128+ bits is recommended. This generator shows the exact entropy so you can calibrate to your needs.
For local development, .env files are convenient but risky. They're unencrypted, easy to accidentally commit to git, and have no access logging. For production, never use .env files. Use a secrets manager like SecureCodeHQ that encrypts values, provides audit trails, and integrates with your development tools.
Passwords authenticate humans and are typically shorter (12-32 characters). API keys authenticate applications and are usually longer (32-64 characters), alphanumeric, and often include a prefix like 'sk_live_' to identify the service. API keys don't need to be memorizable — they should be stored in a vault and accessed programmatically.
Yes. The Web Crypto API uses the operating system's cryptographic random number generator (like /dev/urandom on Linux or CryptGenRandom on Windows). It's the same source of randomness used by TLS, SSH, and other security protocols. Every major browser implements it, and it's the recommended way to generate secure random values in JavaScript.
SecureCodeHQ provides an MCP server that Claude Code can use to read your secrets securely. The values are never exposed in the AI conversation — they're injected into temporary files that Claude references by path. Every access is logged with timestamps, IP addresses, and the AI model used. You set it up once with 6 lines of config.
Yes. This generator runs 100% in your browser using the Web Crypto API. No passwords are sent to any server, no network requests are made during generation. Once the page is loaded, you can disconnect from the internet and continue generating passwords. You can verify this by checking your browser's Network tab.
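The generation method and entropy figure described above, as an added example (not this tool's own source code): characters are drawn with crypto.getRandomValues using rejection sampling so every character is equally likely, and entropy is computed as length × log2(alphabet size). The character sets and the function names (uniformIndex, buildAlphabet, generatePassword, entropyBits) are assumptions made for illustration.

```javascript
// Added example. Browsers and current Node expose Web Crypto as globalThis.crypto;
// the require() fallback is only reached on older Node versions.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed character sets (assumption: the page does not list the tool's symbols).
const CHARSETS = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digits: "0123456789",
  symbols: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", // 32 printable ASCII symbols
};

// Join the selected sets into one alphabet. Duplicate names are dropped so the
// alphabet size (and therefore the entropy estimate) is not overstated.
function buildAlphabet(sets) {
  const names = [...new Set(sets)];
  if (names.length === 0) throw new RangeError("select at least one character set");
  return names.map((name) => {
    if (!Object.hasOwn(CHARSETS, name)) throw new RangeError(`unknown character set: ${name}`);
    return CHARSETS[name];
  }).join("");
}

// Uniform integer in [0, n) by rejection sampling: bytes at or above the largest
// multiple of n that fits in 256 are discarded, so `byte % n` has no modulo bias.
function uniformIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  for (;;) {
    webCrypto.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n;
  }
}

function generatePassword(length, sets = Object.keys(CHARSETS)) {
  if (!Number.isInteger(length) || length < 1) throw new RangeError("length must be a positive integer");
  const alphabet = buildAlphabet(sets);
  let out = "";
  for (let i = 0; i < length; i++) out += alphabet[uniformIndex(alphabet.length)];
  return out;
}

// Entropy in bits of a uniformly random string: length * log2(alphabet size).
function entropyBits(length, sets = Object.keys(CHARSETS)) {
  return length * Math.log2(buildAlphabet(sets).length);
}
```

With all four sets the alphabet has 94 characters, so a 20-character password comes out at about 131 bits, in line with the ~130 bits quoted above. The entropy figure only holds if the output is used unmodified, since every character is assumed to be an independent uniform draw.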
Generated a password? Don't paste it in a .env file.
SecureCodeHQ encrypts and organizes your passwords, API keys, and tokens. Access them from Claude Code via MCP, your browser, or the TypeScript SDK.