The free Vivlab password generator creates random, secure passwords right in your browser.
Pick the length and the characters: nothing is sent over the web.
Your password
Strength
Strong
How it works
Slide the cursor between 8 and 64 characters: the longer it is, the harder the password is to crack.
Turn on uppercase, lowercase, digits and symbols depending on what the site accepts.
A new password appears with every change; copy it in one click or roll again if you need to.
A password's strength doesn't come from one fancy character, but from the number of possible combinations. The longer it is and the more it mixes character types, the harder it gets to guess or crack.
Each extra character multiplies the number of combinations an attacker has to try. Aim for at least 16 characters: that often beats adding a symbol to a password that's too short.
Mixing uppercase, lowercase, numbers and symbols raises the entropy, meaning how unpredictable the password is. The higher the entropy, the lower the odds that a brute-force attack will succeed.
If a site gets hacked and you reuse the same password elsewhere, all of your accounts are suddenly at risk. A different password for each service keeps the damage to a single account.
Your password is created right in your browser, using a secure random generator. It's never sent to or stored on a server.
With two-factor authentication (MFA), a stolen password isn't enough on its own. A second proof is asked for at login: a code from an authenticator app, or a confirmation on your phone. Turn it on as soon as a service offers it.
A passkey replaces the password entirely with a cryptographic key tied to your device, unlocked by your fingerprint or your face. Nothing to memorize, nothing to type, and phishing stops working since there's no secret to steal.
Tip: since you can't memorize a unique, complex password for every service, use a password manager. It stores them encrypted and fills them in for you: all you have to remember is one master password.
A well-chosen password no longer protects you if the site holding it was hacked. Have I Been Pwned tracks known data breaches. Enter your email address to see whether it shows up in a leak, then change the affected passwords.
Frequently asked questions
How long should it be?
Aim for at least 12 characters, and 16 or more for a sensitive account like email or banking. Each extra character multiplies the number of possible combinations, so lengthening the password protects far more than adding a single symbol.
Is the draw really random?
Yes. The tool relies on crypto.getRandomValues, your browser's random generator built for cryptography, rather than an ordinary chance function. Each character is drawn independently from the set you ticked.
Is my password sent anywhere?
No, it is made locally in your browser and sent to no server. Nothing is stored: refresh the page and it's gone, which lets you copy it straight into your password manager.
Can I reuse the same password?
Better not. If one site is breached, a reused password opens the door to all your other accounts. Generate a different one per service and hand them to a password manager rather than your memory.
Why are symbols off by default?
Some sites still reject special characters or limit which ones they accept. Leaving them optional avoids a nasty surprise at submit time; tick them as soon as the service allows it, since they add strength.
Keep exploring