How long should my password be?

20 characters is the modern default for most accounts. For a password manager master password that you cannot easily reset, 25 to 30 characters with a long passphrase is safer. Length adds entropy faster than any character class.

Should I use symbols or stick to alphanumeric?

Both work if the length is sufficient. Symbols add a bit of entropy per character, but they also break some legacy systems. If you can use symbols, do. If not, just add a few more characters.

Is the generator predictable?

No. The output uses the browser's cryptographic random generator. An attacker watching every keystroke cannot predict what you will get on the next click.

Can I generate a passphrase instead?

Yes. The passphrase mode picks words from a curated list and joins them with separators. A 5-word passphrase is roughly as strong as a 15-character random password and is far easier to type.

Is my password sent anywhere?

No. Generation runs locally in your browser. The Network tab will show zero outbound requests during generation, and the password is never stored.

Password Generator — Free Online Tool

Generate strong, configurable passwords in your browser. Toova lets you pick length and complexity rules, exclude ambiguous characters, and create passphrases or random strings — all without ever sending the result to a server.

Length matters more than complexity

A 16-character password from a mixed alphabet is stronger than a 12-character one with required symbols. Toova defaults to 20 characters because that is the modern sweet spot for entropy versus typing pain — but the slider goes higher when you need stronger keys for a vault or root account. Length is the single most important factor in resisting brute-force attacks, more than any specific character class rule.

Character classes and exclusions

Toggle lowercase, uppercase, digits, and symbols independently. Pick a custom symbol set for environments that reject certain characters (databases, legacy systems, copy-pasted into shells). Exclude ambiguous characters — 0/O, 1/l/I, |/I — for passwords that humans will read or type. The generator never includes a class that is toggled off, and respects minimum counts per class when you set them.

Cryptographically random, locally

Every password is drawn from the browser's secure random source, the same one used to derive TLS session keys. The output is unpredictable and not derived from any guessable seed. Generation runs entirely in your browser — no API call, no logging, no analytics on the password itself. You can verify zero outbound requests in DevTools while you generate.

Frequently Asked Questions

How long should my password be?: 20 characters is the modern default for most accounts. For a password manager master password that you cannot easily reset, 25 to 30 characters with a long passphrase is safer. Length adds entropy faster than any character class.
Should I use symbols or stick to alphanumeric?: Both work if the length is sufficient. Symbols add a bit of entropy per character, but they also break some legacy systems. If you can use symbols, do. If not, just add a few more characters.
Is the generator predictable?: No. The output uses the browser's cryptographic random generator. An attacker watching every keystroke cannot predict what you will get on the next click.
Can I generate a passphrase instead?: Yes. The passphrase mode picks words from a curated list and joins them with separators. A 5-word passphrase is roughly as strong as a 15-character random password and is far easier to type.
Is my password sent anywhere?: No. Generation runs locally in your browser. The Network tab will show zero outbound requests during generation, and the password is never stored.

Strong Password Generator

Length matters more than complexity

Character classes and exclusions

Cryptographically random, locally

Frequently Asked Questions