Is it safe to use an online password generator?
It depends on one thing, and you can check it yourself in five seconds.
A password generated on your device, not ours
The question that actually decides it
Not "is this site reputable?" but: does the password come from your browser, or from their server? If a server generates it, that server saw your password. It may not log it. It may be run by careful people. But the secret existed, in plaintext, on a machine you do not control and cannot inspect, and it travelled back to you over a wire. No privacy policy converts that into a guarantee. If your browser generates it, the value never had to exist anywhere else — and that is a property you can verify rather than a promise you have to believe.
How to tell, in five seconds
Turn off your wifi and press generate. A client-side generator keeps working. A server-side one cannot. That single test cuts through every claim on every one of these sites, including ours — try it on this page right now.
The thorough version: open your browser's developer tools, go to the Network tab, and press generate. You should see no request. On this site you will see none at generation time; on page load you will see our self-hosted, cookie-less analytics, which counts page views and which generator type gets copied, and never a generated value. We would rather tell you that than claim a zero we do not have.
This is not hypothetical
The second-ranking result for "random password generator" today is RANDOM.ORG, which generates server-side — and to its considerable credit, it says so plainly and advises you not to use it for anything important: its own guidance is that the best practice is not to let anyone but yourself generate your most important passwords. That is an honest site giving correct advice about its own architecture. Take it: the advice is right, and the reason it is right is precisely the one above. Most sites in the same position simply don't mention it.
The residual risk, stated plainly
Client-side generation does not make the question disappear, it moves it. You are trusting that the JavaScript this page served you does what it claims — and the page is re-fetched every visit, so "I checked it last month" is not a proof. A malicious operator, or anyone who compromises the DNS or the CDN, could serve different code tomorrow. This is a real limit and you should hear it from us rather than discover it: it is exactly why the SSH page tells you to prefer ssh-keygen for a production key, and why we will never publish a crypto-wallet seed phrase generator. The threat model scales with the value of the secret.
So what should you do?
For everyday passwords, use your password manager's built-in generator — it is client-side, it is audited, and it fills the password in for you, which also protects you from phishing. That advice costs us traffic and it is still the right advice. Use a site like this one when you need a shape a manager does not offer: a hex secret, a base64 key, a JWT signing secret, a UUID. For a secret protecting something irreplaceable, generate it locally with a tool you installed. And whatever you pick — try the wifi test first.
Is it safe to use an online password generator?
It depends entirely on one thing: whether the password is generated in your browser or on the site's server. If a server generates it, that server saw your password in plaintext and no privacy policy changes that. If your browser generates it, the value never had to exist anywhere else — and you can verify which one you are dealing with rather than trusting a claim.
How can I tell if a generator is really client-side?
Turn off your wifi and press generate. A client-side generator keeps working; a server-side one cannot. For the thorough version, open your browser's Network tab and press generate — you should see no request at all. That test works on any site, including this one.
Is a password manager's generator better?
For everyday passwords, yes — and we will say so even though it costs us traffic. It is client-side, it is audited, and it fills the password in for you, which also protects you from phishing. Use a site like this one for shapes a manager does not offer: hex secrets, base64 keys, JWT signing secrets, UUIDs.
What's the catch with client-side generation?
You are trusting that the JavaScript served to you does what it claims, and the page is re-fetched on every visit — so "I checked it last month" proves nothing about today. A malicious operator, or anyone who compromises the DNS or CDN, could serve different code tomorrow. That is why a secret protecting something irreplaceable should be generated locally with a tool you installed.
Nothing leaves your browser
- Don't take our word for it — turn off your wifi. Every generator on this site keeps working with the network disconnected. That's the whole proof, and it takes five seconds.
- Every value comes from
crypto.getRandomValues()— the CSPRNG built into your browser, neverMath.random(). - Generated secrets are never transmitted, logged or stored: no server-side generation, no cookies, no localStorage.
- Verify it yourself in the network tab: after loading, the page only talks to our self-hosted, cookie-less analytics — which counts page views and which generator type gets copied, never any value.
- Strict Content-Security-Policy; no third-party script origins.