Does plaintxt see the passwords I generate?

No. Generation happens 100% in your browser using the Web Crypto API. There is no network request — nothing reaches our servers, ever.

Is this random enough to actually use?

Yes. It uses the Web Crypto API's cryptographically secure generator (crypto.getRandomValues), not Math.random(). It is suitable for real account passwords.

What password length should I pick?

16 characters is a solid floor; 20 or more if the site allows it. With a password manager, length costs you nothing — so go long.

$ plaintxt --gen-password

password generator

strong, random passwords generated entirely in your browser. nothing is sent to a server.

// generate

weak0 bits

length20

lowercase a-z uppercase A-Z numbers 0-9 symbols !@#$ exclude look-alikes (0/O, 1/l)

// generated in your browser offline-safe

this tool uses your browser's built-in cryptographic randomness (crypto.getRandomValues) — the same standard used for real keys. the password is never transmitted, logged, or stored. you can disconnect from the internet and it still works. view source if you don't trust us — that's the point.

// what makes a password strong

length beats complexity. a long random password is exponentially harder to crack than a short "complex" one. aim for 16+ characters and a mix of character types. the number above is entropy — bits of true randomness. more bits = more guesses an attacker needs.

under 40 bits — weak, crackable fast

60–79 bits — strong for most uses

80+ bits — excellent, future-proof

// estimated time to crack

length (full set)	offline attack
8 chars	minutes
12 chars	centuries
16 chars	far past heat-death of the sun
20+ chars	not happening

assumes ~100 billion guesses/sec, all character types.

// tips for staying secure

use a unique password for every account — reuse is how one breach becomes ten.
store them in a password manager (Bitwarden, KeePassXC) — don't memorize, don't reuse.
turn on two-factor authentication wherever it's offered.
longer is stronger: a 20-character random password is overkill in the best way.
never paste a password into a site you reached from an email link — check the URL first.

// faq

Does plaintxt see the passwords I generate?: No. Generation happens 100% in your browser using the Web Crypto API. There is no network request — nothing reaches our servers, ever.
Is this random enough to actually use?: Yes. It uses the Web Crypto API's cryptographically secure generator (crypto.getRandomValues), not Math.random(). It is suitable for real account passwords.
What password length should I pick?: 16 characters is a solid floor; 20 or more if the site allows it. With a password manager, length costs you nothing — so go long.