Random Alphanumeric Password Generator
Why alphanumeric?
Alphanumeric passwords use 62 characters (26 lowercase + 26 uppercase + 10 digits) and are the most widely accepted format across systems. They avoid special characters that can cause issues with URL encoding, JSON strings, shell commands, CSV files, and older systems that don't handle symbols correctly.
With 62 possible characters per position, a 16-character alphanumeric password provides approximately 95 bits of entropy — more than sufficient for virtually any application.
Password strength
With a character set of 62, entropy scales with length:
| Length | Entropy | Possible combinations | Time to crack |
|---|---|---|---|
| 8 | ~48 bits | 218 trillion | Hours |
| 12 | ~71 bits | 3.2 × 10²¹ | Centuries |
| 16 | ~95 bits | 4.8 × 10²⁸ | Millennia |
| 32 | ~190 bits | 2.3 × 10⁵⁷ | Heat death of universe |
Crack times assume 100 billion guesses per second.
Use cases
- API keys and secret tokens for web services
- Database passwords that appear in connection strings
- Environment variables and configuration secrets
- URL-safe tokens for password reset links
- Session identifiers and authentication tokens
- General-purpose passwords for any account
How it works
- Your browser generates cryptographically secure random bytes using the Web Crypto API
- Each byte is mapped to one of 62 characters (a–z, A–Z, 0–9) using modular arithmetic
- Characters are assembled into a password of your specified length
- The password exists only in your browser — nothing is sent to any server
Frequently asked questions
Why avoid special characters?
Special characters can break in certain contexts: shell scripts interpret $, !, and & as operators; URLs require percent-encoding for most symbols; some databases and APIs mishandle backslashes or quotes. Alphanumeric passwords avoid all these issues.
Is alphanumeric less secure than full-character?
Slightly, per character — but the difference is small. A 16-character alphanumeric password (~95 bits) is roughly equivalent to a 15-character full-charset password (~97 bits). Adding one more character more than compensates.
What length should I use for API keys?
32 characters is standard for API keys and tokens. This gives ~190 bits of entropy — far beyond what any brute-force attack could crack. For less sensitive tokens, 16 characters is sufficient.
Privacy and security
Your generated passwords never leave your device. This tool runs entirely in your browser using client-side JavaScript — no API calls, no server logs, no cookies, and no tracking of generated passwords. The source code is fully transparent and can be inspected in your browser's developer tools.