Password & Hash Generator

Cryptographically secure passwords with instant MD5, SHA-1 & SHA-256 — 100% client-side.

🔒 Nothing leaves your browser. Zero server contact. Ever.

Password Length 16 Hardcoded range: 4–128 characters. Character Sets

A–Z Uppercase a–z Lowercase 0–9 Digits !@#$% Symbols {}[]<> Extended 0–F Hex Only

Avoid Ambiguous Characters Auto-disabled in Hex Only mode — 0 and 1 are valid hex digits, not ambiguous look-alikes there.

Strength —

Generated Password

Hash Outputs — auto-updates on generate

MD5 (32 hex)

SHA-1 (40 hex)

SHA-256 (64 hex)

Hash Any String — paste your own text to hash it instantly

MD5

—

SHA-1

—

SHA-256

—

How Many Passwords max 200

Length

Output Format

Character Sets

A–Z a–z 0–9 Symbols

Generated Output

Configure and click Regenerate…

Bulk mode uses the same cryptographically unbiased randomness as single mode — every password is drawn independently, with no sequential pattern.

⚠️ What This Tool Doesn't Do — Read Before You Rely On It

Hardcoded length limits: passwords are capped at 4–128 characters, and bulk generation is capped at 200 passwords per run. These ceilings aren't configurable — they're there to keep the page fast and lightweight in your browser.
No password-storage hashing: MD5 and SHA-1/256 are fast, general-purpose hash functions for checksums, deduplication, or legacy compatibility. They are not suitable for storing real user passwords. A real system should use a slow, salted algorithm like bcrypt, scrypt, or Argon2 on the server — this tool does not and cannot do that for you.
No custom salt field: an earlier version of this tool let you type a fixed "salt" prefix into the password itself. We removed it — a real cryptographic salt must be random, unique per credential, and stored alongside the hash server-side. A static value typed into a browser field doesn't provide that protection, and keeping the field would have implied a security guarantee this tool can't deliver.
Requires a secure context (HTTPS) for SHA-1/SHA-256: those hashes use the browser's native Web Crypto API, which browsers only expose over HTTPS (or localhost). If you ever load this page over plain HTTP, SHA-1 and SHA-256 fields will show "Unavailable" instead of silently failing. MD5 still works either way, since it's implemented in plain JavaScript rather than relying on that API.
Clipboard copy isn't guaranteed: some browsers block clipboard access without a secure context or explicit permission. The Copy buttons fall back to a legacy copy method automatically; if both fail, the button will flash to indicate the copy didn't go through so you're never left thinking something copied when it didn't.
Nothing is saved: there's no history, no storage, no account. Refresh the page and everything generated here is gone for good — copy or download what you need before you navigate away.
Entropy is a theoretical estimate, not a crackability guarantee: the bits-of-entropy figure assumes the password is used nowhere else and isn't part of a leaked dataset. It does not check against breached-password lists or common patterns.

About This Tool

All generation and hashing happens entirely in your browser using the Web Crypto API and a locally-run MD5 implementation. No data is sent anywhere, no logs are kept, and refreshing the page clears everything.

Why use the Web Crypto API for randomness?

crypto.getRandomValues() draws from OS-level entropy — far stronger than Math.random(), which is predictable. We also apply rejection sampling on top of it so every character in your password is equally likely, with no statistical bias toward any particular character.

MD5 vs SHA-256 — which should I use?

MD5 and SHA-1 are broken for security purposes — use them only for checksums or compatibility with legacy systems. SHA-256 is the modern standard for data integrity and is the one to reach for by default.

What is a salt, really?

A salt is a random value unique to each password, combined with it before hashing so identical passwords never produce identical hashes — this is what defeats rainbow-table attacks. It has to be generated randomly and stored server-side per credential; see the limitations section above for why this tool doesn't offer a salt field.

What does the entropy score mean?

Entropy (bits) = log2(charset size) × length. Above 60 bits is generally considered strong, and above 100 bits is effectively unbreakable with current hardware. A 16-character password mixing letters, digits, and symbols lands around 100 bits.

Bulk mode use cases

Generate one-time tokens, API keys, test-data seeds, or temporary user passwords in seconds. Export as CSV — passwords containing commas or quotes are automatically quoted so the file still opens cleanly in a spreadsheet.

Custom string hasher

Quickly verify checksums, hash text for comparison, or test your own hashing pipeline without leaving the page. Supports UTF-8 input, including non-English characters and emoji.