The scenario that made me think about this
I was setting up a shared AWS IAM user for a contractor. The contractor needed temporary access to a specific S3 bucket for two weeks, after which the account would be disabled. I needed to generate a strong password, share it with the contractor over Slack, and also store it somewhere so I could verify it if needed.
My password manager (1Password) could generate the password — but do I store this in my personal vault or the shared team vault? The contractor gets access to their own copy, but now there are two copies, and neither is the right long-term home for a temporary credential. I ended up generating it with the browser generator, storing a note in our team wiki with a reference, and revoking the IAM user entirely after two weeks rather than managing an orphaned credential in a password manager.
What a password manager actually does
Password managers solve the problem of remembering and auto-filling passwords across devices and browsers. Their core value is:
- You have one master password to remember. All others are generated and stored for you.
- The browser extension detects login forms and fills credentials automatically. No copy-pasting.
- Credentials sync across your devices via an encrypted vault. Change a password on your laptop, it appears on your phone.
- They alert you when a stored password is found in a breach database.
Password managers are the right choice for personal accounts you log into regularly — your email, your banking app, GitHub, your streaming services, everything in your personal digital life.
What a browser password generator does
A browser password generator (like the one on this site) generates a cryptographically random password on demand, shows it to you, and does nothing else. It does not store the password. It does not remember the site it was for. It does not sync. It does not auto-fill.
Technically, the randomness comes from window.crypto.getRandomValues(), which is the browser's cryptographically secure pseudorandom number generator (CSPRNG) — the same entropy source used by cryptographic libraries. The output is as random as anything a password manager generates.
Five scenarios where the browser generator is the right tool
1. Temporary credentials you'll revoke
Contractor access, test accounts, staging environment credentials, temporary API keys for a one-time integration. These are credentials with a defined end-of-life. Storing them in a password manager creates clutter and risk — you'll forget to delete them, they'll sit in your vault long after the account is deactivated, and they'll confuse your breach monitoring with false positives.
Better: generate the password in the browser, share it via your team's secure channel, revoke it on schedule, and never enter it into any vault.
2. Shared credentials that belong in a team wiki or secrets manager, not a personal vault
Shared service accounts — a social media login for a marketing team, a shared email inbox password, a WiFi password for an office — shouldn't live in anyone's personal password manager. They belong in a team vault (1Password Teams, Bitwarden for Business) or a proper secrets manager (AWS Secrets Manager, HashiCorp Vault). If you're in a situation where the right home for the credential isn't your personal vault, generate the password first, then put it where it belongs.
3. Someone else's account you're helping set up
Helping a parent set up their first email account, onboarding a new team member, resetting credentials for a user. You generate the password, hand it to them, and they put it in their own password manager or change it on first login. This password should never enter your vault — you don't own the account.
4. A device or system with no password manager installed
A new laptop before you've installed your tools, a work computer with restricted software installs, a shared computer. The browser generator works anywhere a browser works — no install, no account, no delay.
5. Generating a master password for a new password manager
You can't store your password manager's master password in your password manager. When setting up a new vault, generate the master password using the browser tool with maximum length and complexity, write it down on paper, and store the paper somewhere secure (a locked drawer, a safe, or handed to a family member for emergency access). This is the one password worth writing down.
Password strength: what actually matters
Both browser generators and password managers produce strong passwords, but it's worth understanding what "strong" means numerically:
| Password type | Entropy | Brute force (1B guesses/sec) |
|---|---|---|
| 8-char lowercase only | ~38 bits | 5 minutes |
| 12-char mixed (upper, lower, digits) | ~71 bits | 74 years |
| 16-char mixed with symbols | ~104 bits | Heat death of the universe |
| 20-char mixed with symbols | ~130 bits | Irrelevant |
Any password over 16 characters with mixed character types is practically uncrackable by brute force. The threat for most people is not brute force — it's phishing, reuse across sites, and breached databases. A password manager protects against reuse (every site gets a unique password). A browser generator gives you a strong, unique password for the specific session — you still need to handle storage and reuse risk yourself.
One thing password managers do that generators can't
Password managers can detect when you're on a phishing site — if you saved a credential for paypal.com and the extension sees you're on paypa1.com, it won't auto-fill. This is a meaningful phishing defense. Browser generators don't help here at all; they have no concept of which site a password belongs to.
My actual setup
I use 1Password for personal accounts and recurring logins. I use the browser generator for temporary credentials, contractor access, accounts I'm setting up for other people, and any password that's going directly into a secrets manager rather than a vault. Both tools are useful; the mistake is using the wrong one for the job.
Generate a password now with the password generator — set to at least 16 characters with symbols enabled.
Related tools
- Password Generator — cryptographically random passwords up to 128 characters, with symbols, digits, uppercase, or any combination.
- Password Strength Checker — check how strong an existing password is against common attacks.
- Hash Generator — generate SHA-256 or bcrypt hashes for passwords before storing them in a database.
Written by Achraf A., founder of TheFreeAITools — built in Morocco. I use 1Password personally; this article is not sponsored by any password manager.