Everything runs on your machine — your input is processed right here in your browser and never uploaded to any server.

Database Password Generator

Default policy: validate_password MEDIUM — servers may be configured stricter. · Entropy ~97 bits

About this tool

A database password is the one secret you should never type into a random website — most online generators produce the password on their server, or at least could. This one is different by construction: the password is generated by your own browser with the cryptographically secure crypto.getRandomValues API, validated locally, and never transmitted anywhere.

It also knows what databases actually demand. Pick MySQL, PostgreSQL, SQL Server, or MongoDB and every generated password satisfies that engine's default policy — and the checker shows rule-by-rule why any password passes or fails. The connection-string safe mode avoids the characters (@ : / ? # and friends) that silently break Mongo URIs, SQL Server connection strings, and shell exports.

How to use

  1. Pick your database — the policy checklist and defaults adjust to it.
  2. Set the length and, if the password will live in a connection string or shell variable, keep the safe-characters option on.
  3. Copy the generated password, or regenerate for a fresh one — the checklist below confirms it against the selected policy.
  4. To audit an existing password, paste it into "Check a password" — each policy rule shows an individual pass or fail, and the optional username field powers the "must not contain the account name" rules.

Generation and validation run entirely in your browser tab. No password, generated or pasted, is ever sent, stored, or logged anywhere — turn off your network and the tool keeps working.

Frequently asked questions

Which policies exactly are validated?

The engine defaults: MySQL's validate_password MEDIUM level, PostgreSQL's passwordcheck module, SQL Server's Windows CHECK_POLICY complexity, and MongoDB Atlas's minimum length plus URI-safe characters. Deployments can be configured stricter — the tool tells you which baseline it is checking.

Why do some characters break connection strings?

Characters like @ : / ? # [ ] have structural meaning in connection URIs, and ; or quotes break key-value connection strings and shell commands. They are legal in passwords but must be escaped everywhere they are used — the safe mode simply avoids them so the password works pasted anywhere.

How strong are the generated passwords?

They are drawn uniformly (rejection sampling, no modulo bias) from your browser's cryptographic random source, with the entropy shown in bits: a 16-character password from the full character set carries roughly 100 bits — far beyond any practical guessing attack.