Zero Signup Tools: Free browser tools

Security Tools

Password Policy Generator

Build a password policy in your browser. Pick rules, get a plain-English document, a regex, an HTML pattern, sample compliant passwords, and a batch tester.

Minimum 12, mixed character classes, block-list.

Length

Character classes

Symbol set

The full ASCII printable symbol set recommended by OWASP. Includes the space character.

Blocked patterns

Three characters or more. Matched case-insensitively. Leave blank to skip this rule.

Policy description

Passwords must be between 12 and 128 characters long. Passwords must include a lowercase letter (a-z), an uppercase letter (A-Z), and a digit (0-9). Passwords must not match a known common or leaked password (case-insensitive, leet variants included).

Regex

JavaScript regex literal

/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,128}$/

HTML pattern attribute

(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,128}
  • The 'block common passwords' rule cannot be expressed compactly as a regex. The tester enforces it in JavaScript. Mirror that check on the server.

HTML snippet

<input
  type="password"
  name="password"
  autocomplete="new-password"
  minlength="12"
  maxlength="128"
  pattern="(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,128}"
  title="Passwords must be 12-128 characters long"
  required
/>

Sample compliant passwords

Generated with crypto.getRandomValues. Use, share, or rotate.

  • ExXLaQd9bgmSw2UM
  • fsfF9mqk35awA6p7
  • 8Vib7mCEC7RSn2D9
  • E6f5jeTa7sD6vr2Z
  • fx9ZQiSCBxc3C9DG

Test passwords

Type a candidate password to see which rules pass and which fail. Nothing is sent anywhere.

How to use

  1. Pick a preset to start (NIST 800-63B, OWASP ASVS, Active Directory, PCI DSS, HIPAA, or strong consumer default) or choose Blank and toggle each rule from scratch.
  2. Tune the length range, the required character classes, the per-class minimum counts, the symbol set, and the blocked-pattern rules (whitespace, common passwords, user-context substring, straight sequences, repeated characters).
  3. Copy the plain-English policy text, the JavaScript regex literal, or the HTML pattern attribute. The HTML snippet section gives you a ready-to-paste <input> with pattern, minlength, maxlength, title, and autocomplete pre-filled.
  4. Click Generate to produce sample compliant passwords with crypto.getRandomValues. Use them as test fixtures or share them with QA. The Count input controls how many you get.
  5. Switch to Test passwords to validate a single candidate or paste a batch list. Each row shows Pass or Fail and the exact rule that failed, with a Copy report button for the tab-separated result.

About this tool

Password Policy Generator turns the choices a security or product team usually argues about (minimum length, character classes, block lists, sequences, repeats) into the four artifacts that actually ship: a plain-English policy document you can paste into a wiki or compliance binder, a regular expression you can drop into client-side or server-side validation, an HTML input snippet with the pattern, minlength, maxlength, autocomplete, and title attributes pre-filled, and a list of sample compliant passwords generated with crypto.getRandomValues so a tester or QA can copy a real password that proves the policy works.

Every rule is configurable: minimum length, maximum length, required lowercase letters, required uppercase letters, required digits, required symbols (with a configurable symbol set, including the OWASP recommended set, an Active Directory complex set, a short URL-safe set, and an alphanumeric-only mode), per-class minimum counts, a whitespace ban, a common and leaked password block list (with case-insensitive matching and a small leet-speak normalization pass), a user-context substring ban (handy when the rule is "the password must not contain the username or email local part"), a straight-sequence ban with configurable length that catches qwerty, 12345, and abcdef, and a repeat-character ban with a configurable limit.

The Test passwords panel runs the rules against a single candidate or a batch list of one-per-line candidates and shows a Pass or Fail badge plus the exact rule that failed for every row, so a security review or a help-desk triage can answer "why does my password not work?" without guessing.

Presets cover the common starting points: NIST 800-63B (the modern minimum 8, no composition, block-list common passwords recommendation), NIST 800-63B Strict (minimum 12), OWASP ASVS Level 1 and Level 2, the Active Directory default complex policy, PCI DSS 4.0, a HIPAA-aligned profile, a strong consumer default, and a blank starting point.

The regex output emits a JavaScript literal with delimiters and flags and the undelimited form the HTML pattern attribute expects (the browser anchors that pattern to the whole value itself), and notes flag the rules that cannot be expressed in a single short regex (block list, straight sequences) so the team knows to mirror those checks on the server.

Useful for sign-up forms, compliance documents, onboarding wikis, security policy generators, AD GPOs, identity providers, password manager corporate policies, and any place where the password rule needs to be written once and applied everywhere. Everything runs locally. The policy, the candidate passwords, the user-context word, and the sample compliant passwords stay in component state and are never uploaded.
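The server-side mirror that the notes above ask for, as an added Node.js example that is not the tool's own code: it applies the generated regex from this page and then the rules the page says a regex cannot express (block list with leet normalization, user-context substring, straight sequences, repeated characters). The block list, the leet map, the keyboard rows and the default sequence/repeat limits are assumptions, not values taken from the tool.

```javascript
// Added example, not the tool's own code: a server-side validator that mirrors the
// generated policy above, including the rules the page notes a regex cannot express.
const POLICY_RE = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,128}$/; // regex literal from the page

// Constructed sample block list; a real deployment loads a leaked-password corpus.
const BLOCK_LIST = new Set(["passwordpassword", "welcomewelcome", "letmeinletmein"]);

// Assumed leet-speak map: candidates are lower-cased and de-leeted before lookup,
// so "P@ssw0rd" and "password" compare equal (case-insensitive, leet variants included).
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };
function normalizeLeet(s) {
  return s.toLowerCase().replace(/[0134578@$]/g, ch => LEET[ch]);
}

// Straight sequences: a run of `len` characters that appears forwards or backwards in
// the alphabet, the digits, or a keyboard row (assumed rows; catches abcdef, 12345, qwerty).
const ROWS = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"];
function hasStraightSequence(pw, len = 4) {
  const lower = pw.toLowerCase();
  for (let i = 0; i + len <= lower.length; i++) {
    const chunk = lower.slice(i, i + len);
    const rev = [...chunk].reverse().join("");
    if (ROWS.some(row => row.includes(chunk) || row.includes(rev))) return true;
  }
  return false;
}

// Repeated characters: the same character `limit` or more times in a row.
function hasRepeat(pw, limit = 4) {
  return new RegExp(`(.)\\1{${limit - 1},}`).test(pw);
}

// Returns the name of the first failing rule, or null when every rule passes.
// `userContext` holds words the password must not contain (username, email local part).
function validatePassword(pw, userContext = []) {
  if (!POLICY_RE.test(pw)) return "length-or-character-classes";
  if (/\s/.test(pw)) return "whitespace";
  if (BLOCK_LIST.has(normalizeLeet(pw))) return "common-password";
  const lower = pw.toLowerCase();
  if (userContext.some(w => w.length >= 3 && lower.includes(w.toLowerCase()))) return "user-context";
  if (hasStraightSequence(pw)) return "straight-sequence";
  if (hasRepeat(pw)) return "repeated-characters";
  return null;
}
```

The rule names returned here are the server-side counterpart of the "exact rule that failed" column in the Test passwords panel, so client and server reports can be compared row by row.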

Free to use. Works in your browser. No signup, no login.
