Password Generator

How It Works

All randomness comes from crypto.getRandomValues(), a cryptographically secure pseudo-random number generator (CSPRNG) built into every modern browser. Passwords are generated entirely in your browser — nothing is ever sent to a server.

Entropy measures how unpredictable a password is. Password entropy is length × log₂(pool size). A 16-character password using all character sets has ~105 bits of entropy — at a trillion guesses per second, brute-forcing it would take longer than the age of the universe. Generally, 80+ bits is considered very strong.

Rejection sampling is used when selecting characters to avoid modulo bias — a subtle flaw where some characters are slightly more likely to appear when the pool size doesn't divide evenly into the random number range. Random values outside the largest multiple of the pool size are discarded and redrawn.

Passphrases (inspired by Diceware) chain random words from a 1,547-word list. Each word contributes ~10.6 bits of entropy. A 4-word passphrase is easy to remember and provides ~42 bits of entropy — often stronger than a shorter complex password, and far more memorable.

Length beats complexity. Adding one more character to a 16-char password increases entropy by ~6.5 bits — equivalent to adding another character set. For passphrases, one more word adds ~10.6 bits.