Why generate passwords locally?
A password generator that runs on a server has, by definition, seen your password. This one uses your browser's built-in cryptographic random number generator (crypto.getRandomValues) - the same engine your bank's website relies on - and everything happens on your device. You can load this page, disconnect from the internet, and it still works.
What makes a password strong in practice
- Length beats cleverness. A random 20-character password is astronomically stronger than a "clever" 10-character one. Each extra character multiplies the work an attacker must do.
- Random beats memorable. Humans are terrible randomness generators - patterns, dates and substitutions (p@ssw0rd) are the first things cracking tools try.
- Unique beats everything. The most common breach path is one reused password. Use a password manager and a different random password per site.
What the entropy number means
Entropy (in bits) measures how many guesses an attacker needs: every +1 bit doubles the work. As a rule of thumb, 80+ bits is strong for online accounts and 100+ bits is effectively uncrackable with current hardware.
FAQ
Does this Password Generator send data to a server?
- No. No network request is involved in generating passwords - you can verify this by watching the network tab of your browser's dev tools.
Is Math.random() used?
- No - that's not cryptographically safe. This tool uses crypto.getRandomValues, with rejection sampling to avoid statistical bias.
Should I exclude look-alike characters?
- If you'll ever read or type the password manually, yes. If it lives in a password manager, you can include them for a slightly larger character pool.
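
The rejection sampling, look-alike exclusion and entropy figure described above, as an added example (not this tool's own code). The character pools, the function names and the one-byte sampling width are assumptions made for illustration.

```javascript
// Added example: unbiased character selection from crypto.getRandomValues.
// Browsers expose globalThis.crypto; the require() fallback covers older Node.
const rng = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Constructed pools (assumptions, not the tool's real character sets).
const FULL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";
const LOOKALIKES = new Set("0O1lI");

function buildPool(excludeLookalikes) {
  return excludeLookalikes ? [...FULL].filter((c) => !LOOKALIKES.has(c)).join("") : FULL;
}

// A byte has 256 values. If 256 is not a multiple of n, `byte % n` makes the
// first (256 % n) indices slightly more likely. Only bytes below the largest
// multiple of n are accepted; the rest are thrown away and redrawn.
function rejectionLimit(n) {
  return 256 - (256 % n);
}

// Unbiased integer in [0, n) for 1 <= n <= 256.
function randomIndex(n, source = rng) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError("n must be 1..256");
  const limit = rejectionLimit(n);
  const buf = new Uint8Array(1);
  for (;;) {
    source.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % n; // accepted: every index equally likely
  }
}

function generatePassword(length, pool, source = rng) {
  let out = "";
  for (let i = 0; i < length; i++) out += pool[randomIndex(pool.length, source)];
  return out;
}

// Entropy of a uniformly random password: length * log2(pool size).
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}
```

With these constructed pools, excluding the five look-alike characters shrinks the pool from 70 to 65 symbols, which costs about 0.1 bit of entropy per character.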