Why Use a Password Generator?
Humans are terrible at creating random passwords. We reuse patterns, pick dictionary words, and substitute letters in predictable ways ("p@ssw0rd" isn't fooling anyone). A cryptographically secure generator uses crypto.getRandomValues() — the same entropy source used for TLS and SSH — to produce passwords that are truly unpredictable.
How Much Entropy Do You Need?
Entropy measures password strength in bits. Each bit doubles the number of possible combinations an attacker has to try. Here's a rough guide:
- 40-60 bits — Minimum for low-value accounts. Crackable with dedicated hardware.
- 60-80 bits — Good for most online accounts with rate limiting.
- 80-100 bits — Strong. Suitable for encryption keys and sensitive systems.
- 100+ bits — Excellent. Beyond brute-force capability with current technology.
Passwords vs Passphrases
A random 20-character password like kX9#mQ2$vL7@pR4&nW6! has excellent entropy but is nearly impossible to type manually. A passphrase like correct-horse-battery-staple is easier to remember and can match or exceed the entropy of a shorter random password, depending on the word list size and word count.
Use random passwords when a password manager handles entry. Use passphrases when you need to type it from memory (e.g. a master password or full-disk encryption key).
About This Generator
This tool uses the Web Crypto API (crypto.getRandomValues()) for all randomness. No data is sent to any server — everything happens in your browser. The source code is visible in the page if you want to inspect it.