Password Generator

Cryptographically secure password generator with adjustable length and character classes. Runs in your browser.

This tool runs in your browser. No data leaves your device.

How It Works

Random passwords are generated with crypto.getRandomValues, which is cryptographically secure. Length, character classes, and filters are adjustable. Nothing is sent to a server.

Why isn’t Math.random() enough?

JavaScript’s Math.random() function is not cryptographically secure. V8 and other engines typically use a fast but predictable algorithm like xorshift128+. Anyone who observes enough output can predict the next “random” values.

For password generation, crypto.getRandomValues is mandatory — it draws from the operating system’s entropy pool (/dev/urandom on Linux, Security.framework on macOS, CNG on Windows).

Why does entropy matter?

Password strength is measured in entropy (in bits):

entropy = length × log₂(alphabet_size)

Examples:

| Length | Alphabet                 | Entropy                  |
|--------|--------------------------|--------------------------|
| 8      | 26 (lowercase only)      | ~38 bits — weak          |
| 12     | 62 (a-z A-Z 0-9)         | ~71 bits — strong        |
| 16     | 94 (all printable ASCII) | ~105 bits — very strong  |
| 20     | 94                       | ~131 bits                |

Practical thresholds:

  • < 40 bits: weak — brute-forced within hours by modern GPUs.
  • 60–80 bits: strong — requires specialized hardware and years.
  • > 80 bits: very strong — holds up even against the next decade’s brute-force capacity.

Length vs complexity

The most efficient way to increase a password’s strength is to increase length, not character variety. 20 lowercase characters (~94 bits) are far stronger than 8 characters with symbols (~52 bits).

Adding a single character multiplies the number of possible passwords by the alphabet size; adding a symbol class only enlarges the per-character alphabet by a fixed ratio.
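The entropy formula above, applied to the page's own table and to the length-vs-complexity comparison, as an added example that is not the tool's source. The class names (lower, upper, digits, symbols) and the helper names are this example's own; "symbols" is taken to mean every printable ASCII character (codes 33–126, no space) that is not a letter or digit, which is what makes the four classes together add up to the page's 94-character alphabet.

```javascript
// Added example, not the tool's own source: build an alphabet from the
// character classes the page lists and compute entropy = length * log2(size).

// All printable ASCII except space (codes 33..126) is 94 characters; the
// symbol class is whatever in that range is not a letter or digit (32 chars).
const PRINTABLE_ASCII = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join('');

const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digits: '0123456789',
  symbols: [...PRINTABLE_ASCII].filter((c) => !/[A-Za-z0-9]/.test(c)).join(''),
};

// Union of the selected classes, de-duplicated so the alphabet size is exact.
function buildCharset(selected) {
  const seen = new Set();
  for (const name of selected) {
    if (!(name in CLASSES)) throw new Error(`unknown character class: ${name}`);
    for (const ch of CLASSES[name]) seen.add(ch);
  }
  return [...seen].join('');
}

// Entropy in bits of a password of `length` characters drawn uniformly and
// independently from an alphabet of `alphabetSize` characters.
function entropyBits(length, alphabetSize) {
  if (!(length > 0) || !(alphabetSize >= 2)) return 0;
  return length * Math.log2(alphabetSize);
}

// The page's table, rounded to whole bits.
function entropyTable() {
  return [[8, 26], [12, 62], [16, 94], [20, 94]].map(([len, size]) => ({
    length: len,
    alphabet: size,
    bits: Math.round(entropyBits(len, size)),
  }));
}

// The page's length-vs-complexity comparison: 20 lowercase characters
// against 8 characters drawn from all four classes (94 symbols).
function lengthVsComplexity() {
  const lowercaseOnly = buildCharset(['lower']).length;                                // 26
  const allClasses = buildCharset(['lower', 'upper', 'digits', 'symbols']).length;     // 94
  return {
    lowercase20: entropyBits(20, lowercaseOnly),
    allClasses8: entropyBits(8, allClasses),
  };
}
```

Note that the formula only holds when every position is sampled uniformly and independently; a generator that forces "at least one of each class" or filters characters after the fact no longer has exactly length × log₂(alphabet_size) bits.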

Modulo bias

If a naive “random 8-bit number → character” mapping is done with byte % charset.length, some characters appear more often than others. For example: if charset.length = 62, the 256 numbers from 0–255 don’t divide evenly by 62 (256 % 62 = 8). The first 8 characters get picked 1.6% more often.

This tool uses rejection sampling: bytes at or above maxValid = 256 - (256 % setSize) are discarded and a fresh byte is drawn instead. The result is a perfectly uniform distribution in which every character is picked with equal probability.

“Exclude ambiguous characters”

If the password will be written on paper or read aloud, 0/O, 1/l/I and | are hard to tell apart. This option removes those characters. Entropy drops — a deliberate tradeoff for practicality.

“Shell-safe”

If the generated password will be written into bash, a SQL connection string, a URL, or a .env file, characters that need escaping ($, `, ", ', \, ;, |, &, <, >, (, )) cause trouble. This filter removes them — eliminating the need for escaping downstream.
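Both filters, applied to the 94-character alphabet before sampling, together with the entropy cost the text mentions, as an added example that is not the tool's source. The character lists are exactly the ones named above; the function names, the option names excludeAmbiguous and shellSafe, and the 16-character length used for the cost report are this example's own assumptions.

```javascript
// Added example, not the tool's own source: apply the page's two filters to
// the alphabet before sampling and report what each one costs in entropy.

// All printable ASCII except space (codes 33..126): 94 characters.
const BASE_ALPHABET = Array.from({ length: 94 }, (_, i) => String.fromCharCode(33 + i)).join('');

// Characters the page names as hard to tell apart on paper or when read aloud.
const AMBIGUOUS = new Set('0O1lI|');

// Characters the page names as needing escaping in bash, SQL connection
// strings, URLs or .env files: $ ` " ' \ ; | & < > ( )
const SHELL_UNSAFE = new Set('$`"\'\\;|&<>()');

// Remove filtered characters from the alphabet. This must happen before
// sampling: stripping characters from an already generated password would
// shorten it and skew the distribution of what remains.
function applyFilters(charset, { excludeAmbiguous = false, shellSafe = false } = {}) {
  return Array.from(charset)
    .filter((c) => !(excludeAmbiguous && AMBIGUOUS.has(c)))
    .filter((c) => !(shellSafe && SHELL_UNSAFE.has(c)))
    .join('');
}

// entropy = length * log2(alphabet_size), as on the page.
function entropyBits(length, alphabetSize) {
  return length > 0 && alphabetSize >= 2 ? length * Math.log2(alphabetSize) : 0;
}

// Alphabet size and entropy at `length` before and after filtering.
function filterCost(charset, length, options) {
  const sizeBefore = Array.from(charset).length;
  const sizeAfter = Array.from(applyFilters(charset, options)).length;
  const bitsBefore = entropyBits(length, sizeBefore);
  const bitsAfter = entropyBits(length, sizeAfter);
  return { sizeBefore, sizeAfter, bitsBefore, bitsAfter, bitsLost: bitsBefore - bitsAfter };
}

// True when no character in `password` is on the shell-unsafe list, i.e. the
// value can be pasted into the contexts above without escaping.
function needsNoEscaping(password) {
  return !Array.from(password).some((c) => SHELL_UNSAFE.has(c));
}
```

Removing the six ambiguous characters leaves 88, removing the twelve shell-unsafe characters leaves 82, and both together leave 77 (| is on both lists). At 16 characters the shell-safe filter costs about 3.2 bits, so compensating with one extra character more than recovers it.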

What this tool is not for

  • Production secret management. Save the generated password into a password manager (1Password, Bitwarden, KeePassXC) or a secret store (Vault, AWS Secrets Manager) right away — don’t leave it here.
  • Choosing a master password. For a master password, a diceware-style passphrase is better: memorable + high entropy. (That’s on the V1.2 roadmap for this tool.)
  • Generating shared secrets. In scenarios where both parties must know the same secret, key agreement and key derivation (Diffie-Hellman, HKDF) are a better fit.

Privacy

This tool runs entirely in your browser. Generated passwords are never sent to a server. Even so:

  • If you copy the generated password to the clipboard, other applications can access it.
  • Some browser extensions can read DOM content.
  • If the password is visible during screen sharing, it can be recorded.

For sensitive accounts: generate, copy, paste into your password manager, clear the clipboard.