Strong, random passwords generated instantly in your browser. Nothing is sent to any server.
crypto.getRandomValues() — nothing is sent to any server.
Password security is fundamentally a math problem. Every password can be measured by two numbers: the size of the character pool it draws from, and its length. Together these determine entropy — the amount of randomness measured in bits. The higher the entropy, the more guesses an attacker must make to crack the password. A password with 80 bits of entropy requires 280 attempts to guarantee a find by brute force — that is approximately 1.2 quintillion guesses. At a rate of one billion guesses per second — which modern GPU-accelerated cracking hardware can achieve — exhausting an 80-bit keyspace would take over 38,000 years.
Entropy is calculated as: E = L × log₂(N), where L is the password length and N is the size of the character pool. Every additional character type you include expands the pool size, and every additional character in length multiplies the total combinations by the pool size. This is why length is the most powerful lever: adding one character to a 20-character password from a pool of 94 characters multiplies the number of possible combinations by 94. Adding one more character type (say, expanding from 62 to 94) only increases entropy by log₂(94/62) ≈ 0.6 bits per position.
| Entropy | Example | Est. Crack Time (GPU) | Use Case |
|---|---|---|---|
| < 28 bits | 4-digit PIN | Instant | Low-value only |
| 28–35 bits | 6 chars, all types | Minutes–hours | Avoid for accounts |
| 36–59 bits | 8–10 chars, mixed | Days–months | Minimum for accounts |
| 60–79 bits | 12–14 chars, mixed | Centuries–millennia | Good for most accounts |
| 80–99 bits | 16–20 chars, all types | Millions of years | Sensitive accounts |
| 100+ bits | 20+ chars / passphrase | Heat death of universe | Maximum security |
| Character Set | Pool Size | Entropy/Char | Notes |
|---|---|---|---|
| Digits only (0–9) | 10 | 3.32 bits | PINs only |
| Lowercase letters | 26 | 4.70 bits | Weak alone |
| Upper + lowercase | 52 | 5.70 bits | Better, still guessable |
| Letters + digits | 62 | 5.95 bits | Common standard |
| Letters + digits + symbols | 94 | 6.55 bits | Strong standard |
| Full printable ASCII | 95 | 6.57 bits | Maximum standard pool |
| 4-word passphrase (EFF) | 7776⁴ | ~51 bits total | Memorable + strong |
| 5-word passphrase (EFF) | 7776⁵ | ~64 bits total | Recommended minimum |
The classic rule set — must contain uppercase, lowercase, number, and symbol, but can be as short as 8 characters — is mathematically backwards. An 8-character password from a pool of 94 characters has only 52.4 bits of entropy, which a modern GPU cluster can crack within months using brute force, and within seconds if it appears in a known dictionary. NIST (the U.S. National Institute of Standards and Technology) reversed its position on complexity requirements in its 2017 guidelines, recommending length over complexity and eliminating arbitrary rotation requirements. An 8-character "complex" password is dramatically weaker than a 16-character passphrase like "correct-horse-battery-staple" — even though the passphrase uses only lowercase letters and hyphens.
Modern password cracking uses several techniques in order of efficiency. Credential stuffing tries username/password pairs from previous breaches — billions of these are available online. This catches anyone reusing passwords and doesn't require any computing power. Dictionary attacks try common words, names, years, and predictable substitutions (p@ssw0rd, S3cur!ty, etc.). Rules-based attacks use Hashcat or John the Ripper with transformation rules: capitalize the first letter, add a number at the end, replace a with @, etc. These cover most "cleverly modified" passwords. Brute force is the last resort — exhaustively trying every combination — and is only practical for short passwords or weak character pools. A truly random 16+ character password is immune to all of these except brute force, and at that length, brute force is computationally infeasible.
Passphrases are sequences of random words — popularized by the famous XKCD comic featuring "correct horse battery staple" — and they offer a compelling combination of memorability and security. A 4-word passphrase drawn from the EFF's 7,776-word list (using a standard six-sided die roll, hence "diceware") has approximately 51.7 bits of entropy. A 5-word passphrase reaches 64.6 bits. A 6-word passphrase achieves 77.5 bits — approximately equivalent to a randomly generated 12-character password using all character types. Passphrases are primarily useful for the handful of passwords you need to memorize: your computer login password, your primary email account password, and your password manager master password. For everything else, a password manager generating and storing random character strings is preferable.
The only correct solution to password management is a password manager. Human-generated passwords are predictable — even when people try to be random, they follow patterns that crack within hours. A password manager solves this by generating truly random passwords of arbitrary length for every account, storing them encrypted behind a single strong master password, and autofilling them on websites. This also eliminates password reuse, which remains the single most common cause of account compromise. Reputable password managers include Bitwarden (open source, free tier), 1Password, Dashlane, and the built-in managers in iOS Keychain and Chrome/Firefox. The threat model for a password manager is vastly better than reusing passwords: an attacker would need to compromise your device, steal your vault file, and crack your master password — versus simply checking a breach database for reused credentials.
Even a weak password becomes dramatically more secure when combined with multi-factor authentication (MFA). With MFA enabled, an attacker who obtains your password still cannot access your account without the second factor — your phone, a hardware key, or a TOTP code. Enable MFA on every account that offers it, prioritizing email, banking, primary social media, and any account linked to payment methods. Use a dedicated authenticator app (Authy, Google Authenticator, Microsoft Authenticator) rather than SMS when possible, as SMS is vulnerable to SIM-swapping attacks. Hardware security keys (YubiKey, Google Titan) offer the strongest MFA and are phishing-resistant. The combination of a long random password and hardware MFA is essentially unbreakable by remote attack.
crypto.getRandomValues() API — a cryptographically secure random number generator built into every modern browser. Nothing is transmitted to a server. You can verify this by disconnecting from the internet and continuing to use the generator — it works identically offline. Be cautious of any online password generator that requires an internet connection to generate passwords or that doesn't clearly explain where randomness comes from. All reputable generators use the browser's CSPRNG or a server-side equivalent.crypto.getRandomValues() browser API uses the operating system's entropy sources (hardware events, timing jitter, etc.) seeded into a CSPRNG. Human-generated passwords are never truly random — cognitive biases consistently produce predictable patterns. Studies of human "random" sequences show preferences for certain letter combinations, avoidance of repeated characters, and predictable capitalization and number placement. Even people trying hard to be random produce passwords that crack significantly faster than computer-generated equivalents.