Password Generator

The Science of Unbreakable Passwords

Entropy: The Mathematics of Randomness

Password strength is measured in bits of entropy— the logarithmic count of all possible combinations. A password drawn from 94 printable ASCII characters gains ~6.55 bits per character. An 8-character password yields ~52 bits (4.5 quadrillion combinations), while a 20-character password yields ~131 bits — more combinations than atoms in the observable universe. Modern GPUs can test 100 billion hashes per second; at that rate, 52-bit entropy falls in under a minute, but 131-bit entropy would take longer than the age of the universe.

The Entropy Formula

H = L × log₂(N)

Where H is entropy in bits, L is the password length, and N is the size of the character set. With lowercase only (N=26), a 16-character password has 75 bits of entropy. Add uppercase (N=52): 91 bits. Add digits and symbols (N=94): 105 bits. Each additional character type increases N, but length has the greatest impact because it scales linearly with H.

CSPRNG: Why Math.random() Is Not Enough

This tool uses crypto.getRandomValues(), a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) built into every modern browser. Unlike Math.random(), which uses a predictable algorithm seeded by the system clock, CSPRNG draws from operating system entropy sources — hardware interrupts, mouse movements, disk I/O timing — making its output computationally indistinguishable from true randomness. This means an attacker who knows the algorithm still cannot predict the next output.

Crack Time: Real Numbers

Consider a modern GPU cluster testing 100 billion (10¹¹) hashes per second. An 8-character password from the full 94-character set (~52 bits) is cracked in under 19 hours. A 12-character password (~79 bits) would take ~190,000 years. A 16-character password (~105 bits) pushes into 12 billion years territory. The lesson: length matters far more than complexity. A 20-character lowercase-only passphrase (94 bits) is stronger than an 8-character password using every character type (52 bits).

Frequently Asked Questions

Why does the exclude feature exist?

Some systems reject certain characters (e.g., spaces, angle brackets) or have ambiguous display issues (0/O, 1/l/I). The exclude field lets you remove these while maintaining maximum entropy from the remaining charset. Excluding 5 characters from the 94-character set reduces per-character entropy from 6.55 to 6.47 bits — negligible if you compensate with one extra character of length.

Should I use a passphrase or random characters?

Both are valid strategies. A random 16-character password from 94 characters provides ~105 bits of entropy. A four-word passphrase from a 7,776-word diceware list provides ~51 bits — too low. Six diceware words give ~77 bits, and seven words give ~90 bits. Random characters are denser in entropy but harder to type manually. Use random characters for passwords stored in a manager; use passphrases for the few passwords you must memorize (e.g., your password manager's master password).

Is client-side generation really safe from interception?

The password is generated in your browser's JavaScript runtime and never touches any network. However, browser extensions, keyloggers, or malware on your device could theoretically capture it. For maximum security, generate passwords on a trusted device with minimal extensions, and paste directly into your password manager. The generation itself is cryptographically sound — the risk surface is your device's overall security posture, not this tool.