Random Number

Secure Password Generator

Generate cryptographically strong random passwords using your browser's Web Crypto API, with precise entropy calculations and customizable character sets for maximum security.

Generate Secure Password

Click "Generate Password" to create a cryptographically secure password
Character Sets
Password Strength: Not Generated

Cryptographic Password Security

Password security is fundamentally about entropy-the measure of unpredictability in a system. A strong password should have sufficient entropy to resist brute-force attacks, dictionary attacks, and rainbow table lookups. This generator uses the Web Crypto API's crypto.getRandomValues() function to ensure each password is generated from cryptographically secure pseudorandom bytes.

The entropy of a password is calculated using the formula: H = L x log2(C), where L is the password length and C is the size of the character set. For example, a 12-character password using all four character sets (lowercase, uppercase, numbers, symbols) has approximately 77 bits of entropy, which would take billions of years to brute-force with current computing power.

This tool implements rejection sampling to ensure uniform distribution across the selected character sets, avoiding the statistical biases that can occur with simpler random number generators. Each character in the password is selected with equal probability from the chosen character pool.

Character Set Analysis

The choice of character sets significantly impacts password strength:

  • Lowercase letters (26 characters): Provides 4.7 bits of entropy per character
  • Uppercase letters (26 characters): Adds another 4.7 bits when combined with lowercase
  • Numbers (10 characters): Contributes 3.32 bits of entropy per character
  • Symbols (32 common symbols): Provides 5 bits of entropy per character

Using all four character sets creates a pool of 94 possible characters, yielding approximately 6.55 bits of entropy per character. This exponential growth in security makes longer passwords with diverse character sets exponentially more difficult to crack.

The generator ensures that at least one character from each selected set is included in the password, guaranteeing the advertised entropy level while maintaining usability.

Password Strength Assessment

The strength meter evaluates passwords based on their entropy and resistance to common attack vectors:

  • Weak (< 40 bits): Vulnerable to offline dictionary attacks and short brute-force attempts
  • Fair (40-60 bits): Resistant to online attacks but may succumb to dedicated offline cracking
  • Good (60-80 bits): Strong protection against most attack scenarios
  • Strong (80+ bits): Extremely secure, resistant to all known attack methods with current technology

These thresholds are based on the computational power of modern hardware and the efficiency of current password cracking algorithms. The 80-bit threshold represents the theoretical limit of brute-force attacks using the entire energy output of humanity for a year.

The strength calculation considers not just entropy but also the practicality of the password for human use. Extremely long passwords with high entropy may be secure but difficult to remember or type accurately.

Technical Implementation

The password generation algorithm follows these steps:

  1. Validate input parameters and ensure at least one character set is selected
  2. Calculate the total character pool size from selected sets
  3. Request sufficient random bytes from crypto.getRandomValues()
  4. Use rejection sampling to map random bytes to valid character indices
  5. Ensure each selected character set is represented at least once
  6. Shuffle the final password to avoid predictable patterns

The rejection sampling technique ensures that each character has exactly equal probability, avoiding the modulo bias that can occur when the random number range doesn't evenly divide the character set size. This maintains the mathematical guarantees of uniform distribution.

The implementation is designed to work entirely client-side, ensuring that passwords are never transmitted over the network and remain under the user's control at all times.

Password Security Best Practices

While strong passwords are essential, they are only one component of comprehensive security:

  • Use a password manager to generate and store unique passwords for each service
  • Enable two-factor authentication wherever possible to add an additional security layer
  • Avoid password reuse across different accounts and services
  • Regularly update passwords for critical accounts, especially after security breaches
  • Use passphrases for better memorability with high entropy

Remember that password strength is relative to the value of the protected resource and the attacker's motivation. Critical systems may require even higher entropy thresholds than those recommended here.

This tool provides the cryptographic foundation for secure password generation, but responsible password management requires ongoing vigilance and the use of appropriate security tools and practices.