Password Generator

A strong password is one an attacker can't guess in any reasonable amount of time. The single most important property is entropy — the number of bits of randomness behind the result. Each bit doubles the search space, so 80 bits is twice as hard to crack as 79 and a billion times harder than 50.

Why this generator uses crypto.getRandomValues

JavaScript's Math.random() is a non-cryptographic PRNG and must never be used to generate secrets — its output is predictable from a small number of samples. crypto.getRandomValues()draws from the operating system's CSPRNG (the same source used by TLS), and combined with rejection sampling it produces a uniform distribution over the chosen alphabet. Both properties matter: a biased distribution shrinks the effective key space.

Passwords vs passphrases

A 20-character password drawn from the full 90-symbol set has about 130 bits of entropy. A 5-word passphrase from a ~500-word list has about 45 bits — significantly weaker, but vastly easier for a human to remember and type. The win of passphrases is that you can crank up the word count without making them noticeably harder to recall: a 7-word passphrase clears 60 bits, an 8-word one clears 70, and you're still typing real English.

The original Diceware method (and the EFF wordlists that followed) gives ~12.9 bits per word from a 7,776- word list. This generator uses a smaller curated list of common, easy-to-spell words to keep the bundle size down — the trade-off is a slightly lower bits-per-word figure, but you can compensate by adding one extra word.

How much is enough?

• Below 50 bits — Weak. Trivially broken by modern GPU clusters.
• 50–80 bits — Fair. Resists casual attacks but vulnerable to determined ones.
• 80–110 bits — Strong. The threshold most modern password guidance recommends for human-typed secrets.
• 110+ bits — Excellent. Computationally infeasible to brute force with anything that exists today.