π² Secure Password Generator
Why Your Password Generator Matters More Than You Think
There is a peculiar irony at the heart of modern password security: the very randomness that makes a password strong is the thing humans are worst at producing. Ask someone to think of a random password and they'll pick something like Tr0ub4dor&3, which feels chaotic but follows entirely predictable human patterns β a word, some letter substitutions, a trailing number. An attacker running a rule-based dictionary attack will crack that in minutes. True randomness, the kind a machine produces, looks more like qX7#mK!vPn2@cZ9w β ugly, unmemorable, and genuinely strong.
This tutorial walks through how to use a browser-based secure password generator, explains what makes one cryptographically trustworthy, and gives you the knowledge to evaluate any generator you encounter.
The Critical Difference: Crypto API vs Math.random()
Not all randomness is equal. JavaScript's built-in Math.random() is a pseudorandom number generator β it produces numbers that look random but are derived from a deterministic algorithm seeded with a predictable value (often the system clock). For game dice rolls or shuffling playlists, that's fine. For passwords, it's a security flaw.
The window.crypto.getRandomValues() API is a completely different beast. It pulls entropy from the operating system's cryptographically secure random number generator β the same source used for generating TLS keys and SSL certificates. On modern systems this draws from hardware noise, CPU timing jitter, and other truly unpredictable physical sources. No amount of knowledge about your CPU or system state lets an attacker predict what it will produce next.
A good password generator uses crypto.getRandomValues() exclusively. If you ever read the source of a password tool and see Math.random() anywhere in the generation logic, close the tab.
Understanding the Length Slider
The generator lets you pick any length from 8 to 128 characters. Here's what those numbers mean in practice. Password strength is measured in bits of entropy, which represents how many guesses an attacker would need to exhaust all possibilities. The formula is simple: entropy = length Γ logβ(charset size).
A 12-character password using uppercase, lowercase, numbers, and symbols draws from a character pool of roughly 90 characters. That gives you 12 Γ logβ(90) β 12 Γ 6.49 β 78 bits of entropy. Modern cracking hardware (GPU clusters) can test billions of guesses per second β but against 78 bits of true randomness, even that is hopeless. A 78-bit password would take longer than the age of the universe to crack by brute force.
So why would you ever use 128 characters? For master passwords stored in a password manager, for encryption keys, or simply for peace of mind. The overhead of typing a longer password once (to store it) is trivial. The security margin is not.
Choosing Your Character Sets
The generator offers four character categories:
Uppercase letters (AβZ) add 26 characters to your pool. Always leave this on unless the service you're registering with explicitly forbids uppercase β some legacy systems do, annoyingly.
Lowercase letters (aβz) are the baseline. Turn this off only if you have a very specific reason; most of your charset comes from here.
Numbers (0β9) add 10 characters and satisfy the "must contain a number" requirement most sites impose. With this enabled, the generator guarantees at least one digit appears in your password through a mandatory inclusion step.
Symbols (!@#$%^&β¦) dramatically expand the effective keyspace and defeat most dictionary-based attacks. Not every website accepts every symbol β some forms reject characters like > or & due to HTML encoding concerns. If a site rejects your generated password, try regenerating with symbols off.
The generator always guarantees at least one character from each enabled category, using a cryptographically random insertion at a random position. This prevents the unlucky edge case where you enable numbers but happen to generate a password with none.
The Ambiguous Character Option
This checkbox excludes characters that look similar in many fonts: the letter O and the digit 0, the lowercase l and the digit 1 and the uppercase I. When you're reading a password off a screen to type it somewhere else β copying a password from a printed sheet, or reading it aloud to someone β ambiguous characters cause errors.
The tradeoff is a slight reduction in entropy. Removing five characters from a 90-character pool brings it to 85, costing you about 0.08 bits per character. For a 20-character password that's a loss of 1.6 bits β completely negligible. Turn this on if you ever read passwords manually; leave it off if you always copy-paste.
Reading the Strength Indicator
The colored bars give you an at-a-glance entropy assessment:
- Weak (red, below 40 bits): Under 7 characters with a limited charset. Crackable in seconds with modern hardware. Only use these for throwaway accounts with no sensitive information.
- Fair (orange, 40β60 bits): Adequate for low-stakes accounts but not services that hold financial or personal data.
- Strong (yellow, 60β80 bits): Solid general-purpose security. Brute force is not feasible.
- Very Strong (green, 80+ bits): Appropriate for sensitive accounts β email, banking, password managers. This is the target you should always aim for.
For context, NIST's 2017 guidelines (SP 800-63B) moved away from prescribing complexity rules in favor of length and true randomness. A random 15-character password is now considered more secure than a complex-but-guessable 8-character one with enforced substitutions.
Rejection Sampling: Why the Math Is Fair
One subtlety worth understanding is modulo bias. If you generate a random 32-bit number (0 to 4,294,967,295) and take the result modulo your charset size, some characters will appear slightly more often than others β the bias depends on how evenly your charset size divides 2Β³Β². For a charset of 90 characters, the bias is tiny but technically non-zero.
The generator eliminates this by using rejection sampling: it generates a random number, checks whether it falls in a range that divides evenly by the charset size, and if not, throws it away and tries again. This guarantees a perfectly uniform distribution across all characters. The retry loop almost never runs more than once in practice.
How to Use Generated Passwords Safely
A perfect password stored carelessly is useless. A few principles:
Always use a password manager (Bitwarden, 1Password, KeePass) to store generated passwords. Trying to memorize a 20-character random string is both futile and unnecessary. The manager stores it encrypted; you only need to remember the master password.
Generate a different password for every single account. This is the whole point. If one service suffers a data breach and your password leaks, an attacker who tries that password on other sites (credential stuffing) will fail because every password is unique.
Enable two-factor authentication wherever possible. A strong random password plus 2FA means that even if your password database is compromised, attackers still can't log in without your second factor.
The generation happens entirely in your browser. No password is transmitted to any server, logged, or stored. You can verify this by disconnecting from the internet and generating passwords β they'll work exactly the same.
A Note on Password Policies
Many sites impose requirements like "must contain an uppercase letter, a number, and a special character." The generator's mandatory inclusion logic handles this automatically β when you enable a character type, the generator guarantees at least one character from that set appears in the output, inserted at a cryptographically random position. You won't accidentally generate a password that fails the site's requirements.
For sites with maximum length restrictions (unfortunately common on older platforms), use the length slider to match. And for the rare site that only allows alphanumeric passwords, simply uncheck the symbols box.