Secure Password Generator

How the Password Generator Works

This tool generates passwords using the Web Crypto API (crypto.getRandomValues()), which provides cryptographically secure pseudo-random numbers sourced from the operating system's entropy pool. Unlike Math.random(), which uses a deterministic PRNG unsuitable for security, the Web Crypto API meets the requirements for generating secrets as defined in RFC 4086 (Randomness Requirements for Security).

Character Set and Entropy

The generator supports four character classes: uppercase letters (A-Z, 26 characters), lowercase letters (a-z, 26 characters), digits (0-9, 10 characters), and symbols (!@#$%^&* and others, approximately 32 characters). When all four classes are enabled, the combined set has 94 printable ASCII characters. Password entropy is calculated as log2(charset_size^length). A 16-character password drawn from all 94 characters provides approximately 105 bits of entropy, well above NIST's minimum recommendation of 80 bits for high-security applications.

Uniform Distribution

To avoid modulo bias, the generator uses rejection sampling. Random bytes from crypto.getRandomValues() are mapped to the character set size, and any value that would create uneven distribution is discarded and re-sampled. This ensures every character in the set has an exactly equal probability of appearing at every position in the generated password.

Practical Guidelines

NIST SP 800-63B recommends passwords of at least 8 characters, but security professionals generally recommend 12 or more. For master passwords protecting password managers or encryption keys, use 20+ characters. Combine generated passwords with a password manager to avoid reuse across services.