Strong passwords or memorable passphrases — cryptographically random in your browser.
A strong password resists both brute-force and dictionary attacks. Four core principles:
A passphrase of 4–6 random words (the Diceware method) offers security comparable to a random character password but is far easier to remember and type. For master passwords (password managers, disk encryption), passphrases are often the better choice.
Yes. Random numbers come from `crypto.getRandomValues()` directly in your browser — a cryptographically secure source. There is no server round-trip, no log, no tracking. You can inspect the implementation in your browser's developer tools at any time.
The entropy of a password measures how unpredictable it is — in bits. A password with 60 bits of entropy means an attacker needs on average 2^59 (about 576 quadrillion) guesses to crack it. What matters is not length alone but the size of the alphabet each character is drawn from uniformly at random. This generator uses crypto.getRandomValues() — a cryptographically secure source the browser pulls from the OS pool (e.g. /dev/urandom on Linux).
A password like Dog2024! looks strong with 9 characters and 4 character classes, but is actually a dictionary variation crackable in seconds. NIST SP 800-63B (USA) abandoned forced complexity rules in 2017 and now recommends long, freely chosen passwords (8 minimum, 15+ ideal) plus checking against breach lists (e.g. haveibeenpwned.com).
Rule of thumb: Diceware passphrases of 6 words from a 7776-word list deliver about 77 bits of entropy — enough to occupy even dedicated hardware (e.g. an RTX 4090 at ~200 GH/s against unsalted SHA-1) for more than 10^14 years. For master passwords of a password manager, 6 or 7 words is the gold standard. For throwaway accounts (stored in the manager), 16 random characters from a 94-character alphabet (~105 bits) is plenty.
For a random password of length L drawn from an alphabet of N characters, the entropy H in bits is:
H = L * log2(N)
Examples:
- 8 chars, lowercase only (N=26): 8 * 4.70 = 37.6 bits
- 12 chars, alphanumeric (N=62): 12 * 5.95 = 71.5 bits
- 16 chars, full alphabet (N=94): 16 * 6.55 = 104.9 bits
- 4 Diceware words (N=7776): 4 * 12.92 = 51.7 bits
- 6 Diceware words (N=7776): 6 * 12.92 = 77.5 bits
Assume an attacker has the salted bcrypt hash (cost=12, roughly 250 ms per attempt on a modern GPU). That gives them about 10,000 attempts per second per GPU. What does that mean in practice?
password-style): 26^8 = 2.1 * 10^11 combinations. Exhaustive search: ~240 days on one GPU, a few hours on a 100-GPU rig. Not enough.K3p9XaT2qLm8): 62^12 = 3.2 * 10^21 combinations. Exhaustive search: ~10^10 years on one GPU. Even a 10,000-GPU rig needs over a million years. Practically safe.r5$Lm!9pQ#xK7zF2): 94^16 ≈ 3.7 * 10^31. Even with the entire Bitcoin mining hashrate (≈ 6 * 10^20 H/s as of 2025) against an unsalted hash: ~2 * 10^3 years. Against bcrypt: astronomical. More than enough.correct-horse-battery-staple, the famous XKCD-936 example): 7776^4 = 3.7 * 10^15 combinations. Against bcrypt: ~10^4 years. Solid for most accounts, marginal for high-stakes master passwords.anchor-moon-spring-mirror-copper-dew): 7776^6 = 2.2 * 10^23 combinations. Recommended size for KeePass, 1Password or Bitwarden master passwords. Even at a hypothetical 10^15 attempts per second, 7 billion years are not enough. Gold standard.Even the strongest password does not help against phishing, keyloggers, cross-site reuse or server-side plaintext storage. Highest-impact-per-effort moves: (1) use a password manager so every account gets its own 16+ char password; (2) FIDO2/WebAuthn hardware keys (e.g. YubiKey) instead of SMS 2FA; (3) for the master password, use a 6-word passphrase with one capital and one symbol. Also: a random 8-character password is still crackable against unsalted MD5 or SHA-1 hashes (legacy systems) — the storage scheme (bcrypt, scrypt, Argon2id) is part of the security budget. See the OWASP Password Storage Cheat Sheet.
Math.random() safe enough for passwords?Math.random() is a deterministic PRNG (xorshift128+ in V8/Chromium) and not designed for security — internal state is only 128 bits and predictable. This generator exclusively uses crypto.getRandomValues(), which is wired to the OS cryptographic source (CSPRNG).haveibeenpwned.com with 13+ billion leaked credentials as of 2026), service B must not fall with the same password. Password managers exist precisely for this: remember only the master password, everything else is randomly generated and auto-filled.0 vs. O, 1 vs. l vs. I. Useful when the password is typed from a printout or screen (server maintenance, printer setup). Trade-off: slightly reduced entropy per character — at 16 chars it costs about 0.3 bits, negligible.