Password Generator

Entropy measures how unpredictable your password is, expressed in bits. Each bit of entropy doubles the number of guesses needed to crack it. A password with 40 bits (like a typical 8-character lowercase password) can be cracked in seconds by modern hardware. An 80-bit password provides strong protection against brute-force attacks even with dedicated hardware. For context, most security experts recommend 60-80 bits for standard accounts and 100+ bits for high-value accounts like password managers and financial services.

A passphrase of 4-5 random words from a large dictionary (e.g., the EFF long word list with 7,776 words) provides roughly 52-65 bits of entropy, which is comparable to a 10-12 character random alphanumeric string. Passphrases are primarily beneficial because they are easier to remember, type accurately, and transcribe over the phone. However, for maximum security, a long random string (16+ characters with all character types) is still superior, providing 100+ bits of entropy.

This is an estimate of how long it would take an attacker to guess your password by trying every possible combination (brute force), assuming 1 billion guesses per second — a conservative estimate for modern GPU-based cracking hardware. Real-world attacks may be faster (using specialized ASICs) or slower (against well-hashed databases using bcrypt/argon2). The estimate assumes the attacker knows your password's character set and length. For properly hashed passwords, the cracking speed is dramatically reduced by the hash algorithm's computational cost.

Ambiguous characters like O (letter) vs 0 (zero) and I (uppercase i) vs l (lowercase L) vs 1 (one) can cause problems when manually typing, reading over the phone, or transcribing passwords from paper. If you need to share passwords verbally or write them down temporarily, avoiding these characters reduces errors. For password managers (where you copy-paste the password), ambiguous characters are perfectly fine and add to the entropy.

crypto.getRandomValues() is a cryptographically secure pseudo-random number generator (CSPRNG) designed for security-sensitive applications like password generation, encryption key generation, and secure tokens. Math.random() is a general-purpose PRNG optimized for speed, not security — it is predictable if an attacker can obtain enough samples. Math.random() should never be used for passwords, session IDs, CSRF tokens, or any security-critical randomness.

The safest way to store passwords is in a dedicated password manager like 1Password, Bitwarden, LastPass, or KeePassXC. These tools encrypt your password vault with a strong master password and automatically fill passwords on websites. Writing passwords on paper is also secure if stored safely. Never store passwords in plain text files, spreadsheets, sticky notes on your monitor, or unencrypted digital notes.