Password Generator

Strong Password Generator: Secure Random Passwords

Generate cryptographically secure random passwords. Customize length, character sets, and quantity. Uses the Web Crypto API.

100% client-side. Your data never leaves your browser.


What Makes a Password Strong

A strong machine-generated password has two properties: high entropy (unpredictability) and no patterns (no dictionary words, no keyboard walks, no substitutions).

Entropy is measured in bits. Each bit doubles the number of possible passwords an attacker must try. A password drawn uniformly at random from a set of N possible characters has log2(N) bits of entropy per character.

| Character set | Characters available | Entropy per character |
|---|---|---|
| Lowercase only | 26 | 4.7 bits |
| Lowercase + digits | 36 | 5.2 bits |
| Mixed case + digits | 62 | 5.9 bits |
| Full printable ASCII | 95 | 6.6 bits |

A 20-character password from the full printable ASCII set has about 130 bits of entropy. A 20-character password limited to lowercase letters has 94 bits. The character set matters, but length matters more: adding one character from a 95-character set adds 6.6 bits of entropy. Expanding the character set from 26 to 95 only adds about 1.9 bits per character.

NIST SP 800-63B on Passwords

The NIST guidelines (updated in 2024) are worth knowing because they contradict older conventional wisdom about password policies:

For machine-generated passwords stored in a manager, none of these policy constraints matter. Use full entropy and maximum length.

Password vs Passphrase Entropy

A 20-character random password and a passphrase are different tools for different situations.

A 4-word Diceware passphrase (randomly selected from 7776 words):

correct horse battery staple

Entropy: log2(7776^4) ≈ 51.7 bits per word × 4 = about 207 bits. More entropy than a 20-character random password.

A 6-word Diceware passphrase has about 310 bits. That is unbreakable. It is also typeable and memorizable, which makes it the right choice for:

Use random character passwords for everything stored in your manager. Use passphrases for the handful of credentials you must remember or type regularly.

Web Crypto API vs Math.random()

The implementation difference is not subtle:

// WRONG: Math.random() is not cryptographically secure
function insecurePassword(length) {
  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  return Array.from({ length }, () => chars[Math.floor(Math.random() * chars.length)]).join("");
}

// CORRECT: crypto.getRandomValues() is a CSPRNG
function securePassword(length) {
  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";
  const array = new Uint32Array(length);
  crypto.getRandomValues(array);
  return Array.from(array, (n) => chars[n % chars.length]).join("");
}

The % chars.length operation introduces a small modulo bias when the character set size does not divide evenly into 2^32. For a 95-character set and a 32-bit random value, the bias is negligible in practice (the most common characters appear about 0.002% more often than the least common). For a security-critical implementation, use rejection sampling to eliminate even this small bias.
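
The rejection sampling mentioned above, as an added example that is not this tool's source code. The function names (unbiasedPassword, rejectionLimit, moduloHits) and the default 95-character alphabet are assumptions made for illustration; moduloHits uses an 8-bit range only so the uneven split can be counted exhaustively.

```javascript
// Added example (not the tool's own code): password generation with rejection sampling.
// Assumption: Web Crypto is global (browsers, recent Node); older Node falls back to node:crypto.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed default alphabet: the 95 printable ASCII characters, 0x20 (space) to 0x7E (~).
const PRINTABLE_ASCII = Array.from({ length: 95 }, (_, i) => String.fromCharCode(0x20 + i)).join("");

// Largest multiple of n that is <= 2^32. A 32-bit value below this limit maps
// onto n symbols with every symbol hit exactly limit / n times.
function rejectionLimit(n) {
  if (!Number.isInteger(n) || n < 2 || n > 2 ** 32) throw new RangeError("alphabet size must be 2..2^32");
  return 2 ** 32 - (2 ** 32 % n);
}

// Exhaustive view of the bias: feed every value in [0, range) through `% n`
// and count how often each symbol index is produced.
function moduloHits(range, n) {
  const hits = new Array(n).fill(0);
  for (let v = 0; v < range; v++) hits[v % n]++;
  return hits;
}

function unbiasedPassword(length, chars = PRINTABLE_ASCII) {
  if (!Number.isInteger(length) || length < 0) throw new RangeError("length must be a non-negative integer");
  const symbols = Array.from(new Set(chars)); // repeated characters would skew the distribution
  const limit = rejectionLimit(symbols.length);
  const buf = new Uint32Array(64); // refilled as needed; well under the 65,536-byte getRandomValues cap
  const out = [];
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const v of buf) {
      if (v >= limit) continue; // value falls in the uneven tail: discard it and draw again
      out.push(symbols[v % symbols.length]);
      if (out.length === length) break;
    }
  }
  buf.fill(0); // do not leave unused random words in memory
  return out.join("");
}
```

With a 95-symbol alphabet only the top 6 of the 2^32 possible values are rejected, so redraws are extremely rare and the loop cost is effectively the same as the plain modulo version.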

How This Tool Generates Passwords

The generator runs entirely in your browser. No password is sent to any server. The source of randomness is crypto.getRandomValues() from the Web Crypto API, which all modern browsers expose and which pulls from the OS CSPRNG.

After generation, copy the password directly into your password manager. Avoid pasting into intermediate locations (email drafts, notes apps, chat windows) where the value might be logged or synced.