Our Password Generation Methodology

Complete transparency in how we generate passwords. Learn about the cryptographic techniques, security standards, and privacy-first approach that power our password generation tools.

Last Updated: January 26, 2026

Why Methodology Matters

When you trust a tool to create passwords that protect your most sensitive accounts, you deserve to know exactly how those passwords are generated. Many password generators operate as black boxes, providing no insight into their methods. We believe security through transparency is superior to security through obscurity.

Our password generation methodology is built on three fundamental pillars: cryptographic randomness, client-side privacy, and adherence to established security standards. Every password generated on this site follows the same rigorous process, whether it's a 12-character password or a 64-character passphrase.

Core Principles of Our Password Generation

Cryptographic Randomness

We use the Web Crypto API's cryptographically secure pseudorandom number generator (CSPRNG) for all random value generation. This provides unpredictability that meets cryptographic standards, unlike standard JavaScript Math.random().

Client-Side Processing

All password generation happens entirely in your browser. Your passwords never touch our servers, never traverse the internet, and are never stored anywhere except your local device. Complete privacy by design.

Standards Compliance

Our tools follow NIST SP 800-63-4 guidelines (finalized July 2025), emphasizing length over complexity with a minimum of 8 characters required and 15+ characters recommended for single-factor authentication. We stay current with evolving security recommendations.

Maximum Entropy

We maximize password entropy (randomness) by using large character sets and sufficient length. Our generators calculate and display entropy values so you can make informed decisions about password strength.

No Patterns or Predictability

Every character is independently selected from the available character set. We don't use memorable patterns, dictionary words (except in passphrases), or predictable sequences that could weaken security.

Open Methodology

This page documents exactly how we generate passwords. Our approach is inspectable in your browser's developer tools, and we encourage technical users to verify our implementation.

Technical Implementation: How We Generate Passwords

Step 1: Cryptographic Random Number Generation

The foundation of secure password generation is unpredictable randomness. We use the Web Crypto API, specifically the crypto.getRandomValues() method, which provides cryptographically strong random values suitable for security-sensitive operations.

// Fill a buffer of `length` bytes with output from the operating system's CSPRNG
const array = new Uint8Array(length);
crypto.getRandomValues(array);

This approach is fundamentally different from Math.random(), which uses a predictable pseudorandom algorithm unsuitable for cryptographic purposes. The Web Crypto API accesses your operating system's CSPRNG, which gathers entropy from various hardware and software sources to ensure true unpredictability.

Step 2: Character Set Selection

Based on your preferences (uppercase letters, lowercase letters, numbers, symbols), we construct a character set containing all possible characters. For example, if you select all options, the character set might look like:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+-=[]{}|;:,.<>?

The larger the character set, the higher the entropy per character. A 95-character set (all printable ASCII characters) provides approximately 6.57 bits of entropy per character.

Step 3: Unbiased Random Selection

For each character position in the password, we select a random index into the character set. A naive mapping such as random_value % charset_size introduces modulo bias whenever the range of the random value (for example 256 for a single byte) is not an exact multiple of the character-set size, because the low indices are reached by one more random value than the high ones. To avoid this, we use rejection sampling: random values that fall at or above the largest multiple of the character-set size within the range are discarded and redrawn.

This ensures every character in the character set has an exactly equal probability of being selected, maintaining perfect statistical randomness across the entire password.

Step 4: Entropy Calculation

We calculate the password's entropy using the formula: entropy = length × log2(charset_size). This mathematical measure represents the number of bits required to represent all possible passwords of that length and character set. Higher entropy means exponentially more possible combinations.

For example, a 16-character password using 95 characters has approximately 105 bits of entropy, representing 2^105 (roughly 4 × 10^31) possible combinations. Learn more about password entropy and why it matters.

Step 5: Display and User Interaction

The generated password is displayed on your screen but never sent to any server. You can copy it to your clipboard, regenerate it, or adjust settings and generate a new one. All operations remain entirely local to your device.

Passphrase Generation Methodology

Our passphrase generator follows a similar but distinct methodology optimized for memorability while maintaining high entropy. Instead of random characters, we use randomly selected words from a curated word list.

Word List Selection

We use a carefully curated list of common English words, avoiding obscure terms, offensive language, and easily confused words. The word list contains several thousand words, providing substantial entropy per word (approximately 11-13 bits depending on list size).

Random Word Selection

Using the same Web Crypto API cryptographic randomness, we select words independently and at random from the word list. A 6-word passphrase from a 7,776-word list (similar to the Diceware list) provides approximately 77 bits of entropy, equivalent to a strong random password.

Separator and Capitalization

Users can choose separators (hyphens, spaces, none) and capitalization styles to meet specific system requirements while maintaining the core entropy of the word selection. These variations don't significantly impact entropy since the security comes from which words were selected, not how they're formatted.

Privacy and Security Guarantees

Zero Server Communication

Our password generation tools require no backend servers, databases, or API calls. When you load a page, your browser downloads the HTML, CSS, and JavaScript once, and all subsequent operations happen entirely on your device. We cannot see, log, or access any passwords you generate because they never leave your browser.

No Analytics on Sensitive Pages

We do not use analytics tracking on our password generator pages. While we may use privacy-respecting analytics on informational pages to understand which guides are most helpful, our actual password generation tools contain no tracking code whatsoever.

Open Source Verification

Technically inclined users can verify our methodology by inspecting the page source in their browser. Press F12 to open developer tools and examine the JavaScript code that performs password generation. You'll see the cryptographic random number generation and selection logic directly.

No Dependencies or External Resources

Our password generators contain all code inline—no external JavaScript libraries, no CDN dependencies, no third-party code that could potentially compromise security or privacy. This reduces attack surface and ensures everything is visible and verifiable.

Adherence to Security Standards

NIST SP 800-63-4 Guidelines

We align our recommendations with NIST Special Publication 800-63-4 (finalized July 2025), which represents current U.S. government guidance on digital identity and authentication. Key principles include prioritizing password length over character complexity, requiring a minimum of 8 characters and recommending 15 characters or more for single-factor authentication, and avoiding forced periodic password changes without evidence of compromise.

OWASP Best Practices

Our methodology reflects OWASP (Open Web Application Security Project) authentication guidelines, including sufficient entropy requirements, avoidance of common passwords, and support for long passwords and passphrases (we support up to 128 characters).

Academic Cryptographic Standards

We base our entropy calculations on established information theory and ensure our random generation meets cryptographic security requirements as defined by modern security research. Visit our about page to learn more about our commitment to security standards.

Frequently Asked Questions

You can verify our methodology in several ways. First, open your browser's developer tools (press F12) and inspect the JavaScript source code on any of our generator pages. You'll see direct usage of the Web Crypto API's crypto.getRandomValues() method.

Second, you can generate multiple passwords and observe that there are no patterns, repeated sequences, or predictable elements. True cryptographic randomness produces results that appear completely unpredictable and show no statistical bias when analyzed.

Third, the Web Crypto API itself is implemented by browser vendors and audited by security researchers worldwide. It's the same technology that secures HTTPS connections and other critical security features in your browser.

JavaScript's Math.random() is a pseudorandom number generator designed for general programming purposes, not cryptographic security. It uses predictable algorithms that can be reverse-engineered if an attacker observes enough outputs, making it unsuitable for password generation.

The Web Crypto API provides cryptographically secure pseudorandom number generation (CSPRNG) that meets security standards for cryptographic operations. It's designed specifically to be unpredictable even to attackers with significant computational resources and knowledge of previous outputs.

This is a fundamental security requirement for password generation—using Math.random() would be a critical vulnerability.

Actually, client-side generation provides superior security and privacy compared to server-side generation. When passwords are generated in your browser, they never traverse the internet, never touch our servers, and exist only on your device. This eliminates entire categories of attack vectors including network interception, server breaches, and logging vulnerabilities.

The Web Crypto API in modern browsers provides the same cryptographic strength as server-side generation while offering better privacy guarantees. The only potential concern would be if your local device were compromised, but in that scenario, any password entry would be vulnerable regardless of where the password was generated.

Our password generators contain no server communication code whatsoever. You can verify this by monitoring your browser's network activity while using our tools—you'll see no network requests after the initial page load. There's literally no mechanism for passwords to be transmitted or stored remotely.

Additionally, we don't use local storage, cookies, or any browser storage APIs to save generated passwords. Each password exists only in your browser's memory and in your clipboard if you choose to copy it. Refreshing the page or closing the tab completely removes any trace of the password.

For absolute verification, you can disconnect from the internet after loading a generator page, generate passwords while offline, and confirm they work perfectly—demonstrating that no server communication is involved.

Many password generators don't disclose their methodology at all, operating as black boxes. We provide complete transparency about our cryptographic password generation process, allowing technical users to verify our implementation and non-technical users to understand the security principles.

We prioritize privacy through client-side generation, adhere to current NIST guidelines rather than outdated complexity requirements, provide detailed entropy calculations to help users understand password strength, and maintain no dependencies on external libraries or services that could compromise security.

Most importantly, we're committed to education alongside tools—helping you understand not just that a password is strong, but why it's strong and how it was created.

We continuously monitor developments in password security research and update our methodology when new guidelines emerge from authoritative sources like NIST, OWASP, and academic security research. For example, we updated our recommendations in 2025 to reflect NIST SP 800-63-4's finalization, which emphasizes password length (minimum 8 characters required, 15+ recommended) and eliminates mandatory periodic password changes.

However, the core cryptographic principles underlying our password generation methodology—using CSPRNGs for unpredictable randomness and maximizing entropy through sufficient length and character set size—are fundamental and unlikely to change. These principles have been well-established for decades.

We document any methodology changes on this page and in our about section to maintain transparency about our approach over time.

Experience Our Methodology in Action

Now that you understand how we generate passwords, try our tools and see cryptographic password generation in action. All our tools follow the methodology described on this page.

Explore Our Password Tools