What This Tool Does
- Generates random passwords using crypto.getRandomValues() from the Web Crypto API.
- Uses rejection sampling to eliminate modulo bias, ensuring every character in the pool has an equal probability of being selected.
- Guarantees at least one character from each selected character set, then shuffles with a crypto-secure Fisher-Yates algorithm to avoid positional bias.
- Calculates and displays real-time entropy in bits so you can gauge password strength against brute-force attacks.
- Generates base64url-safe secrets for machine secrets and environment variables.
This generator runs entirely client-side. No passwords are transmitted, stored, or logged on any server.
What Makes a Strong Password
Password strength comes down to entropy, which measures in bits how many possible combinations an attacker would need to try; every additional bit doubles that number. A password with 128 bits of entropy would take billions of years to crack with current hardware.
There are a few key factors that determine entropy:
- Length matters most. Each additional character multiplies the number of possible combinations. A 20-character password from a 93-character pool has roughly 130 bits of entropy, which is well beyond what brute-force attacks can touch.
- Character diversity helps. Using uppercase, lowercase, numbers, and symbols expands the pool of possible characters. A password drawn from all four sets (93 characters) is significantly stronger than one using only lowercase letters (26 characters) at the same length. That said, NIST SP 800-63B-4 no longer recommends requiring mixed character types as policy. Forced complexity rules tend to produce predictable patterns. For randomly generated passwords, though, a larger character pool directly increases entropy.
- Randomness is non-negotiable. A long password like aaaaaaaaaaaaaaaa has zero effective entropy because it's trivially guessable. True randomness from a cryptographic source is what turns length and diversity into actual security.
- Avoid dictionary words and patterns. Attackers don't just brute-force; they use wordlists, common substitutions (like @ for a), and keyboard patterns. Randomly generated passwords sidestep all of these attack vectors.
- Never reuse passwords. Even a strong password becomes a liability if it's used across multiple services. A breach on one site gives attackers the key to every other account using the same credentials. Use a unique password for every service and store them in a password manager.
The entropy values shown by this tool assume the password is generated randomly from the full selected character pool. Human-chosen passwords with the same characters will have significantly lower effective entropy due to predictable patterns.
References & Specifications
The following standards and resources are relevant to password security and authentication best practices:
- NIST SP 800-63B-4 — Authentication & Authenticator Management: Current federal standards for authentication, including updated password length requirements and the removal of arbitrary complexity rules.
- OWASP Authentication Cheat Sheet: Practical guidance on implementing secure authentication systems, including password policies.
- OWASP Password Storage Cheat Sheet: Best practices for securely hashing and storing passwords, including recommendations for Argon2, bcrypt, salting, and password verification.
- RFC 4086 — Randomness Requirements for Security: Defines what constitutes cryptographically strong randomness and why it matters for security applications.