How to Generate Secure Random Passwords

Why Password Strength Matters

A password's strength is measured by its entropy — the number of bits of randomness it contains. Each bit doubles the number of possible combinations. A 40-bit password has roughly one trillion possible values, while an 80-bit password has over a sextillion. Modern password-cracking hardware can test billions of combinations per second, so high entropy is essential.

Understanding Entropy

Character Set Size

Entropy per character depends on the size of the character set. Lowercase letters only (26 characters) provide about 4.7 bits per character. Adding uppercase doubles the set to 52 characters (5.7 bits each). Including digits brings it to 62 characters (5.95 bits each). Adding symbols reaches 94+ characters (about 6.5 bits each).

Length vs Complexity

Length is more important than complexity. A 20-character lowercase password (94 bits) is stronger than a 12-character mixed-case-symbol password (78 bits). Longer passwords are also easier to type correctly and less likely to trigger frustrating 'invalid password' errors.

Cryptographic Randomness

Why Math.random() Is Not Enough

JavaScript's Math.random() uses a pseudo-random number generator (PRNG) that is not cryptographically secure. Its output can be predicted if the internal state is known. For password generation, always use crypto.getRandomValues() (Web Crypto API), which draws from the operating system's cryptographically secure random number generator.

Client-Side Generation

Generating passwords in the browser means the password never travels over the network and never exists on a server. This is the most private approach — the password exists only in the user's browser memory and clipboard. Tools that process everything client-side provide this guarantee by design.

Password Generation Strategies

Random Character Strings

The classic approach: generate a string of random characters from a defined character set. A 16-character string from the full printable ASCII set provides about 104 bits of entropy — well above the recommended minimum of 80 bits for sensitive accounts.

Passphrase Method (Diceware)

Select random words from a large word list (typically 7,776 words, matching the number of outcomes from five dice rolls). Each word contributes about 12.9 bits of entropy. A four-word passphrase provides 51.6 bits, while six words reach 77.5 bits. Passphrases are significantly easier to remember and type than random character strings.

Pronounceable Passwords

Some generators create passwords that follow phonetic rules — alternating consonants and vowels — making them easier to read aloud and remember. The trade-off is lower entropy per character, so these passwords need to be longer to match the strength of fully random strings.

Practical Recommendations

For password manager master passwords, use a 5-6 word passphrase (minimum 64 bits entropy). For individual account passwords managed by a password manager, use 20+ random characters — you never need to remember them. For WiFi passwords shared verbally, use a 4-word passphrase with no ambiguous characters. Always verify the generated password by copying it to a visible field before committing it to a password change form.