Password Generator

Generate strong, cryptographically random passwords of any length.

# password-generator.md

Why "Correct Horse Battery Staple" Beats "P@ssw0rd123!"

In 2011, the XKCD comic #936 made a calculation that changed how security professionals think about passwords. "Tr0ub4dor&3" — a word with common substitutions and a punctuation suffix — is hard to remember but easy to crack algorithmically because password crackers are programmed to try dictionary words with l33t-speak substitutions first. "correct horse battery staple" — four random common words — has more entropy (44 bits vs. approximately 28 bits) and is trivially memorable. The insight: character complexity and memorability are often inversely correlated, while length and entropy are the factors that actually determine resistance to attack.

This tool generates passwords using the browser's crypto.getRandomValues API, a cryptographically secure random number generator backed by the operating system's entropy source, the same kind of source TLS libraries and operating-system key generation draw from. It does not use Math.random(), a pseudorandom number generator unsuitable for security because its internal state is small and can be recovered from a handful of observed outputs, after which every future value is predictable.

The Mathematics of Password Length

Entropy is measured in bits: for L symbols drawn uniformly from a set of size N, entropy = log2(N^L) = L × log2(N). A password from the 95-character printable ASCII set has log2(95) ≈ 6.57 bits per character. Practical thresholds:

  • 8 characters / 95-char set ≈ 52 bits: crackable offline with a high-end GPU cluster in hours to days against weak hashing (MD5/SHA1).
  • 12 characters ≈ 79 bits: computationally infeasible offline against bcrypt (cost 10) — would take millions of years.
  • 16 characters ≈ 105 bits: overkill for nearly all threat models; recommended for password manager master passwords.
  • 20+ characters ≈ 131 bits: appropriate for cryptographic keys and seed phrases.

The gap between 8 and 12 characters looks small numerically but represents a factor of 95^4 ≈ 81 million times more combinations, which translates to millions of years of cracking time against properly hashed passwords.
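The thresholds above worked through in code, added here as an example (not the tool's own code). The attacker guess rates are assumed order-of-magnitude figures for a GPU rig against an unsalted fast hash and against bcrypt at cost 10; swap in your own numbers.

```javascript
// Added example, not the page's own code: entropy arithmetic for a uniformly
// random password plus an expected crack-time estimate at an assumed rate.

// Bits of entropy for `length` symbols drawn uniformly from `setSize` symbols.
function entropyBits(setSize, length) {
  return length * Math.log2(setSize);
}

// Expected seconds for exhaustive search: on average half the space is tried.
function expectedCrackSeconds(bits, guessesPerSecond) {
  return 2 ** (bits - 1) / guessesPerSecond;
}

const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Assumed attacker throughput (order-of-magnitude figures, not measurements):
// a multi-GPU rig against unsalted MD5 vs against bcrypt at cost 10.
const RATES = {
  md5_gpu_rig: 1e11, // ~100 GH/s
  bcrypt_cost10_gpu_rig: 1e5, // ~100 kH/s
};

// Expected years to crack a uniformly random password of the given shape.
function crackYears(setSize, length, guessesPerSecond) {
  return expectedCrackSeconds(entropyBits(setSize, length), guessesPerSecond) / SECONDS_PER_YEAR;
}

// How many times larger the search space grows from `from` to `to` characters.
function spaceFactor(setSize, from, to) {
  return setSize ** (to - from);
}

for (const len of [8, 12, 16, 20]) {
  console.log(
    `${len} chars / 95-set: ${entropyBits(95, len).toFixed(1)} bits, ` +
      `MD5 ≈ ${crackYears(95, len, RATES.md5_gpu_rig).toExponential(2)} years, ` +
      `bcrypt(10) ≈ ${crackYears(95, len, RATES.bcrypt_cost10_gpu_rig).toExponential(2)} years`
  );
}
console.log(`8 -> 12 chars multiplies the space by ${spaceFactor(95, 8, 12).toExponential(2)}`);
console.log(
  `20 lowercase: ${entropyBits(26, 20).toFixed(1)} bits; 12 from 95-set: ${entropyBits(95, 12).toFixed(1)} bits`
);
```

The 8-character row lands in the hours range against MD5 and the 12-character row in the tens of billions of years against bcrypt, which is where the text's "hours to days" and "millions of years" come from; the exact figures move with whatever rate you assume.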

Symbol Requirements Are Security Theater When Poorly Implemented

Many sites require "at least one uppercase, one lowercase, one digit, one symbol" but cap length at 12 or 16 characters. For a randomly generated password the class requirement itself removes only a negligible sliver of the space, but it pushes human-chosen passwords toward predictable shapes (capital letter first, digit and symbol last), and the length cap throws away far more entropy than the rules add, while giving the illusion of security. A 20-character lowercase password drawn from 26 characters has roughly 94 bits of entropy; a 12-character "complex" password drawn from 95 characters has 79 bits, so the longer all-lowercase password is the stronger one. If a site forces complexity rules and caps length, the only winning move is a randomly generated password at the maximum permitted length that satisfies the constraints, which is exactly what this tool produces.

How to Use This Tool

  1. Set your desired length (12 minimum; 20+ recommended for high-value accounts).
  2. Choose character classes to include. Disable symbols only if the target site explicitly rejects them.
  3. Click "Generate" for a new random password.
  4. Click "Copy" and paste immediately into a password manager — do not type passwords generated here into the address bar or search box.

## man password-generator

?> How is crypto.getRandomValues different from Math.random()?

Math.random() is a pseudorandom number generator (PRNG) with a small internal state (128 bits in V8's xorshift128+); engines make no promise about how it is seeded, and an attacker who sees a handful of its outputs can recover that state and predict every value that follows. crypto.getRandomValues draws from the operating system's cryptographically secure random source (getrandom()/ /dev/urandom on Linux), which is seeded from hardware entropy and designed so that observed outputs reveal nothing about past or future ones. Only the latter is appropriate for security-sensitive generation.

?> A site caps passwords at 12 characters. Does length still matter?

Yes, but less dramatically. At 12 characters from a 95-character set you have about 79 bits of entropy, which is strong against offline brute force if the site uses bcrypt or Argon2. The real risk with short caps is that sites imposing them often also use weak password hashing — check the site's security disclosure if available.

?> Should I use a passphrase or a random character password?

Passphrases (4–5 random dictionary words) are excellent for passwords you must type from memory: master passwords, disk encryption keys. Random character passwords are better for everything stored in a password manager, because memorability is irrelevant and they need fewer characters for the same entropy.

?> Is it safe to generate passwords in a browser tab?

Yes, with a caveat: the generation itself uses a secure API and nothing is transmitted. The risk is your clipboard — generated passwords that sit in the clipboard can be read by any application with clipboard access. Paste immediately and avoid storing passwords in clipboard managers that sync to cloud services.