When you click "Generate Password" in a password tool, the output looks random — but how random is it, really? Understanding what makes a password generator secure helps you trust the tool you are using and make better choices about password length and complexity. This guide explains the technical mechanisms behind secure password generation without requiring a computer science background.
The Problem With Human-Generated Passwords
People are poor random number generators. When asked to pick a "random" character, humans show strong biases: we favour letters over numbers, avoid unusual symbols, prefer characters in the middle of a keyboard, and create patterns that feel random but are predictable (like substituting @ for A or 3 for E). Attackers exploit these patterns using rules-based cracking tools that try common substitutions before brute force. A genuinely random password has none of these predictable patterns.
What Makes a Password Generator Secure
Secure password generators use a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) — a random number generator specifically designed to be unpredictable even to an observer who knows the algorithm. Modern browsers expose this through the window.crypto.getRandomValues() API, which draws from the operating system's entropy pool (fed by hardware events like mouse movements, keystroke timings, and hardware sensors). This is fundamentally different from Math.random(), which is fast but not cryptographically secure and should never be used for security-sensitive purposes.
How the EasyPZ Password Generator Works
The Password Generator uses window.crypto.getRandomValues() to produce random byte values, which are then mapped to the character set you select (lowercase, uppercase, numbers, symbols). The mapping is done carefully to avoid introducing bias — a common mistake in naive implementations is taking a random number modulo the character set size, which slightly favours lower-numbered characters when the character set size does not divide evenly into the random number range. A proper implementation uses rejection sampling to eliminate this bias.
Crucially, the tool runs entirely in your browser. No passwords are sent over the internet, stored on any server, or logged anywhere. The generated password exists only in your browser session.
Password Entropy — Why Length Matters More Than Complexity
Password security is measured in entropy — the number of possible passwords an attacker would need to try to guarantee finding yours. Entropy depends on both the character set size and the password length. A 12-character password using all 94 printable ASCII characters has approximately 79 bits of entropy, meaning an attacker would need to try up to 2^79 combinations. Adding one more character adds about 6.5 bits — more than adding an entire new character type to a short password. In practice, a 16-character password using only lowercase letters is stronger than a 10-character password using all character types.
Recommended Password Lengths
- 16+ characters: Recommended for all accounts. With the full character set, this provides over 100 bits of entropy — well beyond what any current attack can crack.
- 12 characters: Minimum for important accounts (email, banking). Adequate today but shorter than ideal given hardware improvements.
- 8 characters: Commonly required as a minimum by websites. Considered weak by modern standards — too short if attackers can try billions of guesses per second offline.