Passwords are generated using the Web Crypto API (crypto.getRandomValues), which provides cryptographically secure random numbers. This is the same source of randomness used by browsers for TLS connections.

Password strength depends on entropy — the number of possible combinations. A password with 80+ bits of entropy is considered very strong. Using a mix of uppercase, lowercase, numbers, and symbols with 16+ characters achieves this easily.

Yes. All generation happens entirely in your browser using the Web Crypto API. No passwords are ever sent to any server, stored, or logged.

Entropy measures password randomness in bits. It is calculated as log2(charset_size^length). For example, a 16-character password using 94 printable ASCII characters has ~105 bits of entropy.

You can generate up to 100 passwords at once in bulk mode. Each password gets its own strength indicator and copy button.

NIST recommends at least 12 characters, but 16+ is better. A 16-character password with mixed case, numbers, and symbols would take billions of years to brute-force with current hardware. Length matters more than complexity.

Passphrases (4-6 random words like correct-horse-battery-staple) are both stronger and easier to remember than complex passwords. A 4-word passphrase has ~44 bits of entropy, equivalent to a random 8-character password.

For online accounts: 40-50 bits minimum (brute-force is rate-limited). For encryption keys and offline attacks: 80+ bits. A random 12-character alphanumeric password has ~71 bits. This tool shows entropy for every generated password.