> generate | secure | protect <

A: Humans are bad at creating random passwords. We tend to use predictable patterns, dictionary words, and personal information. A cryptographic password generator produces truly random, high-entropy passwords that are resistant to brute-force and dictionary attacks.

A: Very secure. This tool uses crypto.getRandomValues(), a CSPRNG built into your browser's Web Crypto API. The passwords are generated entirely on your device and never transmitted anywhere. The entropy display shows the actual mathematical strength of each password.

A: Entropy measures password strength in bits. It is calculated as log2(pool_size^length). A 16-character password using uppercase, lowercase, numbers, and symbols (~88 characters) has about 103 bits of entropy. Generally, 80+ bits is considered strong for most purposes.

A: For most accounts, 16 characters or more is recommended. For high-security applications, use 20-32 characters. The minimum acceptable length for any password is 12 characters. Longer passwords with diverse character sets provide exponentially more security.

A: Both can be secure. Random passwords are shorter but harder to remember. Passphrases (like 'correct-horse-battery-staple') are longer but more memorable. For machine-generated credentials, random passwords are preferred. For passwords you must type regularly, consider a passphrase with a password manager.

A: Set LENGTH to 16, enable all four character classes (uppercase, lowercase, numbers, symbols) and press [GENERATE]. A 16-character password with the full 88-character pool has roughly 103 bits of entropy — strong enough for bank accounts, SSH keys, and enterprise SSO. If your site rejects certain symbols, toggle them off; the entropy meter updates live to show how much strength the restriction costs you.

A: The algorithm itself is simple — the source of randomness is what matters. A secure password generator must:
1. Use a CSPRNG (cryptographically secure pseudo-random number generator) — in the browser, that's crypto.getRandomValues(); in Node.js, crypto.randomBytes(); in Python, secrets.choice().
2. Use rejection sampling to avoid modulo bias when mapping random bytes to a character pool.
3. Run client-side only — the password should never be sent over the wire before you use it.
Tools that rely on Math.random(), timestamps, or server-side generation fail #1 or #3 and should not be trusted.

A: "True randomness" in a browser means the output comes from the operating system's entropy pool via the Web Crypto API. Our tool calls crypto.getRandomValues(new Uint32Array(n)), which reads from /dev/urandom on Linux/macOS, BCryptGenRandom on Windows, or a hardware RNG (on modern CPUs with RDRAND). The passwords are statistically indistinguishable from true randomness and cannot be predicted even if an attacker knows every password ever generated on this device.

A: Yes. Set COUNT to any value up to 20 and press [GENERATE] to receive a list. Each password is generated independently with fresh entropy — no two will share a prefix or structure. Bulk mode is handy when provisioning new accounts, rotating secrets across a fleet, or preparing a lab environment. You can then copy the whole list at once.

A: They all describe the same action: producing a new high-entropy credential. Common variants you'll see in the wild include password generator free, generate password online, secure password creator, random password generator, and generate random password. Our tool covers every variant with identical strong defaults — open the page, click [GENERATE], copy.

A: No. Generation is 100% client-side JavaScript — the password never reaches our server, and we don't set analytics cookies on the generator. You can verify this by opening your browser's Network tab while clicking [GENERATE]: no outbound request is made. We also recommend generating inside a password manager (1Password, Bitwarden, KeePassXC) whenever possible so the credential is saved before you can accidentally lose it.