How Our Password Generator Works
Cryptographically Secure
PasswordGenerator101 uses industry-standard cryptographic techniques to generate passwords that are truly random and secure. This article explains the technology behind the tool and why it matters for your security.
The Problem with "Random"
Not all random number generators are created equal. Many programming languages include built-in random functions that are fine for games or simulations but dangerously predictable for security purposes.
Critical distinction: Math.random() in JavaScript is a Pseudo-Random Number Generator (PRNG) that uses a predictable algorithm. If an attacker knows the seed value, they can reproduce the entire sequence of "random" numbers—including your passwords.
What is CSPRNG?
A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) is specifically designed for security applications. It provides randomness that is:
- Unpredictable: Even knowing previous outputs, attackers cannot predict future values
- Non-reproducible: The sequence cannot be recreated without access to the system's internal state
- High entropy: Draws from multiple sources of randomness in your system
- Cryptographically validated: Meets rigorous security standards (NIST SP 800-90A)
The Web Crypto API
Modern browsers include the Web Crypto API, which provides access to a CSPRNG through the crypto.getRandomValues() method. This is the same randomness source used for:
- TLS/SSL encryption (HTTPS connections)
- Generating cryptographic keys
- Secure session tokens
- Digital signatures
Our Algorithm: Step by Step
Here's exactly how PasswordGenerator101 creates your passwords:
1. Build the Character Pool: Based on your selected options (uppercase, lowercase, numbers, symbols), we construct a string containing all possible characters. For maximum security, this includes 90+ unique characters.
2. Request Cryptographic Random Values: We call crypto.getRandomValues() to fill a typed array with random 32-bit unsigned integers. Each integer is generated from your system's entropy pool.
3. Map Random Values to Characters: For each position in the password, we use modular arithmetic to map the random integer to a character in our pool. This ensures uniform distribution across all possible characters.
4. Display and Calculate Strength: The generated password is displayed in your browser. We calculate entropy based on character pool size and length, then show a strength indicator.
The Actual Code
Here's a simplified version of our password generation logic:
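```javascript
const charSets = {
  uppercase: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lowercase: 'abcdefghijklmnopqrstuvwxyz',
  numbers: '0123456789',
  symbols: '!@#$%^&*()_+-=[]{}|;:,.<>?'
};

function generatePassword(length, options) {
  // Build the character pool from the selected options.
  let chars = '';
  if (options.uppercase) chars += charSets.uppercase;
  if (options.lowercase) chars += charSets.lowercase;
  if (options.numbers) chars += charSets.numbers;
  if (options.symbols) chars += charSets.symbols;

  // With no set selected the pool is empty and the modulo below would yield NaN.
  if (chars.length === 0) {
    throw new Error('Select at least one character set');
  }

  // Fill a typed array with 32-bit unsigned integers from the CSPRNG.
  const array = new Uint32Array(length);
  crypto.getRandomValues(array);

  // Map each random integer to a character in the pool.
  let password = '';
  for (let i = 0; i < length; i++) {
    password += chars[array[i] % chars.length];
  }
  return password;
}
```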
You can verify this code by viewing the source of our homepage (right-click → View Page Source).
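The mapping in step 3 uses `%`, and 2^32 is not a multiple of most pool sizes, so the first few characters of the pool are very slightly more likely than the rest. The following added example (not PasswordGenerator101's code) removes that residue with rejection sampling and computes the entropy figure from step 4; all function names are illustrative, and the `require` fallback is only there so it also runs in older Node.

```javascript
// Added example, not PasswordGenerator101's code. All names below are illustrative.
// Browsers and Node 19+ expose Web Crypto as globalThis.crypto; older Node needs require().
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const TWO_32 = 2 ** 32;

// Number of Uint32 values left over past the last full multiple of poolSize.
// With a plain `%`, the first `excess` characters of the pool get one extra chance each.
function moduloExcess(poolSize) {
  return TWO_32 % poolSize;
}

// Return an index in [0, poolSize) with exactly equal probability: values at or
// above the largest multiple of poolSize that fits in 2^32 are discarded and redrawn.
function unbiasedIndex(poolSize, nextUint32) {
  if (!Number.isInteger(poolSize) || poolSize < 1 || poolSize > TWO_32) {
    throw new RangeError('poolSize must be an integer in [1, 2^32]');
  }
  const limit = TWO_32 - moduloExcess(poolSize);
  let value;
  do {
    value = nextUint32();
  } while (value >= limit);
  return value % poolSize;
}

// One 32-bit unsigned integer from the CSPRNG.
function csprngUint32() {
  const buf = new Uint32Array(1);
  webCrypto.getRandomValues(buf);
  return buf[0];
}

// nextUint32 is injectable so the rejection path can be tested deterministically.
function generateUnbiasedPassword(length, chars, nextUint32 = csprngUint32) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  let password = '';
  for (let i = 0; i < length; i++) {
    password += chars[unbiasedIndex(chars.length, nextUint32)];
  }
  return password;
}

// Entropy in bits of a password drawn uniformly from the pool: length * log2(poolSize).
function entropyBits(length, poolSize) {
  return length * Math.log2(poolSize);
}
```

The four sets in the simplified code above total 88 characters, and `moduloExcess(88)` is 48, so with the plain modulo 48 of those characters are each favoured by one extra value out of 2^32. A pool whose size is a power of two, such as 64, has no excess and never rejects.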
CSPRNG vs PRNG: A Comparison
Understanding the difference between cryptographic and standard random number generators is crucial for security:
| Property | Math.random() (PRNG) | crypto.getRandomValues() (CSPRNG) |
|---|---|---|
| Predictability | Predictable if seed is known | Computationally infeasible to predict |
| Entropy Source | Algorithm-based, single seed | Hardware + OS entropy pool |
| Security Standard | No security guarantees | NIST SP 800-90A compliant |
| Use Cases | Games, simulations, non-security | Passwords, encryption, tokens |
| Browser Support | All browsers | All modern browsers (IE11+) |
Entropy Sources in Modern Systems
When you call crypto.getRandomValues(), your browser requests randomness from the operating system, which gathers entropy from multiple sources:
- Hardware random number generators: Intel RDRAND/RDSEED, ARM RNDR
- Interrupt timing: Precise timing of keyboard, mouse, and disk events
- Network packet timing: Arrival times of network data
- Thermal noise: Electronic noise in CPU and other components
- Process scheduling: Variations in CPU scheduling timing
This combination of sources ensures that even if one source is compromised or predictable, the overall randomness remains secure.
Security note: Modern Intel and AMD processors include dedicated hardware random number generators that directly sample physical phenomena, providing true randomness rather than algorithmic pseudo-randomness.
Why Client-Side Generation Matters
PasswordGenerator101 generates all passwords directly in your browser. This architectural choice provides significant security benefits:
- No transmission risk: Your password never travels over the internet
- No server logs: We can't accidentally log what we never receive
- No database breaches: There's no password database to steal
- Offline capability: Works without an internet connection
- Verifiable: You can inspect exactly what code runs in your browser
This is why we call it a zero-knowledge architecture—we literally cannot know your passwords because they never leave your device.