How SecurePass Works
We believe security tools should be transparent. Here's exactly how your passwords are generated and why it's safe.
100% Client-Side
Every password is generated directly in your browser using JavaScript. No data is ever sent to a server — not even anonymously. You can verify this by opening DevTools and checking the Network tab.
Cryptographic Randomness
We use the Web Crypto API's crypto.getRandomValues(), which provides cryptographically secure random numbers from your operating system's entropy pool. This is the same API used by professional security tools, and unlike Math.random() its output is designed to be unpredictable.
Shannon Entropy
Password strength is measured using Shannon entropy: H = L × log₂(N), where L is the password length and N is the size of the character set. The formula holds when every character is chosen independently and uniformly at random from that set. A password with 80+ bits of entropy would take longer than the age of the universe to brute-force.
Zero Data Retention
SecurePass stores nothing permanently. The optional History feature uses sessionStorage, which is wiped the moment you close your browser tab. We use no cookies, no analytics, no logs.
Fisher-Yates Shuffle
After assembling required characters from each enabled set, we shuffle the result using the Fisher-Yates algorithm with cryptographic randomness. This ensures the first character isn't always uppercase, so the position of each required character is as unpredictable as the character itself.
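The JavaScript below is an added example, not SecurePass's own source. It shows one way the pieces described above fit together: crypto.getRandomValues() with rejection sampling (so no index is favoured), the Fisher-Yates shuffle, and the entropy formula. The character sets and the names SETS, randomBelow, shuffle, generate and entropyBits are assumptions made for illustration.

```javascript
// Added example; every name and character set here is illustrative.
const cryptoApi = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback for older Node

const SETS = new Map([
  ['lower', 'abcdefghijklmnopqrstuvwxyz'],
  ['upper', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'],
  ['digits', '0123456789'],
  ['symbols', '!@#$%^&*()-_=+[]{};:,.?'],
]);

// Uniform integer in [0, n) by rejection sampling: values at or above the
// largest multiple of n are discarded, which removes the bias of a bare `% n`.
function randomBelow(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError('n out of range');
  const limit = Math.floor(2 ** 32 / n) * n;
  const buf = new Uint32Array(1);
  do { cryptoApi.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates: swap each position i with a uniformly chosen j in [0, i].
function shuffle(items) {
  for (let i = items.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [items[i], items[j]] = [items[j], items[i]];
  }
  return items;
}

function generate(length, enabled) {
  const sets = enabled.map((name) => SETS.get(name));
  if (sets.length === 0 || sets.includes(undefined)) throw new Error('unknown or empty set list');
  if (length < sets.length) throw new RangeError('length too short for the required sets');
  const pool = sets.join('');
  // One required character per enabled set, then fill from the combined pool.
  const chars = sets.map((s) => s[randomBelow(s.length)]);
  while (chars.length < length) chars.push(pool[randomBelow(pool.length)]);
  return shuffle(chars).join('');
}

// H = L × log2(N). With one character forced per set this is an upper bound,
// because strings missing a required set can no longer be produced.
function entropyBits(length, enabled) {
  const n = enabled.reduce((sum, name) => sum + SETS.get(name).length, 0);
  return length * Math.log2(n);
}
```

With these four sets N is 85, so a 16-character password scores about 102.5 bits.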
Frequently Asked Questions
Is this tool actually safe to use?
Yes. Passwords are generated entirely in your browser and never transmitted anywhere. Open your browser DevTools, go to the Network tab, and generate a password — you'll see zero network requests.
How long should my password be?
For most accounts, 16 characters with mixed case, numbers, and symbols gives ~100 bits of entropy — effectively uncrackable. For critical accounts (banking, email), use 24+ characters.
Should I use a passphrase or a password?
Passphrases (like 'correct-horse-battery-staple') are great for things you need to type or remember. Random passwords are better for accounts managed by a password manager.
What is entropy and why does it matter?
Entropy measures randomness in bits. Each bit doubles the number of possible combinations. At 80 bits, there are 2^80 ≈ 10^24 combinations — at a trillion guesses per second, this takes billions of years.
Why exclude ambiguous characters?
Characters like 0 (zero) and O (capital-O), or 1 and l (lowercase-L) look identical in many fonts. Excluding them prevents transcription errors when manually copying passwords.