Password Security · 6 min read · May 12, 2025

Passphrase vs Password: Which Is Safer?

Should you use a passphrase like 'correct-horse-staple' or a random string? We compare both with real entropy math and tell you when to use each.

In 2003, Bill Burr of NIST wrote the guidelines that shaped passwords for the next two decades — complexity requirements, special characters, regular changes. In 2017, he told the Wall Street Journal it was "barking up the wrong tree." The world moved to passphrases. Here's why — and when to use each.

What Is a Passphrase?

A passphrase is a sequence of random words used as a password. The classic example, coined by Randall Munroe of XKCD fame: correct-horse-battery-staple. It's long, it's memorable, and it's surprisingly strong.

What Is a Traditional Password?

A traditional random password is a string of mixed characters: xK#9mPqL@2nZ. It's hard to remember but extremely strong for its length.

Entropy Comparison

This is where it gets interesting. Passphrases draw from a large word pool (most implementations use ~2,000+ words). Each word adds log₂(2000) ≈ 11 bits of entropy.

Secret                          Entropy     Rating
3 random words                  ~33 bits    Weak
4 random words                  ~44 bits    Fair
5 random words                  ~55 bits    Good
6 random words                  ~66 bits    Strong
8 random words                  ~88 bits    Excellent
16-char random password         ~105 bits   Excellent

A 6-word passphrase (~66 bits) is roughly equivalent in entropy to a 10-character fully random password (~66 bits), but the passphrase is far more memorable.

When to Use a Passphrase

  • Master passwords for your password manager (you must memorize this)
  • Full disk encryption (BitLocker, FileVault) — must type at boot
  • SSH key passphrases — typed frequently
  • Anything you need to type manually on different devices
  • Elderly users or accessibility needs — much easier to type

When to Use a Random Password

  • Everything stored in a password manager — you never type it
  • Any account where the manager autofills
  • Service accounts and API keys
  • When maximum entropy per character is needed

The Critical Rule: Randomness Must Be Truly Random

A passphrase is only as strong as the randomness of the word selection. If you pick the words yourself, you'll unconsciously choose common, related, or personally meaningful words, drastically reducing entropy. Always use a tool that selects words with a cryptographically secure random source such as crypto.getRandomValues().

Put differently, an attack on a passphrase built from truly random words has to search every combination the wordlist allows, while an attack on human-chosen words is far easier because humans are predictable.

Practical Recommendation

Use a 6-word passphrase for anything you must memorize, and a 20+ character random password for everything stored in your password manager. SecurePass generates both — the Passphrase tab creates cryptographically random word combinations instantly.