You've probably seen a "password strength meter" turn green and felt satisfied — but do you actually know what's being measured? The answer is entropy, and understanding it will completely change how you think about password security.
Entropy: The Measure of Randomness
In information theory, entropy measures uncertainty or unpredictability. For passwords, entropy quantifies how many guesses an attacker would need to crack your password through brute force.
It's measured in bits. Each additional bit of entropy doubles the number of possible passwords. So 80 bits is not twice as strong as 40 bits — it's 2^40 (over a trillion) times stronger.
The Entropy Formula Explained
H = L × log2(N)
- H = entropy in bits
- L = length of the password (number of characters)
- N = size of the character set used
The formula assumes every character is chosen uniformly at random from the set; for a password a person picked by hand it overstates the real strength, as the next sections explain.
Example Calculations
Why Does It Matter in Practice?
Modern GPU clusters can attempt hundreds of billions of password hashes per second for weak hashing algorithms (like MD5). For strong modern algorithms (bcrypt, Argon2), attacks slow dramatically — but attackers compensate with dictionary attacks and rule-based mangling.
A password with 80+ bits of pure random entropy cannot be cracked by any currently known attack, regardless of hashing algorithm. A password of 40 bits can be cracked in hours.
Why "Complex" Passwords Aren't Always Strong
Here's the crucial insight: a password like P@ssw0rd! is complex — it has uppercase, lowercase, numbers, and symbols. But its entropy is near zero because it's a predictable mangling of a common word.
Attackers don't just try random characters. They use rule-based attacks that apply transformations like: replace 'a' with '@', add '123' at the end, capitalize the first letter. These rules instantly crack most "complex" passwords that humans create manually.
True entropy comes from true randomness, not from deliberate complexity.
Entropy vs. Crack Time
Assuming 1 trillion guesses per second (aggressive offline attack with a modern GPU):
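The formula, the mangled-word case and the crack-time estimate at 1 trillion guesses per second, worked through as an added example (this is not code from the page or its generator; the 100,000-word dictionary and 1,000 rule variants used for the P@ssw0rd! estimate are assumed figures for illustration):

```python
import math
import string

GUESSES_PER_SECOND = 1e12     # attacker rate assumed in the text above
SYMBOLS = string.punctuation  # the 32 printable ASCII symbols

def pool_size(password: str) -> int:
    """N for the naive formula: sum of the character classes present
    (26 lower + 26 upper + 10 digits + 32 symbols = 94 at most)."""
    n = 0
    if any(c.islower() for c in password):
        n += 26
    if any(c.isupper() for c in password):
        n += 26
    if any(c.isdigit() for c in password):
        n += 10
    if any(c in SYMBOLS for c in password):
        n += len(SYMBOLS)
    return n

def entropy_bits(length: int, n: int) -> float:
    """H = L * log2(N); only valid when every character is drawn uniformly
    at random from the pool, which a hand-picked password is not."""
    if length <= 0 or n <= 1:
        raise ValueError("length must be > 0 and pool size > 1")
    return length * math.log2(n)

def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to try the whole 2**bits keyspace at `rate` guesses/second
    (the expected time to hit the password is half of this)."""
    return 2.0 ** bits / rate

def effective_bits(dictionary_words: int, rule_variants: int) -> float:
    """What the attacker really searches for a mangled dictionary word:
    log2(words * rule variants), regardless of which character classes appear."""
    return math.log2(dictionary_words * rule_variants)

if __name__ == "__main__":
    weak = "P@ssw0rd!"
    naive = entropy_bits(len(weak), pool_size(weak))
    real = effective_bits(100_000, 1_000)  # assumed wordlist and rule counts
    print(f"{weak}: naive {naive:.1f} bits, as a mangled word ~{real:.1f} bits"
          f" -> {crack_seconds(real):.4f} s at 1e12 guesses/s")
    for bits in (40, 80, entropy_bits(16, 94)):  # 16 random chars, 94 pool
        years = crack_seconds(bits) / (365 * 24 * 3600)
        print(f"{bits:6.1f} bits -> {crack_seconds(bits):.3e} s ({years:.2e} years)")
```

The naive figure for P@ssw0rd! comes out near 59 bits while the dictionary-plus-rules figure is under 27, which is the gap the next section is about.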
How to Check Your Password's Entropy
Our password generator shows entropy in real time. When you generate a password, you'll see the exact bits of entropy calculated using the formula above. Aim for at least 80 bits for everyday accounts and 100+ bits for critical accounts like your email or password manager master password.
Takeaway
Entropy is the only objective measure of password strength. Ignore visual complexity (capital letters, symbols) and focus on what actually matters: length + true randomness + large character pool. A randomly generated 16-character password with all character types is infinitely harder to crack than a 20-character passphrase you came up with yourself.