🍋
peasy / dev
Menu
Alle Tools Anleitungen 140 Glossar 65 Dateiformate 131 Anwendungsfaelle 302 API

Categories

P pdf I image D document T text D developer C css D design V video A audio Q qr S seo S security S social M math G generator
🍋 peasytools.com
How-To Beginner 2 min read 488 words

How to Generate Secure Random Passwords

Weak passwords remain the leading cause of account compromises. This guide explains the principles behind cryptographically secure password generation and how to create strong, memorable passwords for different use cases.

Key Takeaways

  • A password's strength is measured by its entropy — the number of bits of randomness it contains.
  • Entropy per character depends on the size of the character set.
  • JavaScript's `Math.random()` uses a pseudo-random number generator (PRNG) that is not cryptographically secure.
  • The classic approach: generate a string of random characters from a defined character set.
  • For password manager master passwords, use a 5-6 word passphrase (minimum 64 bits entropy).
Featured Tool

Password Generator

Generate strong, random passwords

Try it Free

Why Password Strength Matters

A password's strength is measured by its entropy — the number of bits of randomness it contains. Each bit doubles the number of possible combinations. A 40-bit password has roughly one trillion possible values, while an 80-bit password has over a sextillion. Modern password-cracking hardware can test billions of combinations per second, so high entropy is essential.

Understanding Entropy

Character Set Size

Entropy per character depends on the size of the character set. Lowercase letters only (26 characters) provide about 4.7 bits per character. Adding uppercase doubles the set to 52 characters (5.7 bits each). Including digits brings it to 62 characters (5.95 bits each). Adding symbols reaches 94+ characters (about 6.5 bits each).

Length vs Complexity

Length is more important than complexity. A 20-character lowercase password (94 bits) is stronger than a 12-character mixed-case-symbol password (78 bits). Longer passwords are also easier to type correctly and less likely to trigger frustrating 'invalid password' errors.

Cryptographic Randomness

Why Math.random() Is Not Enough

JavaScript's Math.random() uses a pseudo-random number generator (PRNG) that is not cryptographically secure. Its output can be predicted if the internal state is known. For password generation, always use crypto.getRandomValues() (Web Crypto API), which draws from the operating system's cryptographically secure random number generator.

Client-Side Generation

Generating passwords in the browser means the password never travels over the network and never exists on a server. This is the most private approach — the password exists only in the user's browser memory and clipboard. Tools that process everything client-side provide this guarantee by design.

Password Generation Strategies

Random Character Strings

The classic approach: generate a string of random characters from a defined character set. A 16-character string from the full printable ASCII set provides about 104 bits of entropy — well above the recommended minimum of 80 bits for sensitive accounts.

Passphrase Method (Diceware)

Select random words from a large word list (typically 7,776 words, matching the number of outcomes from five dice rolls). Each word contributes about 12.9 bits of entropy. A four-word passphrase provides 51.6 bits, while six words reach 77.5 bits. Passphrases are significantly easier to remember and type than random character strings.

Pronounceable Passwords

Some generators create passwords that follow phonetic rules — alternating consonants and vowels — making them easier to read aloud and remember. The trade-off is lower entropy per character, so these passwords need to be longer to match the strength of fully random strings.

Practical Recommendations

For password manager master passwords, use a 5-6 word passphrase (minimum 64 bits entropy). For individual account passwords managed by a password manager, use 20+ random characters — you never need to remember them. For WiFi passwords shared verbally, use a 4-word passphrase with no ambiguous characters. Always verify the generated password by copying it to a visible field before committing it to a password change form.

Verwandte Tools

P Password Generator P Password Strength Checker H Hash Generator H HMAC Generator A AES Encrypt / Decrypt R Random String Generator C CSP Header Generator T Text Redactor C CORS Header Generator S SRI Hash Generator B Base64 Encoder / Decoder J JWT Decoder U UUID Generator T TOTP Configurator S SSL Certificate Decoder

Verwandte Anleitungen

How to Check if Your Password Has Been Compromised

Data breaches expose millions of passwords regularly. Learn how to check whether your credentials have been leaked without risking further exposure, using k-anonymity-based services and local hash comparison.

Password Managers Compared: Features That Matter

A password manager is the single most impactful security tool for most people. This comparison covers the key features to evaluate when choosing a password manager for personal or team use.

How to Strip EXIF Metadata From Photos for Privacy

Photos contain hidden metadata including GPS coordinates, device info, and timestamps. Before sharing photos online, learn how to remove this data to protect your privacy and prevent location tracking.

Encryption Best Practices for Personal Data

Encryption protects your data from unauthorized access, whether stored on your devices or transmitted over the internet. This guide covers practical encryption strategies for personal data protection.

Troubleshooting SSL/TLS Certificate Errors

SSL/TLS certificate errors prevent secure connections and scare away visitors. This guide explains common certificate warnings, their causes, and step-by-step fixes for website operators and visitors.