Random Password Generator — What Makes a Password Truly Random

The password Tr0ub4dor&3 feels random. It’s not. It follows a pattern that password crackers are explicitly designed to generate: a dictionary word, letter substitutions, appended special character, appended digit. A cracker running rule-based mutations on a dictionary will generate this password in seconds.

True randomness doesn’t feel random to humans. x7Kp#mQ2vL@R looks harder than Tr0ub4dor&3 but has the same entropy if generated from a proper character set. What matters is the generation process — not whether the result looks random to human eyes.

Use the Password Generator to generate cryptographically random passwords and passphrases.

What makes randomness “cryptographic”

Pseudorandom vs cryptographically secure pseudorandom

All computer-generated randomness is technically pseudorandom — computed from a mathematical function, not from physical entropy. The distinction that matters:

Pseudorandom Number Generator (PRNG): Math.random() in JavaScript, random.random() in Python. Seeded with a predictable value (often current timestamp). If an attacker knows the seed, they can predict all outputs.

Cryptographically Secure PRNG (CSPRNG): crypto.getRandomValues() in browsers, secrets module in Python. Seeded from OS-collected entropy (hardware events, timing variations, network activity). The seed is effectively unguessable.

For password generation, only CSPRNGs are acceptable. Using Math.random() to generate passwords is a security flaw.

// WRONG — not cryptographically secure:
function randomChar(charset) {
  return charset[Math.floor(Math.random() * charset.length)];
}

// CORRECT — uses CSPRNG:
function randomChar(charset) {
  const randomIndex = crypto.getRandomValues(new Uint32Array(1))[0];
  return charset[randomIndex % charset.length];
}

The Password Generator uses the Web Crypto API (crypto.getRandomValues()) — a CSPRNG backed by the operating system’s entropy pool.

Password entropy: how randomness translates to strength

Password strength is measured in bits of entropy — the log base 2 of the total number of possible passwords.

Entropy (bits) = log₂(character_space_size ^ password_length)

For a 12-character password from a 72-character set (lowercase + uppercase + digits + 10 common symbols):

Entropy = log₂(72^12) = 12 × log₂(72) = 12 × 6.17 = 74 bits

At 100 billion guesses per second (aggressive GPU cracking):

Expected time to crack = 2^74 / 10^11 seconds ≈ 189 million years

At 14 characters from the same set: 86 bits — computationally infeasible forever at any realistic attack rate.

Character set size vs password length

Adding 2 characters to the password length is roughly equivalent to adding more character types. A 16-character lowercase password has more entropy than a 12-character password with all character types.

What password crackers do

Understanding how passwords are cracked tells you exactly what to avoid:

Dictionary attacks

Try every word in a dictionary. 1 billion words per second on modern hardware. A single dictionary word is cracked in milliseconds.

Rule-based mutations

Combine dictionary words with transformation rules:

• Capitalize first letter: password → Password
• Append digits: password → password123
• Leet speak: password → p@ssw0rd
• Reverse: password → drowssap
• Append special character: password → password!

Hashcat includes 64,000 rule combinations. A “complex” password built from a dictionary word + rules is cracked faster than a short random password.

Hybrid attacks

Dictionary words concatenated: swordfish + dragon = swordfishdragon. Still cracked fast because both components are dictionary words.

Brute force

Try every possible combination in order. Effective for short passwords. At 100 billion guesses/second:

• 8 chars, 95 symbols: ~9 hours
• 10 chars, 95 symbols: ~35 years
• 12 chars, 95 symbols: ~32,000 years

12+ character random passwords are immune to brute force with current hardware.

Credential stuffing

Try passwords breached from other sites. If you reuse passwords, a breach at one service compromises your accounts at all services. This is the most common real-world attack — not brute force.

The mitigation: unique password for every account. A password manager makes this feasible.

What to configure in a password generator

Length

Minimum: 16 characters for any account that matters. 20+ for high-security accounts (email, banking, work systems). There’s no practical reason to use fewer than 16 in 2026 — password managers handle the typing.

Character sets

Most sites accept: lowercase, uppercase, digits, symbols. Some have restrictions (no special characters, or only specific symbols).

If the site accepts all character types:

• Use all of them
• 95 character set × 16 chars = 105 bits — never brute-forceable

If the site only allows alphanumeric (common on some legacy systems):

• Compensate with length: 20+ characters
• 62 character set × 20 chars = 119 bits — still secure

Avoiding ambiguous characters

Some generators offer to exclude visually ambiguous characters: 0 vs O, 1 vs l vs I. This is useful only if you need to type the password (which you shouldn’t — use a password manager). Excluding these characters slightly reduces entropy but the practical impact is negligible for passwords over 12 characters.

Using passwords correctly

Never reuse passwords

Every account needs a unique password. Credential stuffing attacks test breached credentials across thousands of sites automatically. A single reused password from a minor data breach unlocks every account that shares it.

Store in a password manager

1Password, Bitwarden, KeePass, Dashlane — these are the correct storage mechanism. A password manager:

• Generates secure random passwords
• Stores them encrypted with a single master password
• Auto-fills on websites (resists phishing — it checks the domain name)
• Syncs across devices

If you’re not using a password manager, you’re either reusing passwords or using passwords that are too short and pattern-based.

Use MFA wherever possible

Even a strong, unique password can be compromised by phishing (you type it into a fake site) or keylogging. Multi-factor authentication (TOTP apps, hardware keys) adds a second layer that’s immune to password theft.

Password policy failures

Counterproductive password policies that make passwords weaker:

Mandatory periodic rotation. Forcing password changes every 90 days leads users to increment a number (Password1! → Password2!). NIST SP 800-63B (2017) explicitly recommends against mandatory rotation. Change passwords only when evidence of compromise exists.

Maximum length limits. Some sites cap passwords at 16 or 20 characters — preventing strong random passwords. If you encounter this, it’s a red flag about the site’s security practices (suggests passwords may be stored in a fixed-size field, possibly without proper hashing).

Composition rules that exclude characters. “Password must contain a digit and a special character but not the following symbols: !@#$%” — these arbitrary restrictions reduce the valid character space and make passwords less random-feeling and harder to generate correctly.

The Password Generator on Xerobit

The Password Generator uses crypto.getRandomValues() in the browser — CSPRNG-quality randomness. Generated passwords are never transmitted to a server. The generator supports:

• Adjustable length (8–128 characters)
• Character set configuration
• Passphrase mode (dictionary words)
• Bulk generation

Related tools

• Password Generator — generate cryptographically random passwords
• Hash Generator — hash passwords with MD5, SHA-256
• UUID Generator — generate cryptographically random unique IDs