The Truth About Password Generators: Are They Really Random?
By Marcus Hale · 9 min read
A password generator that runs in your browser using cryptographic randomness produces genuinely unpredictable passwords. A generator that relies on Math.random(), sends data to a server, or uses a predictable algorithm does not. The difference matters, and it is invisible unless you know what to look for.
Every few months someone posts a thread asking whether online password generators are secretly logging passwords, reusing seeds, or just faking the whole thing. The suspicion is understandable: you type a website, click a button, and a password appears. How do you know the site itself did not keep a copy?
The short answer is that a well-built client-side generator is safe — not because you have to take the developer's word for it, but because the browser makes that guarantee technically enforceable. This article walks through how it works, what could go wrong, and how to pick a generator you can trust.
Two kinds of "random"
Most programming languages offer two ways to generate random numbers. The difference between them is the difference between a generator you can trust and one you should not.
Pseudo-random number generators (PRNGs) — These are what you get from JavaScript's Math.random() or Python's random module. They start from a seed value and apply a deterministic mathematical formula to produce a stream of numbers that look random. Given the same seed, they produce exactly the same sequence. They are fast and fine for games, shuffling a playlist, or picking a background colour, but they are not suitable for security. An attacker who knows the algorithm and can narrow down the seed can reconstruct the entire output sequence.
Cryptographically secure pseudo-random number generators (CSPRNGs) — These use entropy gathered from your device hardware — mouse timings, keystroke intervals, disk latency, thermal noise — as a seed source that is genuinely unpredictable. On modern browsers this is exposed through the Web Crypto API, specifically Crypto.getRandomValues(). The output cannot be reconstructed even if an attacker knows the algorithm, because the seed itself is unknowable.
Bottom line: If a generator uses Math.random(), do not use it for anything you actually care about. If it uses Crypto.getRandomValues() or the Web Crypto API, the randomness is as strong as what your operating system uses for encryption keys.
Client-side vs server-side: the real privacy question
Even a perfect randomness source is useless if the generated password is transmitted to a server. Some online generators work by making an API call to a backend that generates the password and sends it back. That means the server can log it, and you have no way to verify it does not.
The safest approach is client-side generation — the entire process happens in your browser, using JavaScript that loads when the page opens and executes locally. No network requests are made at any point. You can verify this by opening your browser's developer tools, clicking the Network tab, and watching to see if any data is sent when you hit "Generate." If the network log stays silent, the password never left your device.
That is exactly how our free password generator works. The page is entirely static HTML, CSS, and JavaScript served from a CDN. Every password is generated locally using the Web Crypto API. Nothing is logged, stored, or transmitted. You can even save the page and run it offline.
Rejection sampling: the trick that keeps passwords fair
A subtle problem: if you ask a generator for a 20-character password that must include a digit, a symbol, and a capital letter, the naive approach is to generate characters until you happen to get one from each required category. That pushes the output toward more common characters and away from truly uniform randomness.
The better approach is rejection sampling. The generator picks a random value from the full character set and simply discards any result that falls outside the subset needed for each position. It sounds wasteful, but it is fast enough that the user never notices, and it guarantees every character comes from a uniform distribution. If the generator you use does not mention rejection sampling or "uniform distribution," it is probably taking shortcuts with the randomness quality.
Length is still king
None of this technical detail matters if the passwords you generate are too short. A perfect CSPRNG generating a 6-character password still produces something a hacker's rig could crack in minutes. The strength comes from the combination of genuine randomness and sufficient length.
Here is how passwords of different lengths built from genuine cryptographic randomness hold up against real-world attack speeds, assuming a standard brute-force attack:
- 6 characters — cracked in seconds
- 8 characters — cracked in hours
- 12 characters — years to centuries depending on complexity
- 16 characters — thousands of years even at top-end cracking speeds
- 20+ characters — effectively uncrackable by brute force
These figures assume the attacker is going after a properly hashed password (bcrypt, Argon2id). If the site stores passwords in plain text, no generator can save you — and that is the site's fault, not yours.
What about password managers with built-in generators?
Most password managers include a password generator. NordPass, Bitwarden, 1Password and Dashlane all use CSPRNGs to generate passwords locally on your device. These are excellent options because the generated password goes straight into the vault and never appears in plain text outside the app. If you already use a password manager, its built-in generator is the most convenient option.
That said, a dedicated online generator has advantages for certain use cases. You might want to generate a password without signing into your vault on a shared device, create temporary passwords for guest accounts, or test different password patterns quickly. A well-built client-side tool fills that niche without compromising security.
How to check whether a generator is trustworthy
- Open DevTools. Press F12 or Ctrl+Shift+I, go to the Network tab, and click "Generate." If any requests appear, the password is going somewhere.
- Check the source code. Search the page's JavaScript for getRandomValues. If you find Math.random instead, walk away.
- Look for offline capability. If the page works after disconnecting from the internet, it proves client-side generation.
- Read the privacy policy. If the generator claims not to store passwords but the privacy policy collects data indiscriminately, the site is not worth your trust.
If you want to see what a properly built client-side generator looks like, try ours on the password generator page. The entire source is visible in your browser — no server calls, no tracking, no tricks.
The short version
Yes, a well-built password generator creates genuinely random passwords you can trust. The key safeguards are client-side execution, cryptographic randomness (getRandomValues), rejection sampling, and a transparent privacy policy that explicitly states nothing is stored. If a tool meets all four criteria, you can use it with confidence.
Curious how strong your current passwords are? Drop one into our password strength analyser — it runs locally in your browser too, and it will tell you the entropy, estimated crack time, and exactly which bits to improve.
Frequently asked questions
Are free online password generators safe?
Yes, if they run entirely in your browser using the Web Crypto API (client-side). No data is sent to any server. Avoid tools that require accounts or claim to store your generated passwords.
Do password generators actually create random passwords?
Good ones do. They use the browser's built-in cryptographic random number generator (Crypto.getRandomValues), which is the same randomness your operating system uses for encryption. Avoid generators that rely on Math.random(), which is not cryptographically secure.
Can a password generator produce the same password twice?
Technically yes — randomness means any output is possible. But the odds are astronomically small. For a 16-character password with 95 possible characters per position, there are 95^16 possible combinations. Generating the same password twice is less likely than winning the lottery twice in a row.
Should I trust a browser extension password generator over a website?
Both can be safe if they use cryptographic randomness locally. The key difference is trust: a browser extension has access to every page you visit, while a website tool only runs on that page. A dedicated website like ours that runs entirely client-side with no server interaction is the safest option.
This article is general security education, not professional advice.