๐Ÿ‹
Menu
Best Practice Beginner 1 min read 244 words

Secure Password Generation: Algorithms and Best Practices

Explore the cryptographic random number generators behind secure password creation. Learn why Math.random() is never sufficient, how CSPRNG works, and the best practices for generating passwords in the browser.

Key Takeaways

  • JavaScript's `Math.random()` uses a pseudorandom number generator (PRNG) that is fast but predictable.
  • The Web Crypto API provides `crypto.getRandomValues()`, which draws from the operating system's entropy pool.
  • Always use `crypto.getRandomValues()` or an equivalent CSPRNG.

Why Math.random() Is Dangerous

JavaScript's Math.random() uses a pseudorandom number generator (PRNG) that is fast but predictable. Its internal state can be recovered from a small number of observed outputs, allowing an attacker to predict future values. Never use Math.random() for security-sensitive operations like password or token generation.

Cryptographically Secure Alternatives

The Web Crypto API provides crypto.getRandomValues(), which draws from the operating system's entropy pool. On Linux this reads from /dev/urandom, on Windows from BCryptGenRandom, and on macOS from SecRandomCopyBytes. These sources collect entropy from hardware events: disk timing, mouse movements, and interrupt timing.

Password Generation Strategies

| Strategy | Entropy (typical) | Memorability | Example |
|---|---|---|---|
| Random characters (16) | ~105 bits | Very low | kX9#mP2$vL7@nQ4& |
| Diceware (5 words) | ~64 bits | High | table-crane-amber-frost-violin |
| Diceware (7 words) | ~90 bits | Medium | longer phrase |
| Pronounceable (16) | ~60 bits | Medium | boquimaletopusan |

Best Practices

  • Always use crypto.getRandomValues() or equivalent CSPRNG
  • Generate passwords of at least 16 characters or 5+ diceware words
  • Include characters from multiple Unicode categories when possible
  • Never truncate or modify generated passwords; it reduces entropy
  • Store generated passwords in a password manager immediately

The Peasy password generator uses the Web Crypto API to create passwords entirely in your browser: no server communication, no logging, no storage.