How it works
This page describes the security model behind CryptoPass at a technical level. For habits and account safety, read the Password security guide.
Client-side generation
The generator logic runs in your browser as JavaScript. In normal use, generated passwords are not uploaded to our application server as part of the generation flow, because the computation happens on your device.
This model reduces server-side exposure, but it does not eliminate all risks. Malware, compromised browsers, shoulder surfing, and untrusted networks remain relevant.
Randomness source
We use the browser's cryptographically secure pseudorandom number generator through the Web Crypto API (crypto.getRandomValues). This is the appropriate API for generating secrets; non-cryptographic sources such as Math.random() are not designed to be unpredictable and must not be used for passwords.
Character sets and constraints
You can tune length and which character classes are included. Some systems reject certain symbols or enforce maximum lengths; the generator is designed to help you meet common constraints while keeping randomness high.
Strength and entropy estimates
Strength meters typically estimate difficulty under simplified attacker models. Real attackers combine dictionary attacks, breach-derived credentials, and targeted guessing. Treat the meter as feedback, not a formal audit.
Local history and exports
If you use history features, entries may be stored in browser local storage. Exporting history creates a file on your device; only export if you understand where that file will be stored and who can access it.
Hosting, TLS, and integrity
When you load the site over HTTPS, transport encryption protects content in transit between your browser and the hosting provider. You should verify you are on the correct domain and that your browser shows a valid certificate.
Optional third-party scripts
Google AdSense loads on public pages. In production, Vercel Web Analytics also loads for aggregated traffic measurement. Google may show a consent management platform (CMP) dialog in some regions. Those tools can introduce their own network requests and processing, as described in the Privacy policy.