Technical

How passwrd.in Creates Truly Random Passwords

7 min read • 2024-12-18

How passwrd.in Creates Truly Random Passwords

Hey there! So you're probably wondering - when you click that "Generate" button, what's actually happening? Let me take you on a journey through the tech that makes your passwords super secure.

The Problem with "Random"

Here's the thing - computers are actually terrible at being random. They're designed to be predictable, to do exactly what you tell them. So when we need randomness, we have to get creative.

Think about it like this: if I ask you to "pick a random number," you might say 7. But if you're like most people, you'll pick numbers between 1 and 10, and you'll probably avoid 1 and 10. Not very random, right?

Computers have the same problem, but worse. Without special tricks, they'll generate "random" numbers using mathematical formulas that are actually totally predictable if you know the starting point.

Our Secret Sauce: Multi-Layer Randomness

We don't mess around when it comes to randomness. Here's what happens when you generate a password:

Layer 1: Cryptographic Randomness (The Foundation)

First up, we use crypto.getRandomValues() - this is the browser's built-in cryptographic random number generator. It's the same tech that:

  • Protects your online banking
  • Secures your credit card transactions
  • Encrypts your messages

This function taps into your computer's hardware to find truly random data. It looks at things like electrical noise, timing variations in your CPU, and other physical phenomena that are genuinely unpredictable.

Layer 2: Browser Entropy (The Secret Ingredient)

But we don't stop there. We've built our own "entropy collector" that gathers randomness from your browser session. Here's what we track:

Your Mouse Movements

  • Where you move your cursor
  • The exact pixel positions
  • How many movements you've made

Nobody moves their mouse exactly the same way twice. Ever.

Network Timing

  • How long did your DNS lookup take?
  • Connection speed variations
  • Response time fluctuations

Network timing varies by milliseconds based on everything from server load to whether your neighbor started streaming Netflix.

System Characteristics

  • Screen resolution and pixel density
  • Number of CPU cores
  • Device memory
  • Your timezone offset
  • Current timestamp down to microseconds
  • Browser language and platform

The Magic Combination We take all these values, mix them together using a hash-like algorithm, and use that to add extra unpredictability to the cryptographic random numbers. It's like adding hot sauce to an already spicy dish - extra kick for extra security.

Why This Matters

Let's talk real numbers for a second. A truly random 20-character password using our default settings (uppercase, lowercase, numbers, symbols) has:

72^20 = 3,914,080,000,000,000,000,000,000,000,000,000,000 possible combinations

That's 3.9 undecillion possibilities. Even if someone had a supercomputer trying a billion passwords per second, it would take longer than the age of the universe to try them all.

But here's where the entropy comes in: without TRUE randomness, an attacker might be able to predict the next password you generate if they know the algorithm. With our multi-layer approach, that's impossible because:

  1. They'd need to know the exact state of your crypto random generator
  2. They'd need to know your exact mouse position at generation time
  3. They'd need to know your exact network timing
  4. They'd need to know all your system specs
  5. They'd need to know the exact microsecond you generated it

Good luck with that!

The Different Password Types

We offer different generators because different situations need different tools:

Random Passwords (The Tank)

  • Maximum security
  • Uses full entropy system
  • Best for: Banking, email, critical accounts

Memorable Passwords (The Friendly One)

  • Words you can actually remember
  • Still cryptographically random word selection
  • Best for: Accounts you log into manually

Passphrases (The Long Game)

  • Multiple random words
  • Length = strength (a 4-word passphrase is incredibly secure)
  • Best for: Master passwords, encryption keys

Domain Passwords (The Clever One)

  • Deterministic (same inputs = same password)
  • Uses SHA-256 hashing
  • Best for: When you can't use a password manager

What We DON'T Do

Just as important as what we do is what we DON'T do:

We don't store your passwords - Everything happens in your browser. When you close the tab, it's gone (unless you saved it to Quick Access, which is local browser storage only).

We don't send passwords anywhere - Not to our servers, not to analytics, nowhere. Zero network requests with your password data.

We don't use weak randomness - No Math.random(), no predictable algorithms. Only cryptographic-grade randomness.

We don't compromise on length - Our minimum is 8 characters, but we encourage 16-20+ for important accounts.

The Bottom Line

When you generate a password with passwrd.in, you're getting:

  1. Hardware-backed cryptographic randomness
  2. Enhanced with browser entropy from multiple sources
  3. Combined using secure algorithms
  4. Generated entirely in your browser
  5. Never sent anywhere or stored on our servers

It's like having a high-security vault that exists only in your browser, opens for a moment to give you a password, then vanishes without a trace.

Try It Out!

Head back to the homepage and watch what happens:

  1. Move your mouse around before generating
  2. Notice the password changes every time
  3. Check out the strength indicator - it'll show you exactly how secure your password is

Stay safe out there, and remember: the best password is one that's random, long, and unique to each account!

Ready to secure your accounts?

Generate a strong, memorable password now.

Generate Password Now →