What Is a Cryptographically Secure Password?
A cryptographically secure password is one generated with a cryptographically secure random number generator (CSPRNG). This means the output is unpredictable: future values cannot be derived from previous outputs. Most websites and apps generate passwords using predictable pseudo-random methods like Math.random(), which may look random but have predictable seeds. PassCraft uses the Web Crypto API's getRandomValues() — a true CSPRNG that relies on your operating system's entropy source. The difference between pseudo-random and cryptographically secure is the difference between good security and unbreakable security.
Password Generator — 8 to 12 Characters
Generate cryptographically secure passwords from 8 to 12 characters instantly. Choose your length, character set, and quantity. Powered by the Web Crypto API — your passwords never leave your browser.
Generate a Secure Password — Choose Your Length (8–12 Characters)
PassCraft generates passwords from 8 to 12 characters using your browser's Web Crypto API — the same cryptographic standard used by banks and security software. No data is ever sent to a server.
Frequently Asked Questions
How many characters should my password be?
Security experts recommend 8 characters as the minimum, with 12 characters or more for important accounts. PassCraft lets you generate passwords from 8 to 12 characters (or any length you choose) in seconds.
Is an online password generator safe to use?
PassCraft is safe because it runs entirely in your browser using the Web Crypto API. Unlike other tools, your passwords are generated locally and never transmitted, stored, or logged on any server.
What's the difference between an 8-character and 12-character password?
A 12-character random password is approximately 500,000 times stronger than an 8-character one due to the exponential increase in possible combinations. For most accounts today, 12 characters is the recommended minimum.
Math.random() vs Web Crypto API
| Feature | Math.random() | Web Crypto API |
|---|---|---|
| Predictability | Predictable seed | True entropy |
| Source | Algorithm | OS entropy pool |
| Safe for passwords | No | Yes |
| Suitable uses | Games, animations | Passwords, tokens |
How PassCraft Uses the Web Crypto API
PassCraft calls window.crypto.getRandomValues() to generate each password character. This method returns cryptographically random bytes from your operating system's entropy source. Unlike algorithms that can be replicated, there's no "seed" to predict. Each call produces genuinely random values suitable for security-critical applications.
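One way to turn getRandomValues() bytes into password characters, shown as an added example and not PassCraft's own code: it uses rejection sampling so that every character in the alphabet is equally likely. The function names, the 70-character alphabet and the injectable `fill` parameter are assumptions made for illustration.

```javascript
// Added example: names and alphabet are assumptions, not PassCraft's code.
// Browsers expose the CSPRNG as window.crypto; the fallback lets this run in Node.
const cryptoObj = globalThis.crypto ?? require('node:crypto').webcrypto;

const ALPHABET =
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*';

// Default byte source: fills the array from the OS-backed CSPRNG.
const csprngFill = (buf) => cryptoObj.getRandomValues(buf);

// Map random bytes to an index in [0, n) without modulo bias.
// 256 is rarely a multiple of n, so `byte % n` alone would favour low
// indices; bytes at or above the largest multiple of n are discarded.
function unbiasedIndex(n, fill = csprngFill) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('alphabet size must be between 1 and 256');
  }
  const limit = 256 - (256 % n); // largest multiple of n that is <= 256
  const buf = new Uint8Array(1);
  do {
    fill(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length, alphabet = ALPHABET, fill = csprngFill) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  const chars = [...new Set(alphabet)]; // duplicates would skew the distribution
  let out = '';
  for (let i = 0; i < length; i++) {
    out += chars[unbiasedIndex(chars.length, fill)];
  }
  return out;
}

// Entropy of a uniformly random password: length * log2(alphabet size).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

The `fill` parameter exists only so the sampling logic can be exercised with fixed bytes; production callers leave it at the default.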
Frequently Asked Questions
What is the Web Crypto API?
The Web Crypto API is a browser-native cryptographic interface. Its getRandomValues() method generates truly random numbers using the operating system's entropy source — not a predictable algorithm.
Why is Math.random() unsafe for passwords?
Math.random() is a pseudo-random number generator seeded with predictable values. An attacker who knows the seed can predict all outputs. The Web Crypto API has no predictable seed.
Does every browser support the Web Crypto API?
Yes. The Web Crypto API is supported in all modern browsers — Chrome, Firefox, Safari, Edge — and has been since 2015. PassCraft uses it on every password generation.