How InstantPassGen Works
InstantPassGen generates passwords entirely in your browser using cryptographically secure randomness. No data ever leaves your device.
Local generation
Every password is created on your device using your browser's built-in
crypto.getRandomValues() API — the same standard used by operating systems
and hardware security modules. Nothing is sent to a server. There is no backend.
Why this matters
A generator that sends your password to a server — even just to "rate" it — means that password has already left your device. InstantPassGen never does this.
Cryptographically secure randomness
crypto.getRandomValues() produces unpredictable, uniformly distributed
random bytes seeded by the OS entropy pool (hardware events, timing noise, etc.).
It is fundamentally different from Math.random(), which is a pseudorandom
number generator unsuitable for security purposes.
No modulo bias
Mapping random bytes to a character pool naïvely (e.g. byte % poolSize)
introduces statistical bias when the pool size doesn't evenly divide 256.
InstantPassGen uses rejection sampling: any byte that would cause bias is discarded
and a new one drawn.
Fisher-Yates shuffle
After sampling, characters are shuffled using the Fisher-Yates algorithm driven by the same secure source. This ensures no positional patterns survive generation.
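An added example (not InstantPassGen's own source) of the two steps above: rejection sampling to pick unbiased pool indices, then a Fisher-Yates shuffle driven by the same byte source. The function names and the injectable fill parameter are assumptions made for illustration; the pool is assumed to be an ASCII string of at most 256 characters.

```javascript
// Added example, not InstantPassGen's code. Works in a browser or in Node.
const webCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Default byte source. A deterministic source can be passed in for testing.
const secureBytes = (buf) => webCrypto.getRandomValues(buf);

// Unbiased integer in [0, n) for 1 <= n <= 256, using rejection sampling.
function randomIndex(n, fill = secureBytes) {
  if (!Number.isInteger(n) || n < 1 || n > 256) throw new RangeError('n must be 1..256');
  const limit = 256 - (256 % n);           // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  for (;;) {
    fill(buf);
    if (buf[0] < limit) return buf[0] % n; // bytes >= limit would over-represent low indices
  }
}

// Fisher-Yates: from the last slot down, swap slot i with a uniform slot in [0, i].
// Limited to 256 items because randomIndex draws a single byte.
function shuffle(items, fill = secureBytes) {
  const a = [...items];
  for (let i = a.length - 1; i > 0; i--) {
    const j = randomIndex(i + 1, fill);
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Sample `length` characters from `pool`, then shuffle their positions.
function generate(length, pool, fill = secureBytes) {
  const chars = Array.from({ length }, () => pool[randomIndex(pool.length, fill)]);
  return shuffle(chars, fill).join('');
}

// What byte % n does across all 256 byte values: how many bytes land on each index.
function naiveModuloCounts(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}
```

For a 94-character pool, naiveModuloCounts(94) shows indices 0 to 67 reachable from three byte values and indices 68 to 93 from only two, which is the bias that the limit check in randomIndex removes.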
Entropy estimate
Entropy (measured in bits) quantifies how many guesses a brute-force attacker needs. Each extra bit doubles the search space. InstantPassGen calculates Shannon entropy as:
bits = log₂(poolSize) × length
For example, a 16-character password using all character types (94-character pool) has log₂(94) × 16 ≈ 104 bits of entropy.
Practical thresholds
40 bits — cracked in seconds by modern hardware
60 bits — years on a dedicated rig
80 bits — infeasible today
128 bits — computationally impossible
Strength rating
The 5-segment strength bar is powered by zxcvbn-ts, a password strength estimator that analyses real-world attack patterns — dictionary words, keyboard walks, dates, repeated characters, and common substitutions.
Raw entropy alone doesn't capture weakness: aaaaaaaaaaaaaaaa has a large
character pool but is instantly guessable. zxcvbn catches these patterns and rates
accordingly. InstantPassGen combines both signals.
Crack time estimate
The time shown assumes offline, slow-hash brute force (e.g. bcrypt at 10k guesses/sec). Online attacks are far slower due to rate-limiting.
Passphrase generation
Passphrases use the EFF long wordlist — 7,776 carefully chosen words (equivalent to 5 dice rolls). Each word contributes approximately 12.9 bits of entropy. A 5-word passphrase gives ~64 bits; a 7-word passphrase gives ~90 bits.
Why passphrases?
Easier to memorise than random character strings while remaining resistant to brute force. The EFF list avoids offensive words and homophones that cause confusion when spoken aloud or written down.
Privacy & storage
By default, InstantPassGen stores nothing. No passwords are logged, saved, or
transmitted. The only persistent data is your theme preference
(localStorage).
The site has no analytics, no tracking scripts, and no cookies beyond what the browser sets for the Google Fonts cache.
Open to inspect
All generation logic runs in plain JavaScript visible in your browser's developer tools. The source is straightforward and auditable.