How Password Generators Work:
Entropy & Randomness
Unpredictability is Key
A good password isn't just "complex" with symbols; it needs high entropy (randomness). Computers generate randomness using physical noise or mathematical formulas. A password like Tr0ub4dor&3 is actually easier to crack than correct horse battery staple because length beats complexity.
# In this article
1. What is Entropy?
In cryptography, entropy is a measure of unpredictability or "randomness" in a password. It's usually measured in bits.
Think of it like this: If your password is "password123", the entropy is very low because it's a common pattern. A hacker's computer can guess it instantly.
Formula: Entropy = L * log2(R)
Where L is the password length and R is the number of possible characters (pool size). increasing Length (L) has a massive impact on security.
2. True vs Pseudo Random
Computers run on logic, so they are naturally bad at being random. To generate a secure password, we need a source of randomness.
PRNG (Pseudo-Random)
Math.random()
Uses a mathematical formula. If you know the "seed" (starting number), you can predict every future number. Fast, but unsafe for passwords.
CSPRNG (Crypto Secure)
crypto.getRandomValues()
Uses unpredictable events like mouse movements, keystrokes, or thermal noise from the hardware. Used for passwords.
3. The XKCD Method
A famous comic by XKCD pointed out a flaw in how we think about passwords. We often encourage "complexity" (weird symbols) over "length".
~28 bits of entropy.
Hard for humans, easy for computers.
~44 bits of entropy.
Easy for humans, hard for computers.
Combining 4 random common words creates a passphrase that is mathematically harder to guess than a short, gibberish password.
4. Why Humans Fail at Randomness
If asked to pick a "random" number between 1 and 10, most humans pick 7. If asked to pick a random key on a keyboard, we pick keys in the middle (f, g, j, h).
We have subconscious biases. We avoid repeating characters, or we pick patterns like "1212". That's why you should never trust your brain to create a password. Always use a tool.