How Password Generators Work (And Why You Can't Do It Yourself)
You've probably tried to make up a "random" password by mashing your keyboard or picking letters out of thin air. Here's the problem: your brain doesn't do random. Decades of research in cognitive science have shown that humans are remarkably bad at generating random sequences. We unconsciously favor certain letters, avoid repeating characters, and gravitate toward patterns we've seen before.
Attackers know this. AI-powered cracking tools are trained on millions of human-created passwords and can predict the patterns we think are random. This is exactly why password generators exist — to produce passwords that have genuinely no patterns to exploit.
How password.dog Generates Your Password
Based on your settings (uppercase, lowercase, numbers, symbols), the generator assembles the set of characters it can pick from. With all four enabled, that's 26 + 26 + 10 + 32 = 94 possible characters per position.
The generator calls crypto.getRandomValues(), a method of the Web Crypto API built into your browser. It draws randomness from your operating system's entropy pool, which collects unpredictable data from hardware events like mouse movements, keystroke timing, and disk I/O. This is not the same as Math.random(), which is predictable.
Each random number is mapped to a character in the pool. For a 20-character password, 20 random numbers are generated and converted to 20 characters. Each character is independently selected — no position influences any other.
To ensure the password meets common site requirements, the generator verifies that at least one character from each enabled type is present. If a type is missing, one position is replaced with a randomly selected character from that type.
The entire process happens in your browser. No password is ever sent to a server. There's no network request, no logging, no storage. The password exists only in your browser's memory until you copy it or navigate away.
What the Code Actually Looks Like
Here's the core logic, simplified. This is essentially what runs when you click the dog:
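// `length` is the requested password length; `chars` is the character pool built from your settings
const array = new Uint32Array(length);
crypto.getRandomValues(array);
// Map each random number to a character from the pool.
// Note: n % chars.length leans very slightly toward the first characters of the pool
// whenever 2^32 is not an exact multiple of chars.length (as with 94 characters).
let password = Array.from(array, (n) => chars[n % chars.length]).join('');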
crypto.getRandomValues() is the critical piece. It's provided by the browser and backed by the operating system's cryptographic random number generator — the same source of randomness used for TLS encryption, SSH keys, and other security-critical operations.
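The four steps described earlier (build the pool, draw random numbers, map them to characters, guarantee every enabled type), carried through as an added example; this is not password.dog's source. The pool contents and the names POOLS, randomIndex, hasType and generatePassword are assumptions, and it uses rejection sampling in place of the plain modulo shown above so that every character in the pool is exactly equally likely.

```javascript
// Added example; not password.dog's source. Pool contents and names are assumptions.
// Browsers expose globalThis.crypto; the fallback covers older Node.js versions.
const webCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const POOLS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~', // the 32 ASCII punctuation marks
};

// Uniform integer in [0, n). Draws that land in the uneven tail of the 32-bit
// range are discarded, so no index is favoured the way a plain `x % n` favours
// the low ones.
function randomIndex(n) {
  const limit = 2 ** 32 - (2 ** 32 % n); // largest multiple of n that fits
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

const hasType = (out, type) => out.some((c) => POOLS[type].includes(c));

function generatePassword(length, types = Object.keys(POOLS)) {
  if (types.length === 0 || types.some((t) => !Object.keys(POOLS).includes(t))) {
    throw new RangeError('enable at least one known character type');
  }
  if (!Number.isInteger(length) || length < types.length) {
    throw new RangeError('length must fit one character of each enabled type');
  }
  // Step 1: assemble the pool from the enabled types.
  const chars = types.map((t) => POOLS[t]).join('');
  // Steps 2-3: one independent CSPRNG draw per position, mapped to a character.
  const out = Array.from({ length }, () => chars[randomIndex(chars.length)]);
  // Step 4: while an enabled type is absent, overwrite one random position with
  // a character of that type. Looping (rather than a single pass) covers the
  // case where the overwrite removes the only character of another type.
  let missing;
  while ((missing = types.find((t) => !hasType(out, t)))) {
    out[randomIndex(length)] = POOLS[missing][randomIndex(POOLS[missing].length)];
  }
  return out.join('');
}
```

The step 4 repair happens only when a type is missing, which is rare at 20 characters but routine for very short passwords.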
Why Math.random() Is Not Enough
Math.random()
Pseudorandom — uses a mathematical formula seeded by a predictable value.
Output can be predicted if the seed is known.
Same seed produces same sequence every time.
Not designed for security. Fine for games, animations, and shuffling playlists.
crypto.getRandomValues()
Cryptographically secure — draws from OS entropy pool (hardware noise, timing jitter).
Output cannot be predicted even with full knowledge of previous outputs.
Each call produces genuinely independent random numbers.
Designed for security. Used for encryption keys, tokens, and password generation.
Any password generator that uses Math.random() instead of the Web Crypto API is a red flag. The passwords it creates may look random but are technically predictable — which defeats the entire purpose.
Why Your Brain Can't Do This
In studies on human-generated randomness, people consistently produce sequences with detectable patterns. We avoid repeating characters even though true randomness includes repeats. We unconsciously favor certain positions on the keyboard. We pick characters that "feel" random rather than characters that are statistically independent.
An AI trained on human-created "random" passwords can predict the next character with accuracy significantly above chance. Against a true cryptographic random output, that same AI performs no better than blind guessing — because there is literally no pattern to learn.
This is the fundamental value of a password generator: it removes the human element that makes passwords predictable. The result is a password where the only attack available is exhaustive brute force — trying every possible combination. And as the crack time table shows, brute force against a long random password is a losing game.
What to Look for in a Password Generator
Client-side generation. The password should be created in your browser, not on a server. If a generator needs to make a network request to produce a password, your password is being transmitted — and potentially logged.
Web Crypto API. The generator should use crypto.getRandomValues() or equivalent. Anything built on Math.random() is not secure.
Configurable length and character types. Different sites have different requirements (some don't allow certain symbols, some have maximum lengths). A good generator lets you adjust these.
No account required. A password generator doesn't need your email, your name, or any personal information. If it asks for these, it's collecting data, not generating passwords.
FAQ
Are online password generators safe?
A well-built one that runs entirely in your browser is safe. Look for: the Web Crypto API (crypto.getRandomValues), client-side generation (no network requests during generation), and no account requirements. password.dog meets all three — passwords are generated locally and never leave your browser.
What is crypto.getRandomValues?
It's the Web Crypto API method that browsers provide for generating cryptographically secure random numbers. It draws randomness from your operating system's entropy pool — unpredictable data harvested from hardware events. This is the same source of randomness that protects your bank's website via TLS encryption.
Can a password generator be hacked?
If it runs entirely in your browser with the Web Crypto API, there's no server-side component to hack. No passwords are transmitted, stored, or logged. The security rests on the cryptographic random number generator built into your browser and operating system, which is extensively tested and audited.
Is a password manager's built-in generator better than a standalone one?
Both use the same underlying cryptographic random number generators and produce equally secure passwords. The advantage of a password manager's generator is convenience — the password goes directly into your vault. The advantage of a standalone generator like password.dog is that it works without an account and lets you verify it's client-side.