Frequently Asked Questions
What is a Unicode password?
A Unicode password contains characters beyond standard ASCII letters, numbers, and punctuation — for example é, ñ, β, or 😀. Expanding the character set increases the number of possible passwords and makes shorter passwords harder to guess.
Can emojis make passwords stronger?
Yes. Emoji characters add thousands of possible symbols to the character space, which increases entropy per character. A short emoji-inclusive password can be mathematically stronger than a longer letter-only password — as long as the target website accepts Unicode and emojis.
Do all websites accept Unicode or emoji passwords?
No. Many websites and password fields reject Unicode or emoji characters. Test the password on the target site before committing. If it is rejected, use the Legacy Site preset, which produces passwords with letters, numbers, and symbols only.
Why can a shorter Unicode password be stronger than a longer simple password?
Password strength scales with both length and the size of the character set. A longer character set means each position carries more possible values. Eight characters drawn from a pool of ten thousand Unicode codepoints can outperform twenty characters drawn from a pool of twenty-six lowercase letters.
Are passwords stored or sent anywhere?
No. Passwords are generated cryptographically in your browser using the Web Crypto API for secure randomness. Nothing is stored, logged, or transmitted to any server. Close the tab and the password is gone — save it in a password manager before you navigate away.
Technical overview
This password generator prioritizes two security goals: strong randomness and local-only generation. Passwords are created in the user's browser using cryptographic randomness. They are never generated on a server, stored by the site, or transmitted during the process.
Local-only password generation
All password generation occurs client-side in the browser. When users adjust length, character sets, presets, or passphrase mode, the page generates the password locally and displays it in the password field.
The site does not require the generated password to function. There is no backend password-generation request, account login, or password storage. Once the page is closed or refreshed, the password is lost unless the user has copied or saved it.
This approach ensures users do not need to trust a remote server with their generated passwords.
Cryptographic randomness
The generator uses the browser's Web Crypto API via crypto.getRandomValues(), which is the recommended method for generating cryptographically secure random values.
It does not use Math.random(), as that method is not designed for cryptographic security and is unsuitable for password generation.
If the secure random generator is unavailable or fails, the generator stops rather than using weaker randomness. This fail-closed approach ensures that no password is generated if security cannot be guaranteed.
Uniform character selection
Random numbers are converted into character choices using rejection sampling to prevent modulo bias.
A naive generator might use a random number modulo the character pool size, which can make some characters more likely if the range does not divide evenly.
This generator discards random values outside the largest evenly divisible range, resulting in a more uniform character distribution.
Character pool security
The password space is constructed from enabled character sets, including letters, numbers, symbols, Unicode, and emoji ranges. A larger pool increases possible values per position and raises entropy.
For Unicode and emoji passwords, the generator selects from predefined code point ranges instead of a small hardcoded list. This expands the search space while maintaining deterministic structure and random selection.
When "avoid similar characters" is enabled, visually similar ASCII characters such as 0, O, o, 1, I, and l are removed. This improves usability but reduces the character pool, so the entropy estimate adjusts accordingly.
The generator uses a two-step selection algorithm: it first picks a character type uniformly from the enabled pools, then picks a character within that type. This ensures each enabled category — letters, numbers, symbols, Unicode, emoji — is represented independently of pool size.
Entropy and strength estimates
The strength display estimates entropy based on the selected password length and the size of the enabled character set:
entropy = length × log₂(character pool size)
Entropy measures the size of the guessing space. Higher entropy means attackers have more possible passwords to search.
For passphrases, entropy is calculated using the number of selected words and the wordlist size:
entropy = word count × log₂(wordlist size)
The crack-time estimates use the calculated entropy and compare it with fixed guessing rates. These values are for comparison only and are not guarantees. Real-world resistance also depends on the service's rate limits, hashing algorithm, breach history, and password reuse.
Password privacy
The generated password is not logged or sent to a server by the generator. It exists on the browser page and, if copied, in the user's clipboard.
There are two practical privacy boundaries to consider. First, after copying, the clipboard is no longer under the page's control — users should promptly paste the password into a password manager or into a form. Second, the site may load external resources such as fonts or ads, but password generation occurs locally and those resources do not have access to the generated password.
Security model
The generator is most secure when used on a trusted device, in a browser that supports the Web Crypto API, and over a secure connection. Its core security properties include:
- Strong randomness from
crypto.getRandomValues()
- No fallback to weak randomness
- Bias-resistant character selection
- Client-side generation
- No server-side password creation
- No intentional password storage or transmission
- Entropy estimates based on the active character pool