What Makes a Random Number Generator Cryptographic?
A regular random number generator uses a mathematical algorithm seeded with a simple value like the current time. Given the same seed, it produces identical output — making it predictable and unsuitable for security. A cryptographically secure PRNG seeds from true entropy sources — hardware noise, timing variations, mouse movements — and is designed to be computationally infeasible to predict.
How the Web Crypto API Works
window.crypto.getRandomValues() is a standard Web API available in all modern browsers. It fills a typed array with cryptographically secure random bytes generated by the operating system's entropy pool. The browser simply exposes this system-level randomness through a JavaScript-accessible interface.
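As an added illustration (not code from any particular generator), here is one way a password generator can turn the bytes from crypto.getRandomValues() into characters without modulo bias, using rejection sampling. The names generatePassword, rejectionLimit, entropyBits and DEFAULT_ALPHABET are assumptions made for this example.

```javascript
// Added example: unbiased password generation on top of crypto.getRandomValues().
// In a browser, globalThis.crypto is window.crypto; the require() fallback only
// lets the same file run under older Node.js versions.
const webCrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Hypothetical default character set (74 symbols), chosen for this example.
const DEFAULT_ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+";

// Largest multiple of n that fits in a byte; bytes at or above it are discarded
// so every index 0..n-1 is equally likely (no modulo bias).
function rejectionLimit(n) {
  return 256 - (256 % n);
}

function generatePassword(length = 20, alphabet = DEFAULT_ALPHABET) {
  const symbols = [...new Set(alphabet)]; // drop duplicates that would skew odds
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError("length must be a positive integer");
  }
  if (symbols.length < 2 || symbols.length > 256) {
    throw new RangeError("alphabet needs 2 to 256 distinct symbols");
  }
  const limit = rejectionLimit(symbols.length);
  const buf = new Uint8Array(64); // well under the 65,536-byte per-call limit
  const out = [];
  while (out.length < length) {
    webCrypto.getRandomValues(buf); // fills buf in place with CSPRNG bytes
    for (const byte of buf) {
      if (byte < limit) {
        out.push(symbols[byte % symbols.length]);
        if (out.length === length) break;
      }
    }
  }
  buf.fill(0); // best-effort wipe of leftover random bytes
  return out.join("");
}

// Entropy in bits of a password drawn uniformly from the alphabet.
function entropyBits(length, alphabet = DEFAULT_ALPHABET) {
  return length * Math.log2(new Set(alphabet).size);
}
```

Using byte % symbols.length directly, without the rejection step, would make the first 256 % n symbols slightly more likely than the rest; with the 74-symbol set above, bytes 222 to 255 are discarded instead.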
Why Local Generation Matters for Privacy
Because password generation happens entirely in your browser using local entropy, nothing about your password is ever transmitted to any server. The generator does not need network access. Even the developer of the website has no way to see what password was generated, which is fundamentally different from server-side generators.
Verifying Browser-Based Generators Are Trustworthy
Open-source browser-based generators can have their source code independently verified. You can inspect the JavaScript directly in browser developer tools to confirm it's calling crypto.getRandomValues() and not sending anything to a remote server. This transparency is why privacy-conscious users prefer local browser generators.
The Web Crypto API provides cryptographically secure randomness entirely within your browser. Browser-based password generators built on this API are both secure and completely private: your passwords never leave your device.