JavaScript Executes in Your Browser, Not on Servers
When you use a browser-based password generator, the JavaScript code is downloaded once to your browser and then executes entirely locally. There is no ongoing communication with any server after the page loads — the site can't see what's happening inside your browser's execution environment.
The Crypto API Is Local by Design
The window.crypto.getRandomValues() call is a browser API, not a server call. Your computer generates the random numbers using its own hardware entropy, and the result never leaves your device. No network request is made, no data is transmitted.
How to Verify Any Generator
You can confirm a password generator's behavior in seconds: open browser developer tools (F12), go to the Network tab, then generate a password. If no network requests appear, nothing is being transmitted. You can also inspect the Sources tab to read the JavaScript directly.
Choosing Trustworthy Generators
The best indicators of a trustworthy generator are open-source code, a clear privacy statement, no third-party scripts that could intercept page contents, and a network check that shows no outbound requests during generation.
Browser-based password generators that use the Web Crypto API are fundamentally private — your passwords are generated locally and never transmitted anywhere. Verify this yourself with browser developer tools.