Passwort-Generator

No — generated passwords are never sent anywhere, logged, or recorded. Password generation runs entirely within your browser using the Web Crypto API's crypto.getRandomValues function, which is the same cryptographically secure pseudorandom number generator (CSPRNG) used by browsers for TLS key generation and other security-critical operations. This function draws entropy directly from the operating system's secure entropy pool — on Windows from BCryptGenRandom, on macOS and Linux from /dev/urandom — ensuring the output is unpredictable even to the browser itself. No network request is made during generation: you can verify this by opening your browser's developer tools, navigating to the Network tab, and generating several passwords — you will see zero outbound requests. The generated password string never leaves your browser's JavaScript execution context except through your own clipboard copy or manual selection. WikiPlus does not run any analytics or telemetry that captures field values, and the page contains no keystroke loggers. All processing happens client-side by design. Even if you generate a thousand passwords in a single session, none of them are stored, indexed, or associated with your IP address or browser fingerprint on WikiPlus's side. Practical tip: once you have generated a password you want to use, copy it directly into a password manager such as Bitwarden, 1Password, or KeePass rather than typing it manually into a login form — this avoids keystroke logging by any browser extensions or OS-level accessibility tools that might be running.

Current security guidance from NIST SP 800-63B (updated 2024) and most major cybersecurity organizations recommends a minimum of 16 characters for general-purpose passwords, with 20 or more characters being advisable for high-value accounts such as email, banking, and primary password manager vaults. The reasoning is computational: modern GPU clusters can attempt tens of billions of guesses per second against leaked bcrypt or Argon2 hashes. A 12-character random password drawn from a pool of 94 printable ASCII characters has about 79 bits of entropy, which is feasible to crack with dedicated hardware given years of compute time. A 20-character password from the same pool yields roughly 131 bits of entropy, placing it far beyond any realistic brute-force attack even with future hardware improvements and quantum computing advances in the near term. Length matters more than complexity: a 20-character lowercase string is stronger than a 12-character string mixing upper, lower, digits, and symbols. That said, combining length with character diversity is still best practice because it guards against attacks that exploit predictable patterns in longer passwords. The generator uses crypto.getRandomValues to ensure genuine randomness — no data leaves your device. Practical tip: use the maximum length your target service will accept — many sites cap passwords at 64 or 128 characters, and you should fill as much of that budget as possible, especially for accounts you access infrequently where you will always paste from a password manager anyway.

Including symbols increases the size of the character pool your password is drawn from, which raises entropy — but whether you should always include them depends on the target service's constraints and your usage context. A password drawn from 94 printable ASCII characters (26 lowercase + 26 uppercase + 10 digits + 32 symbols) provides about 6.55 bits of entropy per character, versus about 5.95 bits per character from an alphanumeric-only set of 62. The difference per character is modest, but across a 20-character password it adds roughly 12 bits — the equivalent of two extra random alphanumeric characters. However, many services and systems have inconsistent symbol support: some reject specific characters like single quotes, angle brackets, or backslashes because they conflict with SQL, XML, shell escaping, or form validation rules, potentially causing login failures or security issues. SSH config files, .htpasswd entries, and some legacy enterprise systems have similarly narrow allowed-character sets. For accounts you access through a password manager where you always paste and never type, maximum symbol inclusion is fine. For passwords you occasionally type manually — a Wi-Fi passphrase or a computer login — you might prefer to omit symbols or restrict them to a short, easily typed subset. No data leaves your device during generation. Practical tip: if a site rejects your generated password, try regenerating with only the symbol subset of ! @ # $ % ^ & *, which is accepted by the vast majority of web applications without triggering input validation errors.

Yes — the generator includes a passphrase mode that produces sequences of random common words separated by a delimiter of your choice, following the diceware approach first described by Arnold Reinhold in 1995. A passphrase like "violet-cloud-hammer-seven" is far easier to memorize and type than "kT#9mPqW!2xR" while providing comparable or greater entropy depending on word list size and passphrase length. The entropy of a diceware passphrase is determined by the size of the word list: with a 7,776-word list (the standard diceware size, based on five dice rolls), each word contributes about 12.9 bits of entropy. Four words give roughly 51 bits, five words give about 64 bits, and six words reach 77 bits — sufficient for most purposes. For high-security accounts, seven or more words is advisable. The word selection uses crypto.getRandomValues to draw cryptographically secure random indices into the word list, ensuring no predictability. The entire process runs in your browser — no data leaves your device. Passphrases are especially valuable for the master password of your password manager, computer login passwords, and any credential you must occasionally type from memory. They are also more resilient to shoulder surfing because the words are memorable enough that you can look away from the screen after each one. Practical tip: add a random number or symbol between two of the words — for example "violet-cloud7-hammer-nine" — to satisfy services that require mixed character types without compromising the memorability of the overall passphrase.