Cryptographically random. Keep your data secure.
Randomness comes from crypto.getRandomValues() - the same CSPRNG used by
TLS. Nothing is sent to a server. This page generates and discards passwords entirely
in your browser; bitmods never sees them.
Most people's passwords are terrible. Not because they're lazy, because humans are genuinely bad at producing randomness. We pick things we'll remember, which means things we (and adversaries) can guess. Pattern recognition is a core human skill and a catastrophic password-choosing strategy.
A cryptographically secure generator pulls entropy from your operating system's randomness pool - the same source used to protect HTTPS connections. There's no pattern, no bias, no predictability. The output is what "random" actually means.
This generator uses crypto.getRandomValues(), available natively in every
modern browser. It does not use Math.random(), which is not cryptographically
secure and should never be used for security-sensitive values. The difference is not academic,
Math.random() outputs can sometimes be predicted from prior outputs.
12–24 characters from a full character set gives you enough entropy that brute-forcing is computationally infeasible at current hardware speeds.