Password entropy is the mathematical measure of a password's unpredictability, expressed in bits. Each bit of entropy doubles the number of possible combinations an attacker must try. The formula for calculating entropy is log2(C^L), where C is the size of the character set and L is the password length. A password using only lowercase letters (26 characters) has approximately 4.7 bits of entropy per character, while adding uppercase letters, digits, and symbols expands the set to 95 printable ASCII characters, yielding about 6.6 bits per character. A 16-character password drawn from the full ASCII set provides roughly 105 bits of entropy, which is considered practically uncrackable by current and foreseeable computing capabilities.

The security of password generation depends critically on the quality of randomness used. Cryptographically Secure Pseudo-Random Number Generators (CSPRNGs) are specifically designed to produce output that is computationally indistinguishable from true randomness. In web browsers, the Web Crypto API (window.crypto.getRandomValues) provides CSPRNG functionality backed by the operating system's entropy sources, including hardware random number generators, interrupt timing, and other unpredictable physical phenomena. Standard Math.random() in JavaScript is explicitly not cryptographically secure because its output is deterministic and predictable given the seed, making it fundamentally unsuitable for security-sensitive applications like password generation.

Password cracking methods have evolved significantly and understanding them is essential for appreciating what makes a password strong. Brute force attacks systematically try every possible combination and are limited by the password's entropy. Dictionary attacks use lists of common words, phrases, and previously leaked passwords, making passwords based on real words vulnerable regardless of their length. Rule-based attacks apply transformations to dictionary words, such as substituting letters with numbers (e.g., "p@ssw0rd"), appending digits, or capitalizing certain letters. Rainbow table attacks use precomputed hash chains to reverse password hashes quickly but are defeated by proper salting. Modern GPU clusters can test billions of password candidates per second against common hash algorithms.

The relationship between password length and character set diversity creates an important design trade-off. A 20-character password using only lowercase letters provides approximately 94 bits of entropy, while a 12-character password using the full 95-character ASCII set provides approximately 79 bits. Length generally contributes more to security than character complexity, which is why modern security guidance from NIST (Special Publication 800-63B) emphasizes password length over complexity requirements. Passphrases composed of random words can achieve high entropy while remaining memorable, with four randomly selected words from a 7,776-word list (as in Diceware) providing approximately 51 bits of entropy.