Password security guide

Offline password generators: how they work and what to check

“Offline password generator” can refer to two very different tools: one creates fresh random passwords, while another recreates the same output from the same inputs.

Published June 12, 2026 · Updated June 12, 2026 · 4 min read

Random versus deterministic generators

A random generator uses a cryptographically secure random source to create a new password. The output has to be stored somewhere, because it cannot be regenerated later from anything the user remembers. A deterministic generator derives an output from stable inputs, so the same inputs can reproduce it later.

Both can operate offline. The difference is not internet access; it is whether the output depends on randomness or on a repeatable derivation process.

What “runs locally in your browser” means

A browser-based tool can execute JavaScript on the device without sending the entered phrase to a server. However, the page itself still has to be delivered somehow, and malicious or compromised code could read inputs. Trust depends on the code, delivery path, browser, extensions, and device.

For stronger assurance, advanced users can inspect source code, verify a downloaded copy, and run it offline. Public test vectors help confirm that different implementations produce expected outputs.

How random generators obtain entropy

Secure browser generators should use the Web Crypto API rather than predictable functions such as Math.random(). The random bytes are mapped into an allowed character set or used to select words from a sufficiently large list.

A generated password is only helpful if it is stored accurately. Copying it into an unencrypted note defeats the benefit of strong randomness.

How deterministic generation works

A deterministic system combines a master phrase with account-specific information such as a label. A key-derivation function such as Argon2id makes password guessing more expensive. The derived material is then formatted into a username or password that meets defined rules.

Exact normalization matters. Differences in capitalization, spaces, punctuation, label spelling, PIN, or algorithm version can produce a completely different result.

What to check before trusting a tool

  • Does it clearly state whether data leaves the device?
  • Is the source code or technical specification available?
  • Does it use Web Crypto or a well-reviewed cryptographic library?
  • Are algorithm versions documented?
  • Are test vectors published?
  • Does the tool explain recovery limits and threat boundaries?

Edge cases users often miss

Websites sometimes restrict password length or allowed characters. Forced password changes require a version strategy. Unicode characters can be normalized differently. Browser extensions or malware can capture inputs. Clipboard history can retain copied passwords. Offline operation reduces network dependence but does not make an infected device safe.

Summary

Offline generators can be valuable, but “offline” is not a complete security claim. Random generators need safe storage; deterministic generators need exact reproducibility. Evaluate the code, cryptographic design, device security, recovery model, and versioning process together.

Try the Kardix generator

Generate login details locally from your private phrase, optional PIN, and a consistent account label. Nothing is saved by Kardix.

Open the Kardix generator →