Because humans are terrible at creating secure passwords. This famous xkcd comic got it right - humans have been trained to use passwords that are hard to remember, but easy for computers to guess.

On the other hand, passphrases are easy to remember, but very difficult to crack. Let's say you use an EFF Long List to generate a 6 word passphrase. Even assuming the attacker knows the exact wordlist and number of words you used, there's still 7776^6 possible combinations for the attacker to try out. That's 221073919720733357899776 possible combinations. Even if the attacker could try 1 trillion combinations per second, it would take him millions of years to try all the possible combinations. That's what makes passphrases so secure and powerful.

It depends. Are you the target of a nation-state level adversary? If so, you should probably not use this and should instead use Diceware to roll real physical dice and look up the words from the wordlist manually. This is the official recommendation of the original Diceware FAQ. As a regular person, even if you have high security needs like protecting long term cryptographic keys, you should be safe using this tool. Using real precision dice is the most secure way, but relying on the random number generator should be safe as well.

JavaScript window.crypto.getRandomValues() CSPRNG that ships with modern browsers to get random bytes is used. Many cryptographic library authors are now targeting the browser environment and most are using this API as their primary source of entropy, so you are in good company.

To ensure Web Crypto API compatibility across Node.js, Browsers and other runtimes, unjs/uncrypto is used.

Implementation by @Sc00bz on r/crypto.

import { getRandomValues } from 'uncrypto'

function secureRandom(count: number) {
  const rand = new Uint32Array(1)
  const skip = 0x7FFFFFFF - 0x7FFFFFFF % count
  let result

  if (((count - 1) & count) === 0) {
    getRandomValues(rand)
    return rand[0] & (count - 1)
  }
  do {
    getRandomValues(rand)
    result = rand[0] & 0x7FFFFFFF
  } while (result >= skip)
  return result % count
}