Secure Password Generator Based on Secure Pseudo-Random Number Generator

📅 2025-08-25

🤖 AI Summary
To address frequent website password breaches, this paper proposes a cryptographically secure password generation scheme based on a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). Methodologically, it innovatively integrates three Message Authentication Code (MAC) algorithms—HMAC, CMAC, and KMAC—to construct the CSPRNG, and rigorously evaluates entropy and independence using NIST SP 800-90B’s entropy estimation and IID (independent and identically distributed) validation procedures. This ensures generated passwords exhibit high entropy and statistical unpredictability. Experimental results confirm strict compliance with NIST’s minimum entropy requirement (≥1 bit/byte) and IID criteria, thereby significantly enhancing resistance against brute-force attacks and machine learning–based password prediction. The work establishes a verifiable, standardized, and practically deployable security paradigm for user-side autonomous password generation.

📝 Abstract
In recent years, numerous incidents involving the leakage of website accounts and text passwords (referred to as passwords) have raised significant concerns regarding the potential exposure of personal information. These events underscore the critical importance of both information security and password protection. While many of these breaches are attributable to vulnerabilities within website infrastructure, the strength and security of the passwords themselves also play a crucial role. Consequently, the creation of secure passwords constitutes a fundamental aspect of enhancing overall system security and protecting personal data. In response to these challenges, this study presents a secure password generation approach utilizing a cryptographically secure Pseudo-Random Number Generator (PRNG). The generator is implemented using a range of Message Authentication Code (MAC) algorithms, including the Keyed-Hash Message Authentication Code (HMAC), Cipher-based Message Authentication Code (CMAC), and KECCAK Message Authentication Code (KMAC), to produce robust random values suitable for password generation. To evaluate the proposed method, empirical assessments were conducted in accordance with the guidelines provided in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-90B. The evaluation focused on two primary aspects: entropy estimation and verification of independent and identically distributed (IID) properties. Experimental results indicate that the proposed method satisfies both entropy and IID requirements, thereby demonstrating its ability to generate passwords with a high degree of randomness and security.
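
The HMAC variant of the approach described above can be sketched as follows. This is an added example, not the paper's code: it assumes a simplified HMAC_DRBG in the style of NIST SP 800-90A (no reseed counter, personalization or additional input), a seed from `os.urandom`, and a hypothetical 74-symbol alphabet, and it uses rejection sampling so the byte-to-character mapping has no modulo bias.

```python
import hashlib
import hmac
import os
import string

# Assumed password alphabet (74 symbols); not taken from the paper.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

class HmacDrbg:
    """Simplified HMAC_DRBG (SHA-256) in the style of NIST SP 800-90A."""

    def __init__(self, seed: bytes):
        if len(seed) < 32:
            raise ValueError("seed must be at least 32 bytes of entropy input")
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(seed)

    @staticmethod
    def _mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        self.K = self._mac(self.K, self.V + b"\x00" + data)
        self.V = self._mac(self.K, self.V)
        if data:  # second round only when seed material is provided
            self.K = self._mac(self.K, self.V + b"\x01" + data)
            self.V = self._mac(self.K, self.V)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.V = self._mac(self.K, self.V)
            out += self.V
        self._update()  # refresh K and V so past output cannot be recomputed
        return out[:n]

def generate_password(length=20, alphabet=ALPHABET, seed=None) -> str:
    if not 2 <= len(alphabet) <= 256:
        raise ValueError("alphabet must contain 2..256 symbols")
    drbg = HmacDrbg(seed if seed is not None else os.urandom(48))
    # Bytes >= limit are discarded so every symbol is equally likely.
    limit = 256 - (256 % len(alphabet))
    chars = []
    while len(chars) < length:
        for b in drbg.generate(2 * length):
            if b < limit and len(chars) < length:
                chars.append(alphabet[b % len(alphabet)])
    return "".join(chars)

if __name__ == "__main__":
    print(generate_password())
```

Passing an explicit `seed` is only for reproducible testing; in normal use the seed is drawn fresh from the operating system for every call.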

Problem

Research questions and friction points this paper is trying to address.

Developing secure password generator using cryptographic PRNG
Evaluating entropy and IID properties per NIST guidelines
Addressing password security vulnerabilities with MAC algorithms

Innovation

Methods, ideas, or system contributions that make the work stand out.

Cryptographically secure PRNG for password generation
Multiple MAC algorithms for robust randomness
NIST SP 800-90B compliance for security validation