Passwords don’t have to be truly random to work. Say you started a stopwatch, and every time you needed a character, you’d pause the timer and pick the number of milliseconds as the number of character to pick (so like 01 is a, 02 is b, etc. and continuing on for numbers and symbols). It’s explicitly nonrandom, but it appears *random enough* for online purposes. If someone were to try to guess your password, they’d have to know exactly how long it took you to start/stop the timer each time.

That’s pretty much how a lot of these password generators work (with some other internal stuff to make it even more difficult to figure out)–the data needed to backengineer a “random” password is so hard to come up with that it’s effectively the same as just guessing random characters.

Truly random numbers are not needed in most scenarios. In a lot of cases, it’s sufficient to just have numbers that take more effort to figure out how to generate them than it does to randomly guess them. If I picked a number right now that was the remainder when you divide the time I woke up this morning by 7, it would take just as much effort to try to figure out what times I could have plausibly woken up as it would to just guess 1-7.