Nonsense-free password generation routines
npm install passhelp

passhelp, or "the little password helper", is a tool and library to help you
generate secure and sane passwords.
passhelp ships pure JavaScript and TypeScript definitions. Its API is small:
```javascript
const passhelp = require('passhelp');

// generate a 3 word passphrase
passhelp.phrase(3); // "allergy site poise"

// include uppercase, special, and digit characters
passhelp.phrase(3, true); // "Stylish:question8splinter"

// use a custom separator character
passhelp.phrase(3, false, '/'); // "slouch/proceeds/rapture"

// traditional 12 character all-random passphrase
passhelp.character(12, passhelp.alphabets.full); // "tDnx1>^Q>:Z="

// 12 characters, but omit look-alikes
passhelp.character(12, passhelp.alphabets.full_friendly); // "2hUk#y?x\r~&"

// 8 character alphanumeric for those silly banks. ensure that
// it has 1 digit, 1 upper-case and 1 lower-case character
passhelp.character(8, passhelp.alphabets.alphanumeric, true); // "A2nJEH4o"
```
All generators return strings. Available alphabets for the character generator are:
* `full`: Upper/lower-case, numbers, and symbols
* `full_friendly`: Like full, but excluding look-alike characters (Il1O0|)
* `alphanumeric`: Upper/lower-case characters and numbers.
* `alphanumeric_friendly`: Like alphanumeric, but excluding look-alike characters.
* `numeric`: A string of digits.
* `hex`: Digits and the characters abcdef (lowercase).
The third option to the character generator determines whether the password is "exhaustive". If true (default false), it will ensure that the generated password has at least 1 character of every type in the given alphabet. This is to ensure that generated passwords will fulfill password requirements imposed by some organizations and websites.
In the browser: with WebCrypto, specifically with `getRandomValues`. In NodeJS: with `crypto.randomBytes`. These are fed into a function that generates numbers in a range. You can read the source for these in `random/source.ts` and `random/index.ts`.
There is a feature of the character generator that will optionally ensure that all character classes are met; this is to fulfill password requirements that various sites and organizations impose.
For example, you can generate an alphanumeric password that will always include at least one uppercase character, one lowercase character, and one digit. A truly random password would not guarantee this.
There is another feature that will exclude characters that look similar. This is to make it simpler when reading a password off of your phone to type in on your computer.
Neither of these features significantly reduces the entropy of your password. That said, the web generator clearly states when these features are in effect, and they are completely optional in the library.
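The range step and the exhaustive option described above, sketched for NodeJS as an added example that is not passhelp's own source. It assumes rejection sampling for the range step and whole-password redraw for the exhaustive check; `randomInt`, `generate`, `exhaustiveLossBits` and `CLASSES` are hypothetical names.

```javascript
// Added example, not passhelp's source; all function names are hypothetical
// and rejection sampling is an assumed technique for the range step.
const { randomBytes } = require('crypto');

// Uniform integer in [0, max) for 1 <= max <= 256, from CSPRNG bytes.
// Bytes at or above the largest multiple of max are discarded, so that
// `byte % max` cannot favour the low values (modulo bias).
function randomInt(max, source = randomBytes) {
  if (!Number.isInteger(max) || max < 1 || max > 256) {
    throw new RangeError('max must be an integer in 1..256');
  }
  const limit = 256 - (256 % max);
  for (;;) {
    const byte = source(1)[0];
    if (byte < limit) return byte % max;
  }
}

// Character classes of an alphanumeric alphabet (constructed for this example).
const CLASSES = ['abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789'];

// Draw `length` characters; in exhaustive mode, redraw the whole password
// until every class appears, so each accepted password stays equally likely.
function generate(length, classes = CLASSES, exhaustive = false, source = randomBytes) {
  if (exhaustive && length < classes.length) {
    throw new RangeError('length is too short to include every class');
  }
  const alphabet = classes.join('');
  for (;;) {
    let out = '';
    for (let i = 0; i < length; i++) out += alphabet[randomInt(alphabet.length, source)];
    if (!exhaustive || classes.every((c) => [...out].some((ch) => c.includes(ch)))) return out;
  }
}

// Entropy given up by exhaustive mode, in bits: -log2 of the fraction of all
// passwords that contain every class (inclusion-exclusion over the classes).
function exhaustiveLossBits(length, classes = CLASSES) {
  const total = classes.reduce((n, c) => n + c.length, 0);
  let fraction = 0;
  for (let mask = 0; mask < (1 << classes.length); mask++) {
    let excluded = 0, missing = 0;
    classes.forEach((c, i) => { if (mask & (1 << i)) { excluded += c.length; missing++; } });
    fraction += (missing % 2 ? -1 : 1) * ((total - excluded) / total) ** length;
  }
  return -Math.log2(fraction);
}
```

For an 8 character alphanumeric password, `exhaustiveLossBits(8)` comes to under half a bit out of roughly 47.6, which is the sense in which the exhaustive option does not significantly reduce entropy.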
It's popular to say that JavaScript and crypto don't go together, but the real answer is that it depends on the context. This tool is a single file, takes little external input (the URL hash), and makes no remote requests. The overall attack surface is quite small.
To load quickly, and so that you can save the single HTML file to your computer if you want. No need to save any extra resources.
The words were sourced from the excellent 12dicts package's `3esl` list. These were filtered through a small script to restrict words to 4-8 characters and to remove some potentially sensitive language.
In the end you have about 11.5k simple words, which is plenty for a passphrase.
Absolutely! This is published as an npm module if you'd like to use it directly. You may also simply copy the website itself; it's all one HTML file.
Please follow the terms of the MIT license.
You could, but I recommend just saving the HTML file and hosting it on your own servers. That way you don't have to worry about the URL changing, and your users don't have to worry about trusting a third-party website.
MIT.
Sure! This project is fairly young, so I haven't written up contribution guidelines yet. Feel free to submit an issue and/or contact me if you'd like to work on something.