Overview

The password generator creates cryptographically secure passwords using the Web Crypto API. It supports four complexity levels, a memorable password mode with word-based generation, and entropy-based strength estimation. When generating passwords during automated resets, the generator respects service-specific constraints from the service registry.

Complexity levels

| Level | Length | Lowercase | Uppercase | Numbers | Symbols |
|---|---|---|---|---|---|
| low | 8 | Yes | No | Yes | No |
| medium | 12 | Yes | Yes | Yes | No |
| high | 16 | Yes | Yes | Yes | Yes |
| memorable | Variable | | | | |

The memorable complexity level uses word-based generation instead of character-based generation. See the memorable passwords section below.

Character sets

| Set | Characters |
|---|---|
| Lowercase | `abcdefghijklmnopqrstuvwxyz` |
| Uppercase | `ABCDEFGHIJKLMNOPQRSTUVWXYZ` |
| Numbers | `0123456789` |
| Symbols | `!@#$%^&*()_+-=<>?` |

If no character types are enabled (edge case with custom options), the generator falls back to lowercase characters.

Cryptographic randomness

Password generation uses crypto.getRandomValues() with rejection sampling to eliminate modulo bias:
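```typescript
function secureRandomInt(max: number): number {
  // Reject inputs the sampling loop cannot handle: 0 or a non-integer gives NaN or
  // fractional results, and max > 0xFFFFFFFF makes limit 0 so the loop never ends.
  if (!Number.isInteger(max) || max <= 0 || max > 0xFFFFFFFF) {
    throw new RangeError('max must be an integer in [1, 0xFFFFFFFF]')
  }
  const array = new Uint32Array(1)
  crypto.getRandomValues(array)
  // Largest multiple of max not exceeding 0xFFFFFFFF; values at or above it are rejected.
  const limit = Math.floor(0xFFFFFFFF / max) * max
  let value = array[0]
  while (value >= limit) {
    // Re-roll until the value falls in the unbiased range [0, limit).
    crypto.getRandomValues(array)
    value = array[0]
  }
  return value % max
}
```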
A naive randomValue % max approach produces biased results when max does not evenly divide the range of possible values (0 to 2^32 - 1). Some remainders would appear more frequently than others. Rejection sampling discards values that fall in the biased range and re-rolls, ensuring each output in [0, max) is equally likely.

Memorable passwords

The memorable mode generates human-readable passwords by combining random words with a separator and a numeric suffix. Format: Word1<sep>Word2<sep>Word3<sep>NNN

| Parameter | Value |
|---|---|
| Word count | 2 to 6 (default: 3) |
| Word pool | 40 common English words (nouns, adjectives, animals) |
| Separators | -, ., _, + (randomly selected) |
| Numeric suffix | 3-digit number (100-999) |
| Capitalization | First letter of each word |

Example outputs:
  • Tiger-Ocean-Brave-742
  • Cherry.Valley.Smart.319
  • Panda_Forest_Happy_856
Consecutive duplicate words are re-rolled to avoid patterns like Ocean-Ocean-River.

Entropy estimation

The estimateCrackTime() function estimates how long a password would take to brute-force, assuming 100 billion guesses per second (modern GPU cluster / ASIC throughput).

Calculation

  1. Determine charset size: Check which character classes are present (lowercase +26, uppercase +26, digits +10, symbols +33).
  2. Calculate entropy: entropy = log2(charset^length) bits.
  3. Estimate time: seconds = 2^entropy / 100,000,000,000.

Strength ratings

| Rating | Crack time |
|---|---|
| weak | Less than 30 days |
| medium | 30 days to 1 year |
| strong | 1 year to 10 years |
| very-strong | More than 10 years |

The function returns both a human-readable time string (e.g., “42M years”) and the strength rating.
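
The calculation and rating table above, written out as an added example (it is not the project's estimateCrackTime()). It goes one step further and computes the generator-space entropy of memorable mode from the parameters listed under Memorable passwords, which the charset-based formula does not reflect. The function names, the 365-day year, counting every non-alphanumeric character as a symbol, and one separator choice per password are assumptions.

```typescript
// Added example: mirrors the page's three-step estimate; not the project's code.
const GUESSES_PER_SECOND = 100e9 // page's assumption: 100 billion guesses/s
const DAY = 86_400
const YEAR = 365 * DAY // assumption: 365-day year
type Strength = 'weak' | 'medium' | 'strong' | 'very-strong'

// Step 1: charset size from the character classes present in the password.
function charsetSize(password: string): number {
  let size = 0
  if (/[a-z]/.test(password)) size += 26
  if (/[A-Z]/.test(password)) size += 26
  if (/[0-9]/.test(password)) size += 10
  if (/[^a-zA-Z0-9]/.test(password)) size += 33 // assumption: any other char is a symbol
  return size
}

// Step 2: log2(charset^length), computed as length * log2(charset) to avoid overflow.
function charsetEntropyBits(password: string): number {
  const size = charsetSize(password)
  return size === 0 ? 0 : password.length * Math.log2(size)
}

// Step 3 and the rating table: seconds = 2^entropy / guesses per second.
function rate(entropyBits: number): { seconds: number; strength: Strength } {
  const seconds = 2 ** entropyBits / GUESSES_PER_SECOND
  const strength: Strength =
    seconds < 30 * DAY ? 'weak'
    : seconds < YEAR ? 'medium'
    : seconds <= 10 * YEAR ? 'strong'
    : 'very-strong'
  return { seconds, strength }
}

// Generator-space entropy of memorable mode, from the documented parameters:
// 40-word pool, 4 separators, suffix 100-999, fixed capitalization.
function memorableEntropyBits(wordCount: number): number {
  const POOL = 40, SEPARATORS = 4, SUFFIXES = 900
  // First word has 40 choices; each later word 39 (consecutive duplicates re-rolled).
  const words = Math.log2(POOL) + (wordCount - 1) * Math.log2(POOL - 1)
  // Assumption: one separator is picked per password, as in the example outputs.
  return words + Math.log2(SEPARATORS) + Math.log2(SUFFIXES)
}
```

For Tiger-Ocean-Brave-742 the charset formula gives about 138 bits, while the generator's own choice space for three words is about 27.7 bits (219,024,000 combinations). The second figure is the one that applies when the word pool and format are known to whoever is guessing.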

Service-specific constraints

When generating passwords during automated resets, the generator checks the service registry for password requirements:
```json
{
  "minLength": 8,
  "maxLength": 64,
  "requireUppercase": true,
  "requireLowercase": true,
  "requireNumbers": true,
  "requireSymbols": false,
  "disallowedChars": "<>\"'",
  "specificSymbols": "!@#$%^&*"
}
```

| Constraint | Effect |
|---|---|
| minLength / maxLength | Overrides the default length for the selected complexity level |
| requireUppercase | Forces uppercase characters even for low complexity |
| requireLowercase | Forces lowercase characters |
| requireNumbers | Forces numeric characters |
| requireSymbols | Forces symbol characters |
| disallowedChars | Characters removed from the symbol set |
| specificSymbols | Replaces the default symbol set with service-specific symbols |

Some services have restrictive password policies (e.g., maximum 20 characters, no symbols). The generator adjusts its output to comply with these constraints to avoid reset failures.

API

The password generator exports three functions:

| Function | Description |
|---|---|
| generatePassword(complexity, options?) | Generate a password with the given complexity level. Custom options override defaults. |
| secureRandomInt(max) | Return a cryptographically secure random integer in [0, max). |
| estimateCrackTime(password) | Return { time, strength } for a given password string. |