secretgenerator · password
Auditable random password generator
Uses the OS CSPRNG with rejection sampling, no modulo bias. Default 20 characters at ~119 bits — well above the NIST SP 800-63B-4 floor. Class requirements (lower, upper, digit, symbol) are guaranteed, not nudged.
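An added example, not secretgenerator's own code: rejection sampling over crypto/rand, with required classes enforced by redrawing the whole candidate so the result stays uniform over the compliant passwords. The function names, the charset members and the redraw strategy are assumptions; the page does not say how the tool guarantees classes.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"strings"
)

const lower, upper, digit = "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789"
const alphanum = lower + upper + digit // constructed: the page does not list alphanum-v1's members

// uniformIndex returns an unbiased index in [0, n) for 1 <= n <= 256.
func uniformIndex(r io.Reader, n int) (int, error) {
	b := make([]byte, 1)
	for {
		if _, err := io.ReadFull(r, b); err != nil {
			return 0, err
		}
		if v := int(b[0]); v < 256-256%n { // drop the tail that would favour low indices
			return v % n, nil
		}
	}
}

// Generate assumes length >= len(classes); each class is a string of its members.
func Generate(r io.Reader, length int, charset string, classes ...string) (string, error) {
	buf := make([]byte, length)
redraw:
	for {
		for i := range buf {
			j, err := uniformIndex(r, len(charset))
			if err != nil {
				return "", err
			}
			buf[i] = charset[j]
		}
		for _, c := range classes {
			if !strings.ContainsAny(string(buf), c) {
				continue redraw // patching in one character instead would skew the distribution
			}
		}
		return string(buf), nil
	}
}

func main() {
	pw, err := Generate(rand.Reader, 20, alphanum, lower, upper, digit)
	fmt.Println(pw, err)
}
```

With 62 characters, byte values 248 to 255 are discarded, which costs about 3% of the random bytes drawn.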
defaults
| setting | value |
| --- | --- |
| length | 20 |
| charset | alphanum-v1 |
| min entropy | 80 bits (NIST floor) |
| algorithm | crypto/rand + rejection sampling |
generate
runs in your browser · WebAssembly · same code as the CLI
cli
```sh
secretgenerator password --json --show-crack-time
secretgenerator password --length 24 --charset alphanum-symbols-v1 --require-classes lower,upper,digit,symbol --json
secretgenerator password --require-schema-version=1 --json
```
snippets
```python
import secretgenerator_py as sg

# Request 24 characters with all four classes required.
result = sg.password(length=24, charset="alphanum-symbols-v1", require_classes="lower,upper,digit,symbol")
print(result["password"], "—", result["entropy_bits"], "bits")
```

```javascript
import { execFileSync } from "node:child_process";

// Call the CLI with an argument array (no shell) and pin the JSON schema version.
const json = execFileSync("secretgenerator", [
  "password", "--json", "--require-schema-version=1",
  "--length", "24", "--charset", "alphanum-symbols-v1", "--require-classes", "lower,upper,digit,symbol"
], { encoding: "utf8" });
const out = JSON.parse(json);
console.log(out.password, "—", out.entropy_bits, "bits");
```

```rust
use secretgenerator::{password, PasswordOptions};

fn main() -> Result<(), secretgenerator::Error> {
    // Start from the defaults and override length, charset and required classes.
    let r = password(PasswordOptions::default().length(24).charset("alphanum-symbols-v1").require_classes("lower,upper,digit,symbol"))?;
    println!("{} ({:.1} bits)", r.password, r.entropy_bits);
    Ok(())
}
```

```go
package main

import (
	"fmt"

	"github.com/rafaelperoco/secretgenerator/pkg/secretgen"
)

func main() {
	// Same request as the CLI example: 24 characters, all four classes required.
	res, err := secretgen.Password(secretgen.PasswordOptions{
		Length:          24,
		CharsetID:       "alphanum-symbols-v1",
		RequiredClasses: "lower,upper,digit,symbol",
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s (%.1f bits)\n", res.Password, res.EntropyBits)
}
```
faq
Is this safer than letting Claude or ChatGPT generate the password?
Yes. Recent studies show LLMs produce passwords with ~20 bits of effective entropy regardless of what they claim — they cannot uniformly sample. secretgenerator delegates to the OS CSPRNG so every output is uniform across the chosen charset.
Why does the JSON output omit the password by default in some commands?
It does not for password — the password field is part of schema v1. The entropy subcommand omits it because the caller already has the candidate. See docs/SCHEMA.md.
Can I disable the entropy floor?
Pass --allow-weak. The output will carry a warning entry that propagates to the audit log so the deviation is recorded.