secretgenerator · pin
Auditable numeric PIN generator
PINs are intrinsically low-entropy (a 4-digit PIN carries only ~13 bits), so the subcommand requires --acknowledge-low-entropy. Output is rejected when it matches an all-same-digit pattern, a strict sequence, one of the DataGenetics-2012 top-20 most-common PINs, a calendar year, or a short repetition. Use only with rate-limited verifiers.
defaults
| digits | 6 (~19.9 bits) |
| blocklist | Top-20 + sequences + years |
| acknowledgement | Required |
generate
runs in your browser · WebAssembly · same code as the CLI
Default 6 digits
secretgenerator pin --acknowledge-low-entropy --json
8 digits with crack time
secretgenerator pin --digits 8 --acknowledge-low-entropy --show-crack-time --json
Disable blocklist (NOT RECOMMENDED)
secretgenerator pin --acknowledge-low-entropy --allow-weak-pattern --json
snippets
Python generate_pin.py
import secretgenerator_py as sg
result = sg.pin(digits=6)
print(result["password"], "—", result["entropy_bits"], "bits")
Node.js generate-pin.mjs
import { execFileSync } from "node:child_process";
const json = execFileSync("secretgenerator", [
"pin", "--json", "--require-schema-version=1",
"--digits", "6", "--acknowledge-low-entropy"
], { encoding: "utf8" });
const out = JSON.parse(json);
console.log(out.password, "—", out.entropy_bits, "bits");
Rust main.rs
use secretgenerator::{pin, PinOptions};

fn main() -> Result<(), secretgenerator::Error> {
    let r = pin(PinOptions::default().digits(6))?;
    println!("{} ({:.1} bits)", r.password, r.entropy_bits);
    Ok(())
}
faq
Why require --acknowledge-low-entropy?
Forcing the caller to spell it out makes accidental misuse loud. PINs belong on rate-limited verifiers (banking apps, hardware tokens) — never as primary authenticators.
What's in the weak-pattern blocklist?
All-same-digit (1111), strict sequences (1234, 9876), short repetitions (1212, 123123), the DataGenetics 2012 top-20 most-common PINs, and four-digit calendar years from 1900–2099.
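The blocklist rules above, sketched as an added Python example that is not secretgenerator's own code. Function names are hypothetical, SAMPLE_COMMON_PINS is a constructed stand-in for the DataGenetics list, and two behaviours are assumptions: sequences do not wrap from 9 to 0, and the year rule applies only to four-digit PINs.

```python
import math
import secrets

# Constructed stand-in for the DataGenetics top-20 list; NOT the tool's data.
SAMPLE_COMMON_PINS = frozenset({"1004", "6969", "4321"})


def weak_reason(pin, common=SAMPLE_COMMON_PINS):
    """Return the first weak-pattern rule the PIN matches, or None."""
    n = len(pin)
    if len(set(pin)) == 1:
        return "all-same-digit"                      # 1111
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return "strict-sequence"                     # 1234, 9876 (no 9->0 wrap)
    for size in range(2, n // 2 + 1):
        if n % size == 0 and pin == pin[:size] * (n // size):
            return "short-repetition"                # 1212, 123123
    if n == 4 and 1900 <= int(pin) <= 2099:
        return "calendar-year"                       # assumed: 4-digit PINs only
    if pin in common:
        return "common-pin"
    return None


def generate_pin(digits=6, common=SAMPLE_COMMON_PINS):
    """Rejection sampling: draw uniformly from a CSPRNG, redraw on a match."""
    while True:
        pin = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if weak_reason(pin, common) is None:
            return pin


def effective_bits(digits, common=SAMPLE_COMMON_PINS):
    """Enumerate the PIN space; return (rejected count, bits left after filtering)."""
    total = 10 ** digits
    rejected = sum(
        weak_reason(f"{i:0{digits}d}", common) is not None for i in range(total)
    )
    return rejected, math.log2(total - rejected)


if __name__ == "__main__":
    print(generate_pin(6))
    print(effective_bits(4))
```

With this sample list, four-digit filtering rejects 313 of 10,000 candidates and leaves about 13.24 bits, so the filter costs little entropy while removing the most predictable values.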