Secure Password Generator

Quick start

Open Secure-Password-Generator.html in any modern browser and it works. No install, no config.

Open the HTML file in a browser (double-click, or serve it however you like).
Pick a mode — Simple → High Security, Custom, or Passphrase.
Set QTY and click Generate.
Click any masked card to reveal/copy, or use Copy All / Export .txt.

Security model

The whole point of the tool. Randomness is cryptographic, nothing is stored, and the file proves its own integrity.

Property	Detail
Randomness	All randomness comes from `crypto.getRandomValues()` (CSPRNG). `Math.random()` is never used anywhere.
Unbiased selection	The internal `secureRand()` uses rejection sampling, so there is no modulo bias — even across large word pools.
Zero persistence	No `localStorage`, no `sessionStorage`, no cookies, no server calls. Passwords live only in memory.
Client-side only	The entire app is one HTML file. Nothing is transmitted or logged.
Integrity hash	The footer shows a live SHA-256 of the page's own source. Publish that hash internally so users can verify the file hasn't been tampered with.
Clipboard hygiene	The clipboard pill lights when a password is copied, can be clicked to clear, and auto-clears after 8 seconds.

Air-gapped copies

The only outbound request the file makes is to Google Fonts for the display typeface. Remove the <link> tags in <head> for a fully zero-network copy.

Modes

Five fixed character-set modes, a fully custom builder, and a Diceware passphrase mode.

Fixed character-set modes

Each guarantees at least one character from every enabled class, fills the rest from the combined pool, then shuffles.

Mode	Length	Character set
Simple	12	A–Z, a–z, 0–9, `! - +`
Medium	16	A–Z, a–z, 0–9, `! @ # $ % ^ & * - _ + =`
Complex	24	adds `( ) [ ] { } < > ? / \|`
Extended	32	adds ~ `
High Security	64	adds `: ;` — maximum density and length

Custom

Full control over the pool, length (1–256), and structural constraints. Toggle Uppercase, Lowercase, Numbers, and Symbols independently.

Starts with letter — first character is always a letter.
No adjacent repeats — no character appears twice in a row.
Min 3 of each class — guarantees at least 3 chars from each enabled class.

Eight one-click presets set length, classes, filters, and constraints together:

Preset	Length	Notes
Service Account (AD Safe)	28	CLI-safe · starts with letter · min classes
Linux / CLI Safe Secret	24	CLI-safe symbols only
API Key / Token	48	alphanumeric, no symbols
Database Password	24	CLI-safe · no symbols · min classes
NIST SP 800-63B	20	non-ambiguous · all classes
Microsoft Azure AD	16	CLI-safe · min classes
AWS Secret Manager	32	alphanumeric · CLI-safe
WiFi WPA3	20	non-ambiguous · all classes

Passphrase

Word-based credentials from the EFF Large Wordlist (7,776 words, ~12.92 bits/word). The default is strict EFF Diceware — space-separated, no transforms — the recommended mode for any credential you must type or memorise.

Pool Depth — 1,000 / 2,000 / 4,000 / 7,776 words. Smaller pools read more easily; the full pool gives full EFF entropy.
Verbosity — Default (3–4), Extra (5–7), Advanced (7–9), Maximum (10–14) words.
Syntax — structures output as Subject·Verb·Object or Adjective·Noun for more pronounceable phrases.
Additional separators & transforms — off = strict Diceware; on = varied delimiters and transforms driven by Intensity.
Intensity — how aggressive the transforms and delimiter variety get in non-strict mode.

Global filters

Two toggles that apply on top of any mode. A warning appears if a filter empties the pool.

Non-Ambiguous

Strips visually confusable characters (0 1 O I L l o | / \ space . : ;). Use for printed or read-aloud credentials.

CLI-Safe

Strips shell-hostile characters (? " ' ` $ \ | < > & and space). Use for terminals, connection strings, and config files.

Output & card metadata

Each result is a card with live metadata. The strip below mirrors what every card shows.

Char Len28

Entropy184 bits

TierStrong

ResistPractically forever

Field	Meaning
Char Len	Total character count, including separators.
Entropy	Estimated bits of entropy for that specific value.
Tier	Strength classification (Moderate / Strong / etc.).
Resist	Estimated crack time at ~1 trillion guesses/second.

Card actions: click a card to copy it; click the eye to reveal a masked value; hold to peek. A stale badge appears when you change settings after generating.

Toolbar: Generate, Copy All (unmasked), Clear, Export .txt (timestamped, with a full metadata header), and Mask Output. Ctrl+P / File → Print produces a clean credential sheet.

How entropy is calculated

Different modes use different, honest estimates rather than one inflated number.

Fixed / Custom: length × log2(pool size). Custom subtracts a small penalty for constraints (min-classes, starts-with-letter) and shows the deduction inline.
Strict EFF passphrase: exactly words × log2(7776) ≈ 12.92 bits/word.
Syntax-engine passphrase: averages the log2 of each role pool's size.
Non-strict passphrase: pool-size based, with small bonuses for capitalisation and numeric suffixes.

Resist-time labels run from "< 1 minute" up to "Practically forever," keyed to the bit count.

Keyboard shortcuts

Ctrl + EnterGenerate new passwords Ctrl + SpaceToggle mask on/off Ctrl + Shift + BackspaceSyntax Overdrive — 10 rapid generations, then lock EscapeClose any open panel

SECURED pill commands

Click the SECURED pill (top-right), then type within 5 seconds.

noclipDisable clipboard copy — pill pulses red while active clipRe-enable clipboard

Awesome Mode

A green-on-black "Cryptographic Flavor Generator" skin with animated Matrix rain, hidden behind Corp mode. By design, Corp mode leaks no hint that it exists — these are the ways in.

Entering & exiting

Ctrl + Alt + ShiftToggle Awesome Mode on/off — the keyboard route in and out awesomeType into the SECURED pill (within 5s of clicking it) to switch on corpType into the SECURED pill to return to Corp mode

The Ctrl + Alt + Shift shortcut is intentionally absent from Corp mode's About panel — it only surfaces in the in-app reference once you're already in Awesome Mode. It's documented here because this is the full maintainer reference.

In passphrase mode, Awesome Mode adds a Flavor System: 16 themed word pools (D&D, Gibson, Star Trek, Star Wars, Cosmic Horror, Mythology, Linux Kernel, Corp Speak, Pirate, Dune, Dark Souls, Latin, Tolkien, Victorian, Arthurian, Hacker) you can blend into passphrases.

Conflicts — incompatible flavor pairs trigger a flash; click it to generate a Mutation card blending both pools.
Synergies — compatible pairs trigger a flash; click it for a Synergy Bonus card with dual output.
Intensity tiers drive the rain speed and colour: stable → volatile → chaotic → breach.
Insane Mode — activate all 16 flavors at once for a special skin.

This is cosmetic flavour layered on the same CSPRNG engine — it does not weaken the underlying entropy.

Acceptable use

Generate credentials for work accounts, service accounts, and internal systems.
Store generated values only in your approved password manager.
Never share passwords over unencrypted channels (email, chat).
Verify the footer SHA-256 against the published value before use on sensitive systems.
Always use the copy distributed from your official internal source.

Questions: contact your IT Security team via the internal helpdesk.

Technical notes

Single file. All HTML, CSS, and JS — including the full 7,776-word EFF wordlist — are inline. Nothing else is required to run it.
No dependencies / no build. Pure vanilla JS; works offline once fonts are cached or the font links are removed.
Browser support. Any modern browser with the Web Crypto API (crypto.getRandomValues, crypto.subtle).
Wordlist source. EFF Large Wordlist — eff.org/dice — CC BY 3.0 US.