random,
and we show the math.
passgen draws every character from crypto.randomBytes with rejection sampling so each one is uniform. then it tells you, in bits, how strong what you got is — and roughly how long it'd take a gpu farm to crack.
npm i -g @v0idd0/passgen
how many bits is enough?
passgen labels every output against a four-band rail. assumes an offline attacker at 1011 guesses/sec against a fast hash — bcrypt / argon2 servers are 10⁶× slower, so even “reasonable” is comfortable in real life.
default password
16 chars · entropy 103.1 bits
strength: very strong
diceware passphrase
5 words · 1024-word list
entropy 50 bits
system rejects symbols
letters + digits only
entropy ≈ 142 bits
seed file for ci
tokens, one per line. for
scripted provisioning.
three places it earns its keep.
npm
$ npm i -g @v0idd0/passgen
node 14+ on linux / macos / windows. zero runtime deps. uses node's built-in crypto module.
shell
$ passgen --json | jq -r .password \
| xclip -selection clipboard
generate, copy, move on. the --json form gives you password + bits + strength + crack time as one object.
memorable login
$ passgen -p --words 5 \
--capitalize --number-suffix
~63 bits of memorable phrase. better than “P@ssw0rd2024” on every axis — entropy, recall, typo rate.
most password generators just print a string. this one shows you the bits. a number you can defend in a security review beats “trust me, it's strong” every time.
no telemetry. no signup. no “upgrade for the enterprise rule pack.” mit forever, even if vøiddo dies tomorrow — the source is public and the npm package is yours to fork.