A lightweight, client-side password generator that creates strong, random passwords suitable for use with Microsoft, Google, Facebook, and other internet services.
No installation. No dependencies. No server. Open index.html in any modern browser and
start generating passwords.
- Open
index.htmldirectly in your browser for local use, or serve the folder from localhost / HTTPS if you want service-worker offline caching. - Adjust the settings using the toggle switches and length slider.
- Click Generate (or press Enter).
- Click Copy to copy the password to your clipboard.
That's it β no build step and no dependencies. When hosted on localhost or HTTPS, the app can also cache itself for later offline use after the first successful visit.
- Cryptographically secure β uses the browser-native
crypto.getRandomValues()API; never usesMath.random(). - Configurable β toggle character sets on/off, adjust length, and apply filters with a single click.
- Compatible β default settings produce passwords accepted by Microsoft, Google, Facebook, and virtually all other services.
- Zero dependencies β pure HTML, CSS, and JavaScript. No frameworks, no npm, no build tools.
- Private β passwords are generated entirely in your browser. Nothing is stored, logged, or sent over a network.
- Offline-capable β when served from localhost or HTTPS, a service worker precaches the app shell so the generator can reopen offline after it has been loaded once.
When the app is served from https:// or http://localhost, it registers sw.js and
precaches the core app shell:
index.htmlstyle.cssapp.js
After that first successful online load, later visits can be served from the browser cache even if the original host is temporarily unavailable.
- The first visit must be online so the service worker can install and cache the app shell.
- Service workers require a secure context (
https://) or localhost. They do not register when opening the app fromfile://. - If the browser's site data or cache is cleared, the offline copy is removed.
- Cached files are versioned in the service worker. Updating offline assets requires shipping a new service worker cache version.
| Control | Default | Range | Description |
|---|---|---|---|
| Length slider | 20 | 8 β 128 | Total number of characters in the password |
| Toggle | Default | Characters Included |
|---|---|---|
| Uppercase (AβZ) | ON | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
| Lowercase (aβz) | ON | abcdefghijklmnopqrstuvwxyz |
| Digits (0β9) | ON | 0123456789 |
| Special (!@#$β¦) | ON | `!@#$%^&*()-_=+[]{} |
At least one character set must remain enabled. When a set is ON, the generated password is guaranteed to contain at least one character from that set.
| Toggle | Default | Effect |
|---|---|---|
| Exclude ambiguous | OFF | Removes 0 O o l 1 I | β useful when reading aloud |
| Exclude similar | OFF | Removes { } [ ] ( ) / \ ' " \ ~ , ; : . < >` |
| No consecutive repeats | ON | Prevents the same character from appearing twice in a row |
| Begin with a letter | OFF | Ensures the first character is always a letter (aβz, AβZ) |
The application is a single-page web app with a clear separation of concerns:
passwordgenerator/
βββ index.html UI structure and element wiring
βββ style.css All visual styling (dark theme, responsive layout)
βββ app.js Password generation engine + DOM event handling
βββ sw.js Service worker for offline app-shell caching
βββ tests.html Browser-based test suite (open in browser to run)
βββ tests.py Command-line test suite (run with: python tests.py)
βββ .github/
β βββ CODEOWNERS Requires @henrik-me ownership for workflow changes
β βββ workflows/
β βββ deploy-azure-static-web-app.yml
β Manual production deploy workflow for Azure Static Web Apps
βββ INSTRUCTIONS.md Full project specification and requirements
βββ README.md This file
The core generatePassword(options) function:
- Builds a character pool from the enabled character-set toggles.
- Applies exclusion filters (
excludeAmbiguous,excludeSimilar) by removing matched characters from the pool. - Guarantees inclusion β picks one random character from each enabled set first.
- Fills the remainder from the combined pool using
crypto.getRandomValues(). - Shuffles the result with a Fisher-Yates shuffle (also cryptographically random).
- Enforces constraints β
noConsecutiveRepeatsandbeginWithLetterare applied as post-processing passes. - Validates inputs and returns clear error messages for invalid configurations.
The generation logic is a standalone function at the top of app.js with no DOM dependencies,
making it easy to extract into a module or call from a future backend API.
- Dark theme with accessible contrast ratios.
- Pure-CSS toggle switches (styled checkboxes β no JavaScript for the switch animation).
- Responsive layout that works on desktop and mobile.
- Password output uses
user-select: allfor easy manual selection and a dedicated Copy button with brief "Copied!" feedback. - Inline error messages appear when settings are invalid (e.g., all character sets disabled).
- A password is generated automatically on page load with the default settings.
- When supported, a service worker caches the app shell so the page can load offline after the first hosted visit.
- All randomness comes from
crypto.getRandomValues()β a CSPRNG. - Passwords exist only in JavaScript memory and the clipboard. They are never written to
localStorage, cookies, disk, or any network endpoint. - No analytics, telemetry, or third-party scripts are loaded.
Tests must be run before every commit. Two equivalent test suites are provided:
Open tests.html in any browser. Results appear on-screen with a pass/fail summary.
python tests.pyRequires Python 3.6+ (uses only the standard library). Exits with code 0 on success, 1 on
failure.
The test suite covers all 11 areas specified in INSTRUCTIONS.md:
- Default generation (length, character mix)
- Length bounds (min/max, out-of-range errors)
- Individual character sets (isolation)
- Guaranteed inclusion (multi-set representation)
- Exclude ambiguous filter
- Exclude similar filter
- No consecutive repeats (on/off)
- Begin with letter (on/off, error when no letters available)
- All character sets disabled (error handling)
- Edge cases (short length, small pool, combined filters)
- Bulk / fuzz run (50 passwords under default settings)
The repository includes a manual-only GitHub Actions workflow at
.github/workflows/deploy-azure-static-web-app.yml for production deployment to Azure Static Web
Apps.
- Create an Azure Static Web App in Azure.
- Copy its deployment token into the GitHub
productionenvironment as the secretAZURE_STATIC_WEB_APPS_API_TOKEN. - Run Actions β Deploy Azure Static Web App manually from the
mainbranch. - Approve the job through the protected
productionenvironment before deployment proceeds.
- The workflow is triggered by
workflow_dispatchonly β it does not auto-deploy on pushes or pull requests. - The deploy job runs only when the selected ref is
main. - The workflow runs the existing
python tests.pysuite before deployment. - Only the app files (
index.html,style.css,app.js,sw.js) are copied into the deploy bundle, so docs and tests are not published. - Workflow file changes are covered by CODEOWNERS and routed to
@henrik-me.
With default settings, generated passwords satisfy:
| Service | Min Length | Char Types Required | β Met by Defaults |
|---|---|---|---|
| Microsoft | 8 | 3 of 4 (upper, lower, digit, sym) | Yes (all 4) |
| 8 | Mix recommended, not enforced | Yes | |
| 6 | Mix recommended, not enforced | Yes |
Important: This README must be updated whenever the application changes. Specifically:
- New features or settings β add them to the Settings Reference and Design sections.
- New files β update the Architecture file tree.
- Changed defaults β update the Settings Reference tables.
- New test categories β update the Test Coverage list.
- New service compatibility β update the Compatibility table.
- Breaking changes β note them prominently at the top of this file.
A pull request that changes functionality without updating this README is incomplete.
- Password storage / vault (with .NET backend)
- Master-password or biometric unlock
- Browser extension and auto-fill
- Password strength meter
- Passphrase generation (word-based)
- Cloud sync
See INSTRUCTIONS.md for the full project specification.
Last updated: April 2026