diff --git a/src/components/SecretForm.enhanced.test.tsx b/src/components/SecretForm.enhanced.test.tsx
new file mode 100644
index 0000000..4b4b9d6
--- /dev/null
+++ b/src/components/SecretForm.enhanced.test.tsx
@@ -0,0 +1,287 @@
+// SPDX-FileCopyrightText: 2025 SecPal
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen, waitFor } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { SecretForm } from "./SecretForm";
+
+describe("SecretForm", () => {
+  const mockOnSubmit = vi.fn();
+  const mockOnCancel = vi.fn();
+
+  const defaultProps = {
+    onSubmit: mockOnSubmit,
+    onCancel: mockOnCancel,
+    submitLabel: "Save",
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe("Password Generator", () => {
+    it("should generate password when generate button clicked", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const passwordInput = screen.getByLabelText("Password", { selector: "input" });
+      const generateButton = screen.getByLabelText(/generate password/i);
+
+      expect(passwordInput).toHaveValue("");
+
+      await userEvent.click(generateButton);
+
+      expect(passwordInput).not.toHaveValue("");
+      const generatedPassword = (passwordInput as HTMLInputElement).value;
+      expect(generatedPassword).toHaveLength(16);
+    });
+
+    it("should show password strength indicator when password is entered", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const passwordInput = screen.getByLabelText("Password", { selector: "input" });
+
+      // Type weak password
+      await userEvent.type(passwordInput, "abc");
+
+      await waitFor(() => {
+        expect(screen.getByText(/weak/i)).toBeInTheDocument();
+      });
+    });
+
+    it("should update strength indicator as password improves", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const passwordInput = screen.getByLabelText("Password", { selector: "input" });
+
+      // Type weak password
+      await userEvent.type(passwordInput, "abc");
+      await waitFor(() => {
+        expect(screen.getByText(/weak/i)).toBeInTheDocument();
+      });
+
+      // Improve to strong password
+      await userEvent.clear(passwordInput);
+      await userEvent.type(passwordInput, "MyP@ssw0rd!");
+      await waitFor(() => {
+        expect(screen.getByText(/strong/i)).toBeInTheDocument();
+      });
+    });
+
+    it("should toggle password visibility", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const passwordInput = screen.getByLabelText(
+        "Password", { selector: "input" }
+      ) as HTMLInputElement;
+      const toggleButton = screen.getByLabelText(/show password/i);
+
+      expect(passwordInput.type).toBe("password");
+
+      await userEvent.click(toggleButton);
+      expect(passwordInput.type).toBe("text");
+
+      await userEvent.click(toggleButton);
+      expect(passwordInput.type).toBe("password");
+    });
+  });
+
+  describe("Tag Input", () => {
+    it("should add tag when Add button clicked", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const tagInput = screen.getByPlaceholderText(/enter tag name/i);
+      const addButton = screen.getByRole("button", { name: /add/i });
+
+      await userEvent.type(tagInput, "work");
+      await userEvent.click(addButton);
+
+      expect(screen.getByText(/#work/i)).toBeInTheDocument();
+      expect(tagInput).toHaveValue("");
+    });
+
+    it("should add tag when Enter key pressed", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const tagInput = screen.getByPlaceholderText(/enter tag name/i);
+
+      await userEvent.type(tagInput, "email{Enter}");
+
+      expect(screen.getByText(/#email/i)).toBeInTheDocument();
+      expect(tagInput).toHaveValue("");
+    });
+
+    it("should remove tag when X button clicked", async () => {
+      render(
+        <SecretForm
+          {...defaultProps}
+          initialValues={{ tags: ["work", "email"] }}
+        />
+      );
+
+      const removeButton = screen.getByLabelText(/remove tag work/i);
+      await userEvent.click(removeButton);
+
+      expect(screen.queryByText(/#work/i)).not.toBeInTheDocument();
+      expect(screen.getByText(/#email/i)).toBeInTheDocument();
+    });
+
+    it("should remove last tag on Backspace when input empty", async () => {
+      render(
+        <SecretForm
+          {...defaultProps}
+          initialValues={{ tags: ["work", "email"] }}
+        />
+      );
+
+      const tagInput = screen.getByPlaceholderText(/enter tag name/i);
+
+      // Focus input and press Backspace
+      await userEvent.click(tagInput);
+      await userEvent.keyboard("{Backspace}");
+
+      // Last tag (email) should be removed
+      expect(screen.queryByText(/#email/i)).not.toBeInTheDocument();
+      expect(screen.getByText(/#work/i)).toBeInTheDocument();
+    });
+
+    it("should not add duplicate tags", async () => {
+      render(
+        <SecretForm {...defaultProps} initialValues={{ tags: ["work"] }} />
+      );
+
+      const tagInput = screen.getByPlaceholderText(/enter tag name/i);
+
+      await userEvent.type(tagInput, "work{Enter}");
+
+      // Should still have only one "work" tag
+      const workTags = screen.getAllByText(/#work/i);
+      expect(workTags).toHaveLength(1);
+    });
+
+    it("should trim whitespace from tags", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const tagInput = screen.getByPlaceholderText(/enter tag name/i);
+
+      await userEvent.type(tagInput, "  work  {Enter}");
+
+      expect(screen.getByText(/#work/i)).toBeInTheDocument();
+    });
+  });
+
+  describe("Expiration Date Picker", () => {
+    it("should set expiration date", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const dateInput = screen.getByLabelText(/expiration date/i);
+
+      await userEvent.type(dateInput, "2025-12-31");
+
+      expect(dateInput).toHaveValue("2025-12-31");
+    });
+
+    it("should submit form with expiration date in ISO format", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const titleInput = screen.getByLabelText(/title/i);
+      const dateInput = screen.getByLabelText(/expiration date/i);
+      const submitButton = screen.getByRole("button", { name: /save/i });
+
+      await userEvent.type(titleInput, "Test Secret");
+      await userEvent.type(dateInput, "2025-12-31");
+      await userEvent.click(submitButton);
+
+      await waitFor(() => {
+        expect(mockOnSubmit).toHaveBeenCalledWith(
+          expect.objectContaining({
+            title: "Test Secret",
+            expires_at: "2025-12-31T23:59:59Z",
+          })
+        );
+      });
+    });
+
+    it("should load initial expiration date", () => {
+      render(
+        <SecretForm
+          {...defaultProps}
+          initialValues={{ expires_at: "2025-12-31T23:59:59Z" }}
+        />
+      );
+
+      const dateInput = screen.getByLabelText(
+        /expiration date/i
+      ) as HTMLInputElement;
+      expect(dateInput.value).toBe("2025-12-31");
+    });
+
+    it("should have minimum date set to today", () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const dateInput = screen.getByLabelText(
+        /expiration date/i
+      ) as HTMLInputElement;
+      const today = new Date().toISOString().split("T")[0];
+
+      expect(dateInput.min).toBe(today);
+    });
+  });
+
+  describe("Form Submission", () => {
+    it("should include all new features in submission", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const titleInput = screen.getByLabelText(/title/i);
+      const passwordInput = screen.getByLabelText("Password", { selector: "input" });
+      const tagInput = screen.getByPlaceholderText(/enter tag name/i);
+      const dateInput = screen.getByLabelText(/expiration date/i);
+      const submitButton = screen.getByRole("button", { name: /save/i });
+
+      // Fill form
+      await userEvent.type(titleInput, "Test Secret");
+      await userEvent.type(passwordInput, "MyP@ssw0rd!");
+      await userEvent.type(tagInput, "work{Enter}");
+      await userEvent.type(tagInput, "important{Enter}");
+      await userEvent.type(dateInput, "2025-12-31");
+      await userEvent.click(submitButton);
+
+      await waitFor(() => {
+        expect(mockOnSubmit).toHaveBeenCalledWith({
+          title: "Test Secret",
+          username: "",
+          password: "MyP@ssw0rd!",
+          url: "",
+          notes: "",
+          tags: ["work", "important"],
+          expires_at: "2025-12-31T23:59:59Z",
+        });
+      });
+    });
+  });
+
+  describe("Accessibility", () => {
+    it("should have proper labels for new fields", () => {
+      render(<SecretForm {...defaultProps} />);
+
+      expect(screen.getByLabelText(/generate password/i)).toBeInTheDocument();
+      expect(screen.getByLabelText(/expiration date/i)).toBeInTheDocument();
+      expect(
+        screen.getByPlaceholderText(/enter tag name/i)
+      ).toBeInTheDocument();
+    });
+
+    it("should have keyboard navigation for tags", async () => {
+      render(<SecretForm {...defaultProps} />);
+
+      const tagInput = screen.getByPlaceholderText(/enter tag name/i);
+
+      // Add tags with keyboard
+      await userEvent.type(tagInput, "work{Enter}");
+      await userEvent.type(tagInput, "email{Enter}");
+
+      expect(screen.getByText(/#work/i)).toBeInTheDocument();
+      expect(screen.getByText(/#email/i)).toBeInTheDocument();
+    });
+  });
+});
diff --git a/src/components/SecretForm.tsx b/src/components/SecretForm.tsx
index a5e0604..1ae67ac 100644
--- a/src/components/SecretForm.tsx
+++ b/src/components/SecretForm.tsx
@@ -1,8 +1,9 @@
 // SPDX-FileCopyrightText: 2025 SecPal
 // SPDX-License-Identifier: AGPL-3.0-or-later
 
-import { useState, FormEvent } from "react";
+import { useState, FormEvent, useMemo } from "react";
 import { Button } from "@headlessui/react";
+import { generatePassword, assessPasswordStrength } from "../lib/passwordUtils";
 
 export interface SecretFormData {
   title: string;
@@ -23,6 +24,39 @@ export interface SecretFormProps {
   error?: string;
 }
 
+// Helper functions for password strength indicator styling
+type PasswordStrengthLevel = "weak" | "medium" | "strong" | "very-strong";
+
+function getStrengthStyles(strength: PasswordStrengthLevel): string {
+  const styles: Record<PasswordStrengthLevel, string> = {
+    weak: "w-1/4 bg-red-500",
+    medium: "w-2/4 bg-yellow-500",
+    strong: "w-3/4 bg-green-500",
+    "very-strong": "w-full bg-green-600",
+  };
+  return styles[strength] ?? styles.weak;
+}
+
+function getStrengthTextColor(strength: PasswordStrengthLevel): string {
+  const colors: Record<PasswordStrengthLevel, string> = {
+    weak: "text-red-600 dark:text-red-400",
+    medium: "text-yellow-600 dark:text-yellow-400",
+    strong: "text-green-600 dark:text-green-400",
+    "very-strong": "text-green-700 dark:text-green-300",
+  };
+  return colors[strength] ?? colors.weak;
+}
+
+function getStrengthLabel(strength: PasswordStrengthLevel): string {
+  const labels: Record<PasswordStrengthLevel, string> = {
+    weak: "Weak",
+    medium: "Medium",
+    strong: "Strong",
+    "very-strong": "Very Strong",
+  };
+  return labels[strength] ?? labels.weak;
+}
+
 /**
  * Reusable form component for creating and editing secrets
  *
@@ -53,6 +87,54 @@ export function SecretForm({
 
   const [showPassword, setShowPassword] = useState(false);
   const [validationError, setValidationError] = useState<string>("");
+  const [tagInput, setTagInput] = useState<string>("");
+
+  // Memoize password strength to avoid recalculating on every render
+  const passwordStrength = useMemo(
+    () =>
+      formData.password ? assessPasswordStrength(formData.password) : null,
+    [formData.password]
+  );
+
+  const handleGeneratePassword = () => {
+    const newPassword = generatePassword(16);
+    setFormData((prev) => ({ ...prev, password: newPassword }));
+  };
+
+  const handleAddTag = () => {
+    const tag = tagInput.trim();
+    if (tag && !formData.tags.includes(tag)) {
+      setFormData((prev) => ({
+        ...prev,
+        tags: [...prev.tags, tag],
+      }));
+      setTagInput("");
+    }
+  };
+
+  const handleRemoveTag = (tagToRemove: string) => {
+    setFormData((prev) => ({
+      ...prev,
+      tags: prev.tags.filter((tag) => tag !== tagToRemove),
+    }));
+  };
+
+  const handleTagInputKeyDown = (e: React.KeyboardEvent<HTMLInputElement>) => {
+    if (e.key === "Enter") {
+      e.preventDefault();
+      handleAddTag();
+    } else if (
+      e.key === "Backspace" &&
+      tagInput === "" &&
+      formData.tags.length > 0
+    ) {
+      // Remove last tag on backspace when input is empty
+      const lastTag = formData.tags[formData.tags.length - 1];
+      if (lastTag) {
+        handleRemoveTag(lastTag);
+      }
+    }
+  };
 
   const handleSubmit = async (e: FormEvent) => {
     e.preventDefault();
@@ -146,7 +228,47 @@ export function SecretForm({
           >
             {showPassword ? "Hide" : "Show"}
           </button>
+          <button
+            type="button"
+            onClick={handleGeneratePassword}
+            aria-label="Generate password"
+            title="Generate secure password"
+            className="rounded-md border border-zinc-300 bg-white px-3 py-2 text-sm font-medium text-zinc-700 hover:bg-zinc-50 dark:border-zinc-700 dark:bg-zinc-800 dark:text-zinc-300 dark:hover:bg-zinc-700"
+          >
+            Generate
+          </button>
         </div>
+
+        {/* Password Strength Indicator */}
+        {passwordStrength && formData.password.length > 0 && (
+          <div className="mt-2">
+            <div className="flex items-center gap-2">
+              <div className="h-2 flex-1 overflow-hidden rounded-full bg-zinc-200 dark:bg-zinc-700">
+                <div
+                  className={`h-full transition-all duration-300 ${getStrengthStyles(
+                    passwordStrength.strength as PasswordStrengthLevel
+                  )}`}
+                />
+              </div>
+              <span
+                className={`text-xs font-medium ${getStrengthTextColor(
+                  passwordStrength.strength as PasswordStrengthLevel
+                )}`}
+              >
+                {getStrengthLabel(
+                  passwordStrength.strength as PasswordStrengthLevel
+                )}
+              </span>
+            </div>
+            {passwordStrength.feedback.length > 0 && (
+              <ul className="mt-1 text-xs text-zinc-600 dark:text-zinc-400">
+                {passwordStrength.feedback.map((fb, idx) => (
+                  <li key={idx}>• {fb}</li>
+                ))}
+              </ul>
+            )}
+          </div>
+        )}
       </div>
 
       {/* URL */}
@@ -186,6 +308,87 @@ export function SecretForm({
         />
       </div>
 
+      {/* Tags */}
+      <div>
+        <label
+          htmlFor="tag-input"
+          className="block text-sm font-medium text-zinc-700 dark:text-zinc-300"
+        >
+          Tags
+        </label>
+        <div className="mt-1">
+          {/* Display existing tags */}
+          {formData.tags.length > 0 && (
+            <div className="mb-2 flex flex-wrap gap-2">
+              {formData.tags.map((tag) => (
+                <span
+                  key={tag}
+                  className="inline-flex items-center gap-1 rounded-md bg-zinc-100 px-2 py-1 text-sm text-zinc-700 dark:bg-zinc-800 dark:text-zinc-300"
+                >
+                  #{tag}
+                  <button
+                    type="button"
+                    onClick={() => handleRemoveTag(tag)}
+                    aria-label={`Remove tag ${tag}`}
+                    className="text-zinc-500 hover:text-zinc-700 dark:text-zinc-400 dark:hover:text-zinc-200"
+                  >
+                    ×
+                  </button>
+                </span>
+              ))}
+            </div>
+          )}
+          {/* Tag input */}
+          <div className="flex gap-2">
+            <input
+              type="text"
+              id="tag-input"
+              value={tagInput}
+              onChange={(e) => setTagInput(e.target.value)}
+              onKeyDown={handleTagInputKeyDown}
+              disabled={isSubmitting}
+              placeholder="Enter tag name"
+              className="block w-full rounded-md border border-zinc-300 bg-white px-3 py-2 text-sm text-zinc-900 placeholder-zinc-400 focus:border-zinc-900 focus:outline-none focus:ring-1 focus:ring-zinc-900 disabled:bg-zinc-100 dark:border-zinc-700 dark:bg-zinc-800 dark:text-white dark:focus:border-white dark:focus:ring-white"
+            />
+            <button
+              type="button"
+              onClick={handleAddTag}
+              disabled={isSubmitting || !tagInput.trim()}
+              className="rounded-md border border-zinc-300 bg-white px-4 py-2 text-sm font-medium text-zinc-700 hover:bg-zinc-50 disabled:opacity-50 dark:border-zinc-700 dark:bg-zinc-800 dark:text-zinc-300 dark:hover:bg-zinc-700"
+            >
+              Add
+            </button>
+          </div>
+          <p className="mt-1 text-xs text-zinc-500 dark:text-zinc-400">
+            Press Enter to add a tag
+          </p>
+        </div>
+      </div>
+
+      {/* Expiration Date */}
+      <div>
+        <label
+          htmlFor="expires_at"
+          className="block text-sm font-medium text-zinc-700 dark:text-zinc-300"
+        >
+          Expiration Date (Optional)
+        </label>
+        <input
+          type="date"
+          id="expires_at"
+          value={formData.expires_at?.split("T")[0] ?? ""}
+          onChange={(e) =>
+            handleChange(
+              "expires_at",
+              e.target.value ? `${e.target.value}T23:59:59Z` : ""
+            )
+          }
+          disabled={isSubmitting}
+          min={new Date().toISOString().split("T")[0]}
+          className="mt-1 block w-full rounded-md border border-zinc-300 bg-white px-3 py-2 text-sm text-zinc-900 placeholder-zinc-400 focus:border-zinc-900 focus:outline-none focus:ring-1 focus:ring-zinc-900 disabled:bg-zinc-100 dark:border-zinc-700 dark:bg-zinc-800 dark:text-white dark:focus:border-white dark:focus:ring-white"
+        />
+      </div>
+
       {/* Action Buttons */}
       <div className="flex justify-end gap-3">
         <Button
diff --git a/src/lib/passwordUtils.test.ts b/src/lib/passwordUtils.test.ts
new file mode 100644
index 0000000..e56f92e
--- /dev/null
+++ b/src/lib/passwordUtils.test.ts
@@ -0,0 +1,171 @@
+// SPDX-FileCopyrightText: 2025 SecPal
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+import { describe, it, expect } from "vitest";
+import { generatePassword, assessPasswordStrength } from "./passwordUtils";
+
+describe("password Utils", () => {
+  describe("generatePassword", () => {
+    it("should generate password with default length (16 characters)", () => {
+      const password = generatePassword();
+      expect(password).toHaveLength(16);
+    });
+
+    it("should generate password with custom length", () => {
+      const password = generatePassword(24);
+      expect(password).toHaveLength(24);
+    });
+
+    it("should include uppercase letters by default", () => {
+      const password = generatePassword(100); // Longer for better chance
+      expect(password).toMatch(/[A-Z]/);
+    });
+
+    it("should include lowercase letters by default", () => {
+      const password = generatePassword(100);
+      expect(password).toMatch(/[a-z]/);
+    });
+
+    it("should include numbers by default", () => {
+      const password = generatePassword(100);
+      expect(password).toMatch(/[0-9]/);
+    });
+
+    it("should include symbols by default", () => {
+      const password = generatePassword(100);
+      expect(password).toMatch(/[!@#$%^&*()_+\-=[\]{}|;:,.<>?]/);
+    });
+
+    it("should generate password with only lowercase when all others disabled", () => {
+      const password = generatePassword(16, {
+        uppercase: false,
+        numbers: false,
+        symbols: false,
+        lowercase: true,
+      });
+      expect(password).toMatch(/^[a-z]+$/);
+    });
+
+    it("should throw error if no character sets enabled", () => {
+      expect(() =>
+        generatePassword(16, {
+          uppercase: false,
+          lowercase: false,
+          numbers: false,
+          symbols: false,
+        })
+      ).toThrow("At least one character set must be enabled");
+    });
+
+    it("should throw error if length too short for required character sets", () => {
+      expect(() =>
+        generatePassword(2, {
+          uppercase: true,
+          lowercase: true,
+          numbers: true,
+          symbols: true,
+        })
+      ).toThrow(
+        "Password length must be at least the number of required character sets"
+      );
+    });
+
+    it("should generate different passwords on each call", () => {
+      const password1 = generatePassword();
+      const password2 = generatePassword();
+      expect(password1).not.toBe(password2);
+    });
+  });
+
+  describe("assessPasswordStrength", () => {
+    it("should rate very short password as weak", () => {
+      const result = assessPasswordStrength("abc");
+      expect(result.strength).toBe("weak");
+      expect(result.score).toBeLessThan(30);
+    });
+
+    it("should rate simple password as weak", () => {
+      const result = assessPasswordStrength("password");
+      expect(result.strength).toBe("weak");
+      expect(result.feedback).toContain("Avoid common words and patterns");
+    });
+
+    it("should rate 8-character simple password as weak to medium", () => {
+      const result = assessPasswordStrength("abcd1234");
+      expect(["weak", "medium"]).toContain(result.strength);
+    });
+
+    it("should rate password with mixed characters as strong", () => {
+      const result = assessPasswordStrength("MyP@ssw0rd!");
+      expect(["strong", "very-strong"]).toContain(result.strength);
+    });
+
+    it("should rate long diverse password as very-strong", () => {
+      // 16 chars (40 pts) + 4 char types (40 pts) = 80 pts -> very-strong
+      const result = assessPasswordStrength("Xy7#aB2$cD9!eF1@");
+      expect(result.strength).toBe("very-strong");
+      expect(result.score).toBeGreaterThanOrEqual(80);
+    });
+
+    it("should penalize repeating characters", () => {
+      const result1 = assessPasswordStrength("Abcd1234!@");
+      const result2 = assessPasswordStrength("Aaaa1234!@");
+      expect(result2.score).toBeLessThan(result1.score);
+      expect(result2.feedback).toContain("Avoid repeating characters");
+    });
+
+    it("should penalize common patterns", () => {
+      const commonPasswords = [
+        "password123",
+        "123456abc",
+        "qwerty123",
+        "admin123",
+      ];
+
+      commonPasswords.forEach((password) => {
+        const result = assessPasswordStrength(password);
+        expect(result.feedback).toContain("Avoid common words and patterns");
+      });
+    });
+
+    it("should provide helpful feedback for weak passwords", () => {
+      const result = assessPasswordStrength("abc");
+      expect(result.feedback.length).toBeGreaterThan(0);
+      expect(result.feedback).toContain(
+        "Password should be at least 8 characters"
+      );
+    });
+
+    it("should score 100 maximum", () => {
+      const result = assessPasswordStrength(
+        "VeryLongP@ssw0rd!WithManyCh@rs12345"
+      );
+      expect(result.score).toBeLessThanOrEqual(100);
+    });
+
+    it("should handle empty password", () => {
+      const result = assessPasswordStrength("");
+      expect(result.strength).toBe("weak");
+      expect(result.score).toBeLessThan(30);
+    });
+
+    it("should categorize scores correctly", () => {
+      // Test boundary conditions
+      const testCases = [
+        { password: "ab" }, // < 30 - weak
+        { password: "abcd1234" }, // ~30-50 - weak to medium
+        { password: "Abcd1234" }, // ~50-60 - medium
+        { password: "Abcd1234!" }, // ~60-85 - strong
+        { password: "Xy7#aB2$cD9!" }, // ~85+ - strong/very-strong
+      ];
+
+      testCases.forEach(({ password }) => {
+        const result = assessPasswordStrength(password);
+        // All passwords should return a valid strength category
+        expect(["weak", "medium", "strong", "very-strong"]).toContain(
+          result.strength
+        );
+      });
+    });
+  });
+});
diff --git a/src/lib/passwordUtils.ts b/src/lib/passwordUtils.ts
new file mode 100644
index 0000000..3594bf0
--- /dev/null
+++ b/src/lib/passwordUtils.ts
@@ -0,0 +1,223 @@
+// SPDX-FileCopyrightText: 2025 SecPal
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+/**
+ * Password utility functions for generation and strength assessment
+ */
+
+/**
+ * Get a cryptographically secure random integer in range [0, max)
+ * @param max - Upper bound (exclusive)
+ * @returns Random integer
+ */
+function getSecureRandomInt(max: number): number {
+  const randomBuffer = new Uint32Array(1);
+  crypto.getRandomValues(randomBuffer);
+  const randomValue = randomBuffer[0];
+  if (randomValue === undefined) {
+    throw new Error("Failed to generate random value");
+  }
+  return Math.floor((randomValue / (0xffffffff + 1)) * max);
+}
+
+/**
+ * Generate a secure random password
+ *
+ * @param length - Password length (default: 16)
+ * @param options - Character set options
+ * @returns Generated password
+ *
+ * @example
+ * ```ts
+ * const password = generatePassword();
+ * console.log(password); // e.g., "Xy7#aB2$cD9!eF1@"
+ * ```
+ *
+ * @security
+ * Uses `crypto.getRandomValues()` for cryptographically secure random number generation.
+ * All randomness (character selection and shuffling) is cryptographically secure.
+ */
+export function generatePassword(
+  length: number = 16,
+  options: {
+    uppercase?: boolean;
+    lowercase?: boolean;
+    numbers?: boolean;
+    symbols?: boolean;
+  } = {}
+): string {
+  const {
+    uppercase = true,
+    lowercase = true,
+    numbers = true,
+    symbols = true,
+  } = options;
+
+  const uppercaseChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  const lowercaseChars = "abcdefghijklmnopqrstuvwxyz";
+  const numberChars = "0123456789";
+  const symbolChars = "!@#$%^&*()_+-=[]{}|;:,.<>?";
+
+  let charset = "";
+  const requiredChars: string[] = [];
+
+  if (uppercase) {
+    charset += uppercaseChars;
+    const char = uppercaseChars[getSecureRandomInt(uppercaseChars.length)];
+    if (char) requiredChars.push(char);
+  }
+  if (lowercase) {
+    charset += lowercaseChars;
+    const char = lowercaseChars[getSecureRandomInt(lowercaseChars.length)];
+    if (char) requiredChars.push(char);
+  }
+  if (numbers) {
+    charset += numberChars;
+    const char = numberChars[getSecureRandomInt(numberChars.length)];
+    if (char) requiredChars.push(char);
+  }
+  if (symbols) {
+    charset += symbolChars;
+    const char = symbolChars[getSecureRandomInt(symbolChars.length)];
+    if (char) requiredChars.push(char);
+  }
+
+  if (charset === "") {
+    throw new Error("At least one character set must be enabled");
+  }
+
+  // Generate remaining characters
+  const remainingLength = length - requiredChars.length;
+  if (remainingLength < 0) {
+    throw new Error(
+      "Password length must be at least the number of required character sets"
+    );
+  }
+
+  const password = [...requiredChars];
+  for (let i = 0; i < remainingLength; i++) {
+    const randomIndex = getSecureRandomInt(charset.length);
+    const char = charset[randomIndex];
+    if (char) password.push(char);
+  }
+
+  // Shuffle the password array (Fisher-Yates)
+  for (let i = password.length - 1; i > 0; i--) {
+    const j = getSecureRandomInt(i + 1);
+    [password[i], password[j]] = [password[j]!, password[i]!];
+  }
+
+  return password.join("");
+}
+
+export type PasswordStrength = "weak" | "medium" | "strong" | "very-strong";
+
+export interface PasswordStrengthResult {
+  strength: PasswordStrength;
+  score: number; // 0-100
+  feedback: string[];
+}
+
+/**
+ * Assess password strength
+ *
+ * Checks for:
+ * - Length (minimum 8 characters)
+ * - Character diversity (uppercase, lowercase, numbers, symbols)
+ * - Common patterns (e.g., "12345", "password")
+ *
+ * @param password - Password to assess
+ * @returns Strength assessment
+ *
+ * @example
+ * ```ts
+ * const result = assessPasswordStrength("MyP@ssw0rd!");
+ * console.log(result.strength); // "strong"
+ * console.log(result.score); // 85
+ * ```
+ */
+export function assessPasswordStrength(
+  password: string
+): PasswordStrengthResult {
+  const feedback: string[] = [];
+  let score = 0;
+
+  // Length check
+  if (password.length < 8) {
+    feedback.push("Password should be at least 8 characters");
+  } else if (password.length >= 8 && password.length < 12) {
+    score += 20;
+  } else if (password.length >= 12 && password.length < 16) {
+    score += 30;
+  } else {
+    score += 40;
+  }
+
+  // Character diversity
+  const hasUppercase = /[A-Z]/.test(password);
+  const hasLowercase = /[a-z]/.test(password);
+  const hasNumbers = /[0-9]/.test(password);
+  const hasSymbols = /[^A-Za-z0-9]/.test(password);
+
+  const diversityCount = [
+    hasUppercase,
+    hasLowercase,
+    hasNumbers,
+    hasSymbols,
+  ].filter(Boolean).length;
+
+  if (diversityCount === 1) {
+    score += 10;
+    feedback.push("Use a mix of uppercase, lowercase, numbers, and symbols");
+  } else if (diversityCount === 2) {
+    score += 20;
+    feedback.push("Add more character types for better security");
+  } else if (diversityCount === 3) {
+    score += 30;
+  } else if (diversityCount === 4) {
+    score += 40;
+  }
+
+  // Common patterns check
+  const commonPatterns = [
+    "password",
+    "123456",
+    "qwerty",
+    "abc123",
+    "letmein",
+    "welcome",
+    "monkey",
+    "admin",
+    "login",
+    "passw0rd",
+  ];
+
+  const lowerPassword = password.toLowerCase();
+  if (commonPatterns.some((pattern) => lowerPassword.includes(pattern))) {
+    score = Math.max(0, score - 30);
+    feedback.push("Avoid common words and patterns");
+  }
+
+  // Sequential characters
+  if (/(.)\1{2,}/.test(password)) {
+    score = Math.max(0, score - 10);
+    feedback.push("Avoid repeating characters");
+  }
+
+  // Cap score at 100
+  score = Math.min(100, score);
+
+  // Determine strength category
+  let strength: PasswordStrength;
+  if (score < 30) {
+    strength = "weak";
+  } else if (score < 60) {
+    strength = "medium";
+  } else if (score < 80) {
+    strength = "strong";
+  } else {
+    strength = "very-strong";
+  }
+
+  return { strength, score, feedback };
+}