Generate passwords with Alfred
Latest commit ed0a6c8 Feb 26, 2017 @deanishe Fix issue number

Alfred Password Generator

Generate secure random passwords from Alfred. Uses /dev/urandom as source of entropy.

Alfred Password Generator Demo


  • Passwords can be generated based on strength or length.
  • Offers multiple generators, including based on real words and pronounceable pseudo-words generated with Markov chains.
  • Shows the strength of each generated password.
  • More convenient that 1Password or the like.
  • More dependable than online generators.



Download from the GitHub releases or Packal and double-click the downloaded file to install.


  • pwgen [<strength>] — Generate passwords of specified strength. Default is 3 (96 bits of entropy). See Password strength for details.
    • or ⌘+C — Copy the selected password to the clipboard.
    • ⌘+↩ — Copy the selected password to the clipboard and paste it to the frontmost application.
    • ⌘+L — Show the selected password in Alfred's Large Text window.
  • pwlen [<length>] — Generate passwords of specified length. Default is 20. See Password strength for details.
    • or ⌘+C — Copy the selected password to the clipboard.
    • ⌘+↩ — Copy the selected password to the clipboard and paste it to the frontmost application.
    • ⌘+L — Show the selected password in Alfred's Large Text window.
  • pwconf [<query>] — View and edit workflow settings. See Configuration for details.

Note: Word-based generators may provide passwords that are slightly longer than <length>.

Password strength

Passwords can be specified either by strength or length. The default strength is 3, which is at least 96 bits of entropy (each level is 32 bits). You may also specify the desired number of bits by appending b to your input, e.g. pwgen 128b will provide at least 128 bits of entropy.

Default length is 20 characters, which can provide ~50 to ~130 bits of entropy depending on generator.

Each password has its strength in the result subtitle. This is shown either as a bar or in bits of entropy, depending on your settings. Each full block in the bar represents 32 bits of entropy. The icon shown next to each password also reflects its strength:

Icon Strength (bits of entropy)
Strength >= 96b
Strength > 64b and < 96b
Strength <= 64b


"Entropy" is cryptographese for "randomness".

How strong should my passwords be?

That depends on what you're using it for and how long you want it to remain secure. As of 2015, custom password-guessing hardware (built from standard PC components) can guess >45 billion passwords per second.

The average number of guesses required to crack a password with n bits of entropy is 2n-1, so 2,147,483,647 guesses for a 32-bit password. Or 0.048 seconds with the above hardware.

Fortunately, every added bit doubles the amount of entropy, so 64 bits is a good deal stronger: 6.5 years on average to guess on the same hardware.

Level Min. entropy Av. time to guess * Application
1 32 bits 0.048 seconds Stuff you want to be super easy to crack?
2 64 bits 6.5 years Web accounts, WiFi passwords
3 96 bits 280 million years Almost anything
4 128 bits billions of times the age of the universe Toppest-secret stuff, e.g. encryption keys **

* = based on 45 billion guesses per second.
** = symmetric encryption keys. SSL certificates, for example, use asymmetric keys, which offer much less security per bit. A 1024-bit RSA key has roughly equivalent security to an 80-bit symmetric key.

The default password strength level of 3 (96 bits) provides very secure passwords.

The default password length of 20 characters provides reasonably to very secure passwords, depending on the generator.

Displayed strength

By default, the strength of generated passwords is shown as a bar in the result subtitle. Each full block represents 32 bits of entropy, so 2 blocks represents a pretty secure password, 3 or more a very secure password.

You can have the precise number of bits displayed instead by toggling the "Strength Bar" setting in the Configuration (keyword pwconf).

How can passwords of the same length have different levels of security?

Passwords of the same length (or even the self-same password) generated using different techniques have different strengths because the strength is determined by the permutations in the algorithm and the password length, not the password itself.

For example, the single-digit password 1 has an entropy of 3.32 bits when generated by the Numeric algorithm because it is one of only 10 possible one-digit passwords. The same password generated by the ASCII algorithm has an entropy of 5.95 bits because it is one of 62 possible one-character passwords.

Of course, that's just in theory. A password generated by the German generator is theoretically more secure than the same password generated by the ASCII-only one because the former has more possible passwords of any given length. That only holds in practice if an attacker is also guessing passwords based on the German alphabet. If they're guessing based on ASCII, and the password only contains ASCII characters, the password is naturally as easily guessed as if it had been generated by the ASCII generator.

See Password strength on Wikipedia for more information.


Access the configuration options with the pwconf keyword. You can use an optional query to filter the available options, e.g. use pwconf gen to show only the available generators.

The following configuraton options are available:

Open Help

Action this item to open this README in your browser.

An Update is Available / No Update is Available

The workflow checks for a new version once a day. If one is available, "An Update is Available" will be shown. Action this item to install the update.

If no update is available, "No Update is Available" will be shown. Action this item to force a check for an update.

Default Password Strength

The default strength for passwords generated with pwgen. For strength n, passwords will have n*32 bits of entropy. Default is 3, which should be proof against anything but the NSA. 4 will generate extremely secure passwords.

Action this item to enter a new default strength.

Default Password Length

The default length in characters for passwords generated with pwlen. The default of 20 provides passwords that are reasonably to very secure, depending on the generator.

Action this item to enter a new default length.

Strength Bar

By default, password strength is indicated by a number of blocks. Each full block represents 32 bits of entropy, so 3 blocks is secure, 4 is very secure. Less that 3 blocks should be avoided.

Alternatively, strength can be shown as the number of bits of entropy.

Action this item to toggle the strength bar on/off.


All the available generators are listed below the other options.

Active generators have a checked green circle as their icon, inactive ones have an empty red circle icon.

Action a generator to toggle it on or off.

Built-in generators

See below for details of how to add your own custom generators.

The workflow includes 10 built-in generators, of which 6 are active by default. You can activate/deactivate them in the Configuration.

Note: Word-based password generators return passwords with their component words joined by hyphens. These hyphens are not included in the calculation of the password strength, so removing them will leave you with a password of the stated strength.

Active generators

These generators are active by default.

ASCII Generator

Generates passwords based on all ASCII characters, minus a few punctuation marks that can be hard to type, such as \`~ (backslash, backtick, tilde).

Alphanumeric Generator

Generates passwords from ASCII letters and digits. No punctuation.

Clear Alphanumeric Generator

Generates passwords from ASCII letters and digits, excluding the easily-confused characters lO01 (lowercase L, uppercase O, the digits 1 and 0).

Numeric Generator

Generates digit-only passwords.

Pronounceable Nonsense Generator

Generates pronounceable passwords based on nonsense words. Based on this Stack Overflow answer.

Dictionary Generator

Generates passwords based on the words in /usr/share/dict/words.

Inactive generators

These generators are inactive by default. They can be turned on in the Configuration.

Pronounceable Markov Generator

Generates semi-pronounceable passwords based on Markov chains and the start of A Tale of Two Cities.

Has slightly more entropy than the Pronounceable Nonsense generator, but the passwords aren't quite as pronounceable.

Hexadecimal Generator

Generate passwords using hexadecimal characters (0-9, a-f).

German Generator

Generate passwords using the German alphabet, digits and punctuation.

German Alphanumeric Generator

Generate passwords using the German alphabet and digits without punctuation.

German Pronounceable Markov Generator

Generates semi-pronounceable passwords based on Markov chains and the start of Buddenbrooks.

Custom generators

You can easily add your own custom password generators. These must be placed in the directory ~/Library/Application Support/Alfred 2/Workflow Data/net.deanishe.alfred-pwgen/generators/. If you put your custom generators in the workflow itself, they will be deleted when the workflow is updated. You can quickly open up the above directory by entering the Alfred-Workflow magic argument workflow:opendata as your query, e.g. pwconf workflow:opendata.

Note: Your generators will be deactivated by default. You must manually activate them using pwconf to use them.

Modules containing your custom generators must be named

Only files matching the pattern gen_*.py will be imported.

Your generator classes must subclass generators.PassGenBase or generators.WordGenBase, which are abstract base classes, and must have id, name, description and data properties. These have the following purposes:

Property Purpose
id Short name for your generator; used internally.
name The human-readable name; shown in the configuration.
description The longer description shown beneath the generator name in the configuration.
data Return a sequence of the characters to generate passwords from.

The data property is used by the entropy property and password() method on the PassGenBase base class.

PassGenBase is designed for character-based passwords, i.e. data returns a string or other sequence of single characters. WordGenBase is for word-based passwords, i.e. data returns a sequence of multi-character strings. The main difference is in the implementation of length-based passwords.

Important: data must return a sequence (string, list or tuple) not a generator or set. If random.choice() chokes on it, it's no good.


A generator to produce German passwords (i.e. possibly including letters like 'ü' or 'ä'):

import string
from generators import PassGenBase, punctuation
# punctuation is `string.punctuation` minus a few
# problematic/hard-to-type symbols (e.g. backslash)

class GermanGenerator(PassGenBase):
    """Generate passwords containing umlauts."""

    def id(self):
        return 'deutsch'

    def name(self):
        return 'German'

    def description(self):
        return 'German alphabet, digits and punctuation'

    def data(self):
        return string.ascii_letters + string.digits + punctuation + 'üäöÜÄÖß'

A word-based generator to produce Swedish passwords might look like this:

from generators import WordGenBase

class BorkGenerator(WordGenBase):

    def id(self):
        return 'bork'

    def name(self):
        return 'Bork'

    def description(self):
        return 'Borked password generator'

    def data(self):
        return ['bork', 'bork', 'bork']

Licensing, thanks

This workflow is released under the MIT Licence, which is included as the LICENCE file.

The code for the Markov chain comes from a SimonSapin snippet, and the gibberish-generating code is from a Greg Haskins StackOverflow answer.

It is heavily based on the Alfred-Workflow library, also released under the MIT Licence.

The workflow icon is from the Elusive Icons webfont (licence).

The other icons are based on the Font Awesome webfont (licence).


Version 1.0 (2015-07-28)

Initial release

Version 1.1 (2015-07-28)

  • Replace default Markov pronounceable generator with gibberish
  • Rename Dictionary generator module
  • Add licence and licensing info
  • Improve usage description in README
  • Add generator descriptions to README
  • Add strength bar toggle to configuration
  • Improve filtering in configuration

Version 1.2 (2015-07-31)

  • Add separate base class for word-based generators
  • Add custom (user) generator support
  • Refactor built-in generators

Version 1.3 (2015-11-03)

  • Change id_ property of generators to id

Version 2.0 (2017-02-26)

  • Icons reflect password strength
  • Alfred 3 only
  • Option to turn notifications off #3
  • Fix syntax error #5