A modern password and passphrase generator that runs in the browser. Generation is entirely client-side; secrets are never sent to this app’s server.
| Password mode | Length, upper/lowercase, digits, symbols, and optional exclusion of ambiguous characters (0, O, l, I, etc.) |
| Passphrase | BIP39 English wordlist; word count, separator (space, hyphen, dot), optional capitalization |
| Entropy | Approximate strength in bits with a plain-language label |
| Have I Been Pwned | Optional breach check: only the first 5 hex characters of the SHA-1 hash are sent to the API (k-anonymity) |
| UI | Dark / light theme, copy to clipboard, responsive layout |
- Randomness:
crypto.getRandomValuesplus rejection sampling to avoid modulo bias (randomIntBelow). - Generated passwords and passphrases are not persisted by this application’s server; they live in memory until you leave or refresh the page (browser-dependent).
- With Pwned checking enabled, the full password still never leaves your device; only the prefix required by HIBP’s range API is transmitted.
For high-value accounts, prefer a hardware key or a trusted password manager when possible; this tool is for fast, transparent generation.
- Next.js 16 (App Router)
- React 19
- TypeScript
- Tailwind CSS 4
npm install
npm run devOpen http://localhost:3000 in your browser.
npm run build # production build
npm run start # run the production server
npm run lint # ESLintsrc/
├── app/
├── components/
│ └── KeyForgeApp.tsx
└── lib/
├── char-pools.ts
├── generate-password.ts
├── generate-passphrase.ts
├── password-entropy.ts
├── pwned-check.ts
└── secure-random.ts
See the Next.js deployment guide—for example host the output of npm run build on Vercel.
If the repository has no LICENSE file, add one that matches how you want others to use the project.