https://github.com/didrod205/entropass
Generate strong, bias-free passwords (random/pronounceable/PIN) and measure strength — entropy & crack time — 100% locally. Zero deps. Web app + library.
https://github.com/didrod205/entropass
crypto csprng entropy passphrase password password-generator password-strength secure-random security zero-dependency
Last synced: 11 days ago
JSON representation
Generate strong, bias-free passwords (random/pronounceable/PIN) and measure strength — entropy & crack time — 100% locally. Zero deps. Web app + library.
- Host: GitHub
- URL: https://github.com/didrod205/entropass
- Owner: didrod205
- License: mit
- Created: 2026-05-30T12:05:55.000Z (28 days ago)
- Default Branch: main
- Last Pushed: 2026-06-02T03:24:08.000Z (25 days ago)
- Last Synced: 2026-06-02T05:12:22.008Z (25 days ago)
- Topics: crypto, csprng, entropy, passphrase, password, password-generator, password-strength, secure-random, security, zero-dependency
- Language: TypeScript
- Homepage: https://didrod205.github.io/entropass/
- Size: 52.7 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
README
# 🔐 entropass
### Generate strong, bias-free passwords — and actually measure their strength. Locally.
[](https://www.npmjs.com/package/entropass)
[](https://bundlephobia.com/package/entropass)
[](https://github.com/didrod205/entropass/actions/workflows/ci.yml)
[](https://www.npmjs.com/package/entropass)
[](./LICENSE)
**[🌐 Try the free web app →](https://didrod205.github.io/entropass/)** · generate & test passwords in your browser. Nothing is ever sent anywhere.
---
Two uncomfortable truths about passwords:
1. **Most online password generators are a terrible idea.** You're asking a
stranger's server to mint (and potentially log) your secret. A password tool
should run on *your* machine.
2. **Most password code is subtly insecure.** The everyday `chars[random % chars.length]`
has **modulo bias** — some characters become more likely than others, shrinking
the real keyspace. It "looks random," but it isn't uniform.
**entropass** fixes both. It uses the platform CSPRNG with **rejection sampling**
for truly uniform, bias-free output, tells you the **exact entropy and crack
time** of what it makes, and runs **100% locally** — zero dependencies, no
network, no API key.
> 📸 _Screenshot / demo GIF:_ `./web/screenshot.png` — record the [live app](https://didrod205.github.io/entropass/) generating a password and the strength bar reacting to options.
## Why it exists
- **AI can't do this.** A language model literally cannot produce
cryptographically secure randomness — its output is predictable. Secure
passwords must come from a CSPRNG, generated correctly. That's a precise,
security-critical job for a small, audited tool.
- **Bias-free by construction.** Rejection sampling removes the modulo bias that
plagues naive generators, so every character is equally likely.
- **It quantifies strength.** Not a vague "weak/strong" guess — real entropy in
bits and an estimated crack time, so "looks complex" stops fooling anyone.
## Who it's for
**Everyone needs passwords:** developers (generate secrets/tokens/test fixtures
without a heavy dep), designers, marketers, ops and creators making accounts
daily, and anyone who wants a trustworthy, **offline** generator.
## Install
**No install —** just open the **[web app](https://didrod205.github.io/entropass/)**.
**Command line:**
```bash
npx entropass -l 24 --symbols # a strong 24-char password
npx entropass --pronounceable # easier to type/remember
npx entropass strength "hunter2" # rate an existing password
```
**Library:**
```bash
npm install entropass
```
Zero dependencies. ESM + CJS + TypeScript types. Runs in the browser, Node 20+, Deno and Bun.
## CLI
```bash
entropass [options] # generate (default: a strong 16-char password)
entropass strength # rate it (label + crack-time)
```
Options: `-l/--length`, `-n/--count`, `--symbols`, `--no-digits/uppercase/lowercase`,
`--no-ambiguous`, `--pronounceable`, `--pin`, `--bits`. Uses a cryptographic RNG;
nothing is transmitted.
## Usage
```ts
import { generate, generatePronounceable, generatePin, strength } from "entropass";
generate({ length: 20, symbols: true });
// { password: "…", entropyBits: 131.0, poolSize: 90 }
generate({ length: 16, symbols: false, excludeAmbiguous: true });
// no O/0, l/1/I … (easier to read & type)
generatePronounceable({ length: 14 }); // { password: "Kobiranuxe83", … } — typeable
generatePin(6); // { password: "402915", … }
strength("correct horse battery staple");
// { entropyBits: …, label: "Strong", poolSize: …, crackTime: { text: "centuries" } }
```
### Measure entropy & crack time
```ts
import { entropyBits, estimateCrackTime, strength } from "entropass";
entropyBits(94, 16); // 104.87 (length × log2(pool))
estimateCrackTime(80).text; // human-readable estimate
strength("Password123!").label; // honest assessment (patterns are discounted)
```
### Unbiased randomness primitives
```ts
import { randomInt, randomItem, shuffle } from "entropass";
randomInt(6); // 0–5, uniform, no modulo bias
randomItem(["a", "b", "c"]);
shuffle([1, 2, 3, 4, 5]); // secure Fisher–Yates
```
## API
| Function | Description |
| -------- | ----------- |
| `generate(options?)` | Random password; returns `{ password, entropyBits, poolSize }`. |
| `generatePronounceable(options?)` | Typeable consonant/vowel password. |
| `generatePin(length?)` | Numeric PIN. |
| `strength(password, gps?)` | Estimate entropy, label & crack time of any password. |
| `entropyBits(poolSize, length)` | Entropy for a uniform secret. |
| `estimateCrackTime(bits, gps?)` | Average crack time at `gps` guesses/sec. |
| `randomInt` / `randomItem` / `shuffle` | Bias-free CSPRNG primitives. |
`GenerateOptions`: `length`, `lowercase`, `uppercase`, `digits`, `symbols`,
`excludeAmbiguous`, `excludeChars`, `requireEachClass`.
## FAQ
**Is my password sent anywhere?**
No. Generation and strength checks happen entirely on your device — no server, no
telemetry, works offline. (That's the whole point.)
**What's "modulo bias" and why should I care?**
If you map a random 32-bit number into an alphabet with `value % length`, and the
alphabet size doesn't divide 2³², lower indices get chosen slightly more often.
entropass rejects out-of-range samples so every character is equally likely.
**How is crack time estimated?**
Average guesses (half the keyspace) divided by an attacker's rate (default 10
billion guesses/sec, a fast offline attack). It's an estimate to build intuition,
not a guarantee.
**How accurate is the strength meter for my own password?**
It estimates the character pool and discounts obvious repeats and sequences
(`aaaa`, `abc123`). It's a lightweight, dependency-free model — directional, not a
substitute for not reusing passwords and using a manager.
**Should I still use a password manager?**
Yes! entropass generates strong secrets; a manager stores them. Great together.
## Contributing
Contributions welcome! See [CONTRIBUTING.md](./CONTRIBUTING.md) and the
[Code of Conduct](./CODE_OF_CONDUCT.md).
```bash
git clone https://github.com/didrod205/entropass.git
cd entropass
npm install
npm test # run the suite
npm run dev # run the web app locally
```
## 💖 Sponsor
entropass is free, MIT-licensed, and built in spare time. If it gave you
passwords you can trust, please consider supporting it:
- ⭐ **Star this repo** — free, and it genuinely helps others find it.
- 🍋 **[Sponsor via Lemon Squeezy](https://elab-studio.lemonsqueezy.com/checkout/buy/5d059b89-51d0-456b-b33a-ed56994f7010)** — one-time or recurring support.
**Where your support goes:** a wordlist-based passphrase mode (EFF diceware),
a stronger pattern-aware strength model, a CLI, a browser-extension build,
keeping the free web app online, and fast issue responses.
## License
[MIT](./LICENSE) © entropass contributors