Secure Password Generation
Not all random is created equal. Here's how to generate passwords properly.
Bad: Math.random()
// ❌ NEVER use Math.random() for security
function badPassword(length) {
const chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
let result = '';
for (let i = 0; i < length; i++) {
result += chars[Math.floor(Math.random() chars.length)];
}
return result;
}
// Why it's bad:
// - Predictable (seeded by timestamp)
// - Not cryptographically secure
// - Can be reverse-engineered
Good: Web Crypto API
// ✅ Browser-safe secure random
function generatePassword(length = 16) {
const charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&';
const randomValues = new Uint32Array(length);
crypto.getRandomValues(randomValues);
return Array.from(randomValues)
.map(v => charset[v % charset.length])
.join('');
}Good: Node.js crypto
import crypto from 'crypto';
// ✅ Node.js secure random
function generatePassword(length = 16) {
const charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&';
const bytes = crypto.randomBytes(length);
return Array.from(bytes)
.map(b => charset[b % charset.length])
.join('');
}
// Or use randomInt for unbiased selection
function generatePasswordUnbiased(length = 16) {
const charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&';
let password = '';
for (let i = 0; i < length; i++) {
password += charset[crypto.randomInt(charset.length)];
}
return password;
}
Passphrase Generation
const wordlist = ['correct', 'horse', 'battery', 'staple', ...]; // Use EFF wordlist
function generatePassphrase(wordCount = 4) {
const bytes = crypto.randomBytes(wordCount 2);
const words = [];
for (let i = 0; i < wordCount; i++) {
const index = bytes.readUInt16BE(i 2) % wordlist.length;
words.push(wordlist[index]);
}
return words.join('-');
}
// Output: "correct-horse-battery-staple"