Back to Password Generator

How Nodeblue Password Generator works

This page starts with plain language and gives technical detail where it helps. The focus is simple: local generation, clear trust boundaries, and controls that scale from everyday use to strict requirements.

The short version: generation happens in your browser, randomness comes from crypto.getRandomValues(), and shared URLs contain settings only, never generated passwords.

At a glance

Local by design

Passwords and passphrases are generated in-browser. The app does not send generated values to a server.

Three generation modes

Use Random mode, Passphrase mode, or the Builder for custom patterns and restrictive site rules.

Shareable configuration

URLs store mode and settings so presets can be bookmarked or shared. Generated output is not encoded in links.

Auditable behavior

No external scripts or runtime frameworks. Logic is readable and intentionally straightforward.

Choose your depth

Quick understanding

Read the four cards above and the flow below to understand what the generator does and what stays private.

Technical understanding

Open the deep-dive sections for exact ranges, encoding details, and constraints used by each mode.

Generation flow

Each step starts with plain language. Expand technical notes only when you want the implementation-level detail.

1

Choose mode

You
Pick Random, Passphrase, or Builder and adjust options.
Browser
Validates inputs and applies config state locally.
Result
The UI is configured before any generation is attempted.
Technical details

Random length supports 4-128 characters. Passphrase mode supports 3-10 words with optional length constraints. Builder mode assembles output from ordered pill tokens.

2

Generate

You
Click Generate or regenerate from multi-option view.
Browser
Uses cryptographic randomness to select words, characters, separators, and optional modifiers.
Result
A password or passphrase is produced fully in your tab.
Technical details

Randomness uses crypto.getRandomValues() with rejection sampling to avoid modulo bias. Random mode can enforce per-set inclusion and retry constraint checks before fallback output.

3

Assess strength

You
Review entropy, crack-time estimate, and strength label.
Browser
Calculates entropy from observed character pools or passphrase settings.
Result
You can tune length and composition before copying.
Technical details

Strength labels map to thresholds: Basic (<40 bits), Good (<64), Strong (<100), Excellent (100+). Crack-time estimates use a conservative high-speed attack baseline for context.

4

Use or share setup

You
Copy the generated value or share the settings link.
Browser
Encodes configuration into the URL hash and keeps history in local in-memory state.
Result
Shared links reproduce settings, not generated secrets.
Technical details

State is serialized into a compact base64url hash format, with optional builder recipe data. Password history is capped to the current session and not persisted to a backend.

Deep dive (expand as needed)

Random mode details

Random mode combines enabled sets (uppercase, lowercase, numbers, symbols, emojis), applies optional exclusion filters, and can require at least one character from each selected set.

Optional pattern checks block consecutive duplicates and simple sequences where possible, with bounded retry attempts to avoid stalls.

Passphrase mode details

Passphrase mode draws from a local dictionary and supports word count or optional target length ranges, plus controls for separators, casing, numbers, symbols, emojis, and light leetspeak transforms.

The dictionary file is lazy-loaded so initial page load stays fast. The browser verifies that file with a pinned integrity hash (SRI) before execution, which helps detect asset-level tampering when the page itself remains trusted.

Entropy uses dictionary metadata when available, with a safe fallback to the EFF Diceware baseline when metadata is unavailable.

Builder mode details

Builder mode creates passwords from ordered pill tokens: word, number, symbol, character, separator, and literal text. Each token has its own options, and output is generated token-by-token.

This is useful for systems with exact format rules that generic random generation cannot easily satisfy.

URL encoding and trust boundaries

Links encode settings in the URL hash, not generated passwords. Hash-based state allows preset sharing without sending secrets to a server.

This tool cannot protect against endpoint compromise such as malware, keyloggers, clipboard leaks, or phishing pages. Treat generated credentials with the same operational care as any secret.

Common questions

Does Nodeblue receive my passwords?

No. Generated passwords and passphrases stay in your browser tab.

What can I safely share?

Share setting URLs for reproducible generation profiles. Do not treat shared settings as shared secrets.

Why are there three modes?

Random mode is fast and general, Passphrase is memorable, and Builder handles strict or unusual format requirements.

Is this an account-based service?

No accounts, no sign-ups, and no analytics scripts. It is a direct-use tool.

Development Approach

This product was built with coding AI assistants as development tools, not as a replacement for engineering judgement. Product direction, security decisions, and quality standards were set and reviewed by Ben Cooper.

The goal is deliberate execution over speed: practical usability, clear trust boundaries, and implementation choices that are understandable and auditable.

Privacy & Terms

No tracking, no analytics, no account data. Standard infrastructure logs may include limited technical metadata for reliability and abuse prevention. This tool is provided as-is. Read the full terms.