A secure, deterministic password generator with both CLI and interactive modes. Generate high-quality passwords using a master passphrase.
- Dual Mode: CLI for automation, interactive terminal UI when run without arguments
- Deterministic Generation: Same master passphrase + site = same password
- High Entropy: Uses ChaCha20 PRNG seeded with SHA-256 hash
- Customizable Character Sets: Lowercase, uppercase, digits, special characters
- Ambiguous Character Filtering: Optionally exclude confusing characters (0/O, 1/l/I)
- Pronounceable Passwords: Generate memorable, pronounceable passwords
- Entropy Calculation: Shows password strength in bits
- Site-Specific Passwords: Generate unique passwords for each service
cargo install passgengit clone https://github.com/RustSandbox/passgen.git
cd passgen
cargo build --releaseThe binary will be available at ./target/release/passgen.
Simply run without arguments:
./target/release/passgenThe interactive mode will guide you through:
- Site/service name (optional)
- Password type (random or pronounceable)
- Password length
- Complexity level or custom character sets
- Number of passwords to generate
- Master passphrase (hidden input)
Basic usage with default settings (20 chars, all character types):
./target/release/passgen
# Will prompt for master passphrase securelyGenerate password for a specific website:
./target/release/passgen --site "github.com" -m "master"Custom length and character sets:
./target/release/passgen -l 32 --site "aws.com" -s falseGenerate pronounceable password:
./target/release/passgen --pronounceable -l 16Multiple passwords:
./target/release/passgen -c 5 --site "work-accounts"-l, --length <N>: Password length (default: 20, minimum: 12)-u, --uppercase: Include uppercase letters (default: true)-d, --digits: Include digits (default: true)-s, --special: Include special characters (default: true)--allow-ambiguous: Allow ambiguous characters (default: false)-c, --count <N>: Number of passwords to generate (default: 1)--site <STRING>: Site/service name for unique passwords--pronounceable: Generate pronounceable passwords--enforce-all-types: Ensure at least one char from each enabled set (default: true)--master: Removed for security - always prompts interactively
- Cryptographically Secure: Uses ChaCha20 PRNG with Argon2id key derivation
- No Password Storage: Passwords are generated on-demand
- Master Passphrase Protection: Never stored, only used for generation
- Secure Key Derivation: Argon2id with 64MB memory cost
- Memory Safety: Sensitive data zeroized after use
- High Default Entropy: 20 chars with 84+ character set = 127+ bits
- Fisher-Yates Shuffle: Ensures uniform distribution
- Version String: Includes version in hash for consistency
- Use a strong, memorable master passphrase
- Use different site names for different services
- Keep password length ≥ 16 characters
- Enable all character types for maximum entropy
- Write down site names if needed (but never the master passphrase)
# Interactive mode for first-time setup
./target/release/passgen
# CLI mode for quick generation
./target/release/passgen --site "github.com" -l 24
./target/release/passgen --site "aws.amazon.com" -l 28
./target/release/passgen --site "gmail.com" -l 20
# Pronounceable password for verbal sharing
./target/release/passgen --pronounceable -l 16 --site "wifi"Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
See SECURITY.md for security policy and vulnerability reporting.
- Master passphrase never accepted via command line
- Argon2id key derivation (64MB, 3 iterations)
- Automatic memory zeroization
- Input validation and bounds checking
- No password storage
- Uses ChaCha20 PRNG for cryptographically secure random number generation
- Argon2id for secure key derivation
- Built with Rust for memory safety and performance
- Zeroize crate for secure memory handling