Ultra-Secure Password Generator with Dual Physical Entropy Collection
gensecpass3 generates cryptographically strong passwords by combining entropy from two independent physical sources: keyboard input and mouse movement. This dual-channel approach ensures true randomness that cannot be predicted or replicated.
- Dual Entropy Sources: Combines keyboard chaos + mouse movement for maximum unpredictability
- Timing-Based Entropy: Captures nanosecond-precision timing between events
- Protected Memory: Uses memguard to prevent password exposure in RAM
- Age Encryption: Saves passwords encrypted with age (scrypt)
- Secure Wipe: DoD 5220.22-M compliant 7-pass file destruction
- Zero Dependencies at Runtime: Single static binary
gensecpass3 addresses multiple threat vectors:
| Threat | Mitigation |
|---|---|
| Weak PRNG | Physical entropy from human input |
| Memory Forensics | memguard protected buffers with automatic wiping |
| Cold Boot Attacks | Immediate memory destruction on exit |
| File Recovery | DoD 5220.22-M secure wipe |
# Clone repository
git clone https://github.com/yourusername/gensecpass3.git
cd gensecpass3
# Build
go mod tidy
go build -o gensecpass3 .
# Optional: Install system-wide
sudo mv gensecpass3 /usr/local/bin/- Go 1.21+
- filippo.io/age - Modern encryption
- github.com/awnumar/memguard - Secure memory
- github.com/gdamore/tcell/v2 - Terminal UI for mouse capture
- golang.org/x/term - Terminal raw mode
./gensecpass3This launches the dual-challenge entropy collection:
- Challenge 1 - Keyboard Chaos: Type randomly and chaotically
- Challenge 2 - Mouse Chaos: Move mouse in random patterns, click, scroll
After collection, choose to save encrypted or display once.
# Custom password length (default: 16, range: 8-256)
./gensecpass3 -l 32
# Custom output file (default: password.txt.age)
./gensecpass3 -o mypass.age
# Verbose mode (shows entropy statistics)
./gensecpass3 -v
# Show version
./gensecpass3 -version./gensecpass3 -decrypt -encfile password.txt.agePermanently destroy a file using DoD 5220.22-M standard (7-pass overwrite):
./gensecpass3 -wipe -wipefile sensitive.txt- Captures raw keystrokes in terminal raw mode
- Records nanosecond timestamps between keypresses
- Adds both character value and timing delta to entropy pool
- Target: 512 bytes (~57 keystrokes with timing)
- Uses tcell for cross-platform mouse capture
- Collects X/Y coordinates of every movement
- Records click events (left, right, middle)
- Captures scroll wheel events
- Tracks timing between all events
- Visual feedback with progress bar
- Target: 512 bytes
Final Seed = SHA256(
SHA256(keyboard_data + keyboard_timings) ||
SHA256(mouse_data + mouse_timings) ||
crypto/rand(32 bytes)
)
The combination of:
- Human keyboard input (unpredictable characters + timing)
- Human mouse input (unpredictable coordinates + timing)
- System CSPRNG (crypto/rand)
Creates a seed that is computationally infeasible to predict or reproduce.
Generated passwords use 94 printable ASCII characters:
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
!@#$%^&*()-_=+[]{}|;:,.<>?/
Entropy per character: ~6.55 bits
| Length | Entropy |
|---|---|
| 16 | ~104 bits |
| 24 | ~157 bits |
| 32 | ~209 bits |
| 64 | ~419 bits |
- Run in a clean terminal without screen recording
- Use on a trusted, non-compromised system
- Don't run over SSH (timing data becomes network-observable)
- Ensure no keyloggers are present
- Use the encrypted save option for sensitive passwords
This tool does NOT protect against:
- Compromised operating system kernel
- Hardware keyloggers
- Malicious terminal emulators
- Screen capture malware
- Physical observation during generation
MIT License - See LICENSE for details.
Contributions welcome! Please ensure any PRs maintain the security-first approach:
- No reduction in entropy quality
- No logging of sensitive data
- Proper memory handling for all secrets
- Maintain offline-first design
Remember: A password generator is only as secure as the environment it runs in. Use responsibly.