79th Unit - Password Generator

Random config

Length 24

Uppercase A-Z min

Lowercase a-z min

Digits 0-9 min

Symbols min

Exclude I l 1 O 0

Custom symbol set

Excluded symbols are never used. Useful when the target system rejects certain characters (SharePoint hates ;, MySQL hates ", router UIs hate #, etc.).

Pattern rejection

Reject 3+ consecutive identical chars Reject 3+ sequential chars (abc, 123) Reject keyboard runs (qwerty, asdfgh, zxcv) Reject common dictionary substrings (password, admin...)

Rejected candidates are re-rolled automatically. Worst-case 200 attempts before giving up.

Passphrase config (EFF diceware wordlist, 7776 words)

Word count 6

Separator Capitalization Append 4-digit number Append a symbol

6 words ≈ 77 bits • 8 words ≈ 103 bits • 10 words ≈ 129 bits (AES-128 equivalent) • 12 words ≈ 155 bits

Encoded bytes config

Byte length 32

Format

32 bytes = 256 bits. Useful for API keys, token secrets, TOTP seeds (base32), Bitwarden sends.

Multiple formats from one seed

Generate once, show in every format (hex + base64 + base64url + base32 + UUID)

Same random bytes, encoded every way. Useful when you do not know which format the target system wants, or when you want to print a seed you can recover into any form later.

PIN config (digits only)

Digits 6

No 3+ consecutive identical digits No 3+ sequential runs (123, 654)

4 digits ≈ 13 bits • 6 ≈ 20 bits • 10 ≈ 33 bits. PINs are inherently weak. Use only where a real password will not fit (phone unlock, SIM, door code).

Template config

Pattern ({N} = N random chars from selected alphabet)

Uppercase Lowercase Digits Symbols

Examples: sk-{32} (OpenAI-style key) • 79U_{16}-{16} (prefixed two-part) • {8}-{8}-{8}-{8} (license-key style). Literal text stays. Only {N} placeholders are filled with secure randomness.

BIP39 seed phrase

Word count

Generated per BIP-0039 with SHA-256 checksum. Valid for Bitcoin / Ethereum / Monero / any BIP39-compliant wallet. Restoring this phrase into a wallet gives access to any funds derived from it. Treat like a root key.

TOTP secret generator

Issuer (service name) Account (username / email) Secret bytes

Output is a base32 secret + otpauth:// URI. Click the QR button above to show it as a scannable code for Google Authenticator, Microsoft Authenticator, Aegis, 2FAS, etc.

Deterministic (master + site)

Security tradeoff Generates a password deterministically from a master + a site identifier via PBKDF2-SHA256 (250,000 iterations). You can regenerate the same password anywhere without storing it. Counterpart: if your master leaks, every site's password leaks with it. Only use this if you understand that tradeoff. A password manager is generally safer.

Master password Site / context Counter (bump to rotate) Output length 24

Output uses upper + lower + digits + symbols. Changing counter or site produces a completely different password. No data is stored anywhere.

Crack time estimates (average case)

Online (throttled, 100/s)	-	-
Offline CPU (1 B/s)	-	-
Offline GPU farm (1 T/s)	-	-
Nation-state ASIC (1 Q/s)	-	-

Session history (in-memory only, last 10)

no history yet

Settings

Auto-clear password on window blur Default-mask new passwords Record generated passwords to session history Strict offline (refuse to generate when network is up)

Verified capabilities

Capability	Evidence
Cryptographic RNG (OS CSPRNG)	crypto.getRandomValues, rejection sampling, no modulo bias
NIST SP 800-22 statistical suite	9 tests passed at 99.9% confidence (monobit, block-freq, runs, longest-run, serial 2- and 3-tuple, Shannon, serial correlation, ApEn)
BIP-0039 seed phrase compliance	20/20 external phrase verification via reference Python implementation
RFC 4648 base32 compliance	7/7 canonical test vectors match
RFC 4122 UUID v4 format	Version bit = 4, variant bit = 8 or 9-b
RFC 6238 TOTP URI format	Spec-compliant otpauth:// with percent-encoded unicode + special chars
SHA-256 implementation	Matches "abc" canonical vector ba7816bf...f20015ad
Uniqueness at scale	100,000 generations, 0 collisions, 9,119 gens/sec
Weak-password resistance	50,000 x 8 weak substrings (password, qwerty, admin, ...), 0 hits
Adversarial fuzz	20 payloads (XSS, SQL, path traversal, null bytes, prototype pollution), 0 errors, 0 pollution
Zero client-side storage	localStorage / sessionStorage / cookies all empty
Zero third-party network	Only same-origin fetches (self-hash + .sig). CSP blocks everything else
CSP posture	default-src 'none'; connect-src 'self'; no external scripts / images / iframes / forms
Signed release	Ed25519, fingerprint 00b95edc...796ceb44 (full key in release-key section below)
TLS transport (hosted)	Let's Encrypt + HSTS 2y preload + COOP/COEP/CORP same-origin

Full audit report: 12 - Gauntlet/tools/Password Generator - Security Audit.md. Re-run instructions included.

Entropy reference

Entropy	Classification	Defeats
< 50 bits	Weak	Online brute force only
50 - 75 bits	OK	Online + modest offline
75 - 100 bits	Strong	Most offline attacks
100 - 128 bits	Military grade	Well-funded offline attacks (STIG / DoD baseline)
≥ 128 bits	AES-128 equivalent	Any classical adversary; matches symmetric cipher strength
≥ 256 bits	Post-quantum hedge	AES-256 equivalent; beyond any practical attack

Password Generator offline

Generated

Random config

Passphrase config (EFF diceware wordlist, 7776 words)

Encoded bytes config

PIN config (digits only)

Template config

BIP39 seed phrase

TOTP secret generator

Deterministic (master + site)

Crack time estimates (average case)

Session history (in-memory only, last 10)

Batch

Settings

Verified capabilities

Entropy reference

Generated mask group

Random config

Passphrase config (EFF diceware wordlist, 7776 words)

Encoded bytes config

PIN config (digits only)

Template config

BIP39 seed phrase

TOTP secret generator

Deterministic (master + site)

Crack time estimates (average case)

Session history (in-memory only, last 10) clear

Batch

Settings

Verified capabilities

Entropy reference

Scan

Generated

Session history (in-memory only, last 10)