Generate secure random passwords from Alfred. Uses /dev/urandom
as source of entropy.
- Passwords can be generated based on strength or length.
- Offers multiple generators, including based on real words and pronounceable pseudo-words generated with Markov chains.
- Shows the strength of each generated password.
- More convenient that 1Password or the like.
- More dependable than online generators.
- Copies passwords as "concealed" data by default (so clipboard managers don't record them).
- Installation
- Usage
- Password strength
- Configuration
- Built-in generators
- Custom generators
- Licensing, thanks
- Changelog
Download from the GitHub releases or Packal and double-click the downloaded file to install.
pwgen [<strength>]
— Generate passwords of specified strength. Default is3
(96 bits of entropy). See Password strength for details.↩
— Copy the selected password to the clipboard.⌘↩
— Copy the selected password to the clipboard and paste it to the frontmost application.⌥↩
or⌘C
— Copy the selected password to the clipboard as public data^↩
— Copy the selected password to the clipboard as public data and paste it to the frontmost application.⌘+L
— Show the selected password in Alfred's Large Text window.
pwlen [<length>]
— Generate passwords of specified length. Default is20
. See Password strength for details.↩
— Copy the selected password to the clipboard.⌘↩
— Copy the selected password to the clipboard and paste it to the frontmost application.⌥↩
or⌘C
— Copy the selected password to the clipboard as public data^↩
— Copy the selected password to the clipboard as public data and paste it to the frontmost application.⌘+L
— Show the selected password in Alfred's Large Text window.
pwconf [<query>]
— View and edit workflow settings. See Configuration for details.
Note: Word-based generators may provide passwords that are slightly longer than <length>
.
Passwords can be specified either by strength or length. The default strength is 3
, which is at least 96 bits of entropy (each level is 32 bits). You may also specify the desired number of bits by appending b
to your input, e.g. pwgen 128b
will provide at least 128 bits of entropy.
Default length is 20 characters, which can provide ~50 to ~130 bits of entropy depending on generator.
Each password has its strength in the result subtitle. This is shown either as a bar or in bits of entropy, depending on your settings. Each full block in the bar represents 32 bits of entropy. The icon shown next to each password also reflects its strength:
Icon | Strength (bits of entropy) |
---|---|
Strength >= 96b | |
Strength > 64b and < 96b | |
Strength <= 64b |
"Entropy" is cryptographese for "randomness".
That depends on what you're using it for and how long you want it to remain secure. As of 2015, custom password-guessing hardware (built from standard PC components) can guess >45 billion passwords per second.
The average number of guesses required to crack a password with n bits of entropy is 2n-1, so 2,147,483,647 guesses for a 32-bit password. Or 0.048 seconds with the above hardware.
Fortunately, every added bit doubles the amount of entropy, so 64 bits is a good deal stronger: 6.5 years on average to guess on the same hardware.
Level | Min. entropy | Av. time to guess * | Application |
---|---|---|---|
1 | 32 bits | 0.048 seconds | Stuff you want to be super easy to crack? |
2 | 64 bits | 6.5 years | Web accounts, WiFi passwords |
3 | 96 bits | 280 million years | Almost anything |
4 | 128 bits | billions of times the age of the universe | Toppest-secret stuff, e.g. encryption keys ** |
* = based on 45 billion guesses per second. ** = symmetric encryption keys. SSL certificates, for example, use asymmetric keys, which offer much less security per bit. A 1024-bit RSA key has roughly equivalent security to an 80-bit symmetric key.
The default password strength level of 3 (96 bits) provides very secure passwords.
The default password length of 20 characters provides reasonably to very secure passwords, depending on the generator.
By default, the strength of generated passwords is shown as a bar in the result subtitle. Each full block represents 32 bits of entropy, so 2 blocks represents a pretty secure password, 3 or more a very secure password.
You can have the precise number of bits displayed instead by toggling the "Strength Bar" setting in the Configuration (keyword pwconf
).
Passwords of the same length (or even the self-same password) generated using different techniques have different strengths because the strength is determined by the permutations in the algorithm and the password length, not the password itself.
For example, the single-digit password 1
has an entropy of 3.32 bits when generated by the Numeric algorithm because it is one of only 10 possible one-digit passwords. The same password generated by the ASCII algorithm has an entropy of 5.95 bits because it is one of 62 possible one-character passwords.
Of course, that's just in theory. A password generated by the German generator is theoretically more secure than the same password generated by the ASCII-only one because the former has more possible passwords of any given length. That only holds in practice if an attacker is also guessing passwords based on the German alphabet. If they're guessing based on ASCII, and the password only contains ASCII characters, the password is naturally as easily guessed as if it had been generated by the ASCII generator.
See Password strength on Wikipedia for more information.
Access the configuration options with the pwconf
keyword. You can use an optional query to filter the available options, e.g. use pwconf gen
to show only the available generators.
The following configuraton options are available:
Action this item to open this README in your browser.
The workflow checks for a new version once a day. If one is available, "An Update is Available" will be shown. Action this item to install the update.
If no update is available, "No Update is Available" will be shown. Action this item to force a check for an update.
The default strength for passwords generated with pwgen
. For strength n, passwords will have n*32 bits of entropy. Default is 3
, which should be proof against anything but the NSA. 4
will generate extremely secure passwords.
Action this item to enter a new default strength.
The default length in characters for passwords generated with pwlen
. The default of 20
provides passwords that are reasonably to very secure, depending on the generator.
Action this item to enter a new default length.
By default, password strength is indicated by a number of blocks. Each full block represents 32 bits of entropy, so 3 blocks is secure, 4 is very secure. Less that 3 blocks should be avoided.
Alternatively, strength can be shown as the number of bits of entropy.
Action this item to toggle the strength bar on/off.
All the available generators are listed below the other options.
Active generators have a checked green circle as their icon, inactive ones have an empty red circle icon.
Action a generator to toggle it on or off.
See below for details of how to add your own custom generators.
The workflow includes 10 built-in generators, of which 6 are active by default. You can activate/deactivate them in the Configuration.
Note: Word-based password generators return passwords with their component words joined by hyphens. These hyphens are not included in the calculation of the password strength, so removing them will leave you with a password of the stated strength.
These generators are active by default.
Generates passwords based on all ASCII characters, minus a few punctuation marks that can be hard to type, such as \`~ (backslash, backtick, tilde).
Generates passwords from ASCII letters and digits. No punctuation.
Generates passwords from ASCII letters and digits, excluding the easily-confused characters lO01 (lowercase L, uppercase O, the digits 1 and 0).
Generates digit-only passwords.
Generates pronounceable passwords based on nonsense words. Based on this Stack Overflow answer.
Generates passwords based on the words in /usr/share/dict/words
.
These generators are inactive by default. They can be turned on in the Configuration.
Generates semi-pronounceable passwords based on Markov chains and the start of A Tale of Two Cities.
Has slightly more entropy than the Pronounceable Nonsense generator, but the passwords aren't quite as pronounceable.
Generate passwords using hexadecimal characters (0-9, a-f).
Generate passwords using the German alphabet, digits and punctuation.
Generate passwords using the German alphabet and digits without punctuation.
Generates semi-pronounceable passwords based on Markov chains and the start of Buddenbrooks.
You can easily add your own custom password generators. These must be placed in the directory ~/Library/Application Support/Alfred 2/Workflow Data/net.deanishe.alfred-pwgen/generators/
. If you put your custom generators in the workflow itself, they will be deleted when the workflow is updated. You can quickly open up the above directory by entering the Alfred-Workflow magic argument workflow:opendata
as your query, e.g. pwconf workflow:opendata
.
Note: Your generators will be deactivated by default. You must manually activate them using pwconf
to use them.
Modules containing your custom generators must be named gen_XXX.py
.
Only files matching the pattern gen_*.py
will be imported.
Your generator classes must subclass generators.PassGenBase
or generators.WordGenBase
, which are abstract base classes, and must have id
, name
, description
and data
properties. These have the following purposes:
Property | Purpose |
---|---|
id |
Short name for your generator; used internally. |
name |
The human-readable name; shown in the configuration. |
description |
The longer description shown beneath the generator name in the configuration. |
data |
Return a sequence of the characters to generate passwords from. |
The data
property is used by the entropy
property and password()
method on the PassGenBase
base class.
PassGenBase
is designed for character-based passwords, i.e. data
returns a string or other sequence of single characters. WordGenBase
is for word-based passwords, i.e. data
returns a sequence of multi-character strings. The main difference is in the implementation of length-based passwords.
Important: data
must return a sequence (string
, list
or tuple
) not a generator or set
. If random.choice()
chokes on it, it's no good.
A generator to produce German passwords (i.e. possibly including letters like 'ü' or 'ä'):
import string
from generators import PassGenBase, punctuation
# punctuation is `string.punctuation` minus a few
# problematic/hard-to-type symbols (e.g. backslash)
class GermanGenerator(PassGenBase):
"""Generate passwords containing umlauts."""
@property
def id(self):
return 'deutsch'
@property
def name(self):
return 'German'
@property
def description(self):
return 'German alphabet, digits and punctuation'
@property
def data(self):
return string.ascii_letters + string.digits + punctuation + 'üäöÜÄÖß'
A word-based generator to produce Swedish passwords might look like this:
from generators import WordGenBase
class BorkGenerator(WordGenBase):
"""Bork-bork-bork"""
@property
def id(self):
return 'bork'
@property
def name(self):
return 'Bork'
@property
def description(self):
return 'Borked password generator'
@property
def data(self):
return ['bork', 'bork', 'bork']
This workflow is released under the MIT Licence, which is included as the LICENCE file.
The code for the Markov chain comes from a SimonSapin snippet, and the gibberish-generating code is from a Greg Haskins StackOverflow answer.
It is heavily based on the Alfred-Workflow library, also released under the MIT Licence.
The workflow icon is from the Elusive Icons webfont (licence).
The other icons are based on the Font Awesome webfont (licence).
Initial release
- Replace default Markov pronounceable generator with gibberish
- Rename Dictionary generator module
- Add licence and licensing info
- Improve usage description in README
- Add generator descriptions to README
- Add strength bar toggle to configuration
- Improve filtering in configuration
- Add separate base class for word-based generators
- Add custom (user) generator support
- Refactor built-in generators
- Change
id_
property of generators toid
- Icons reflect password strength
- Alfred 3 only
- Option to turn notifications off #3
- Fix syntax error #5
- Fix paste #7
- Fix hanging background processes #4
- New icons
- Default to "concealed" copy so clipboard managers will ignore the passwords
- Update dependencies
- Update dependencies
- Add Alfred 4 support