Generate random password string with requirements in javascript

Question

I want to generate a random string that has to have 5 letters from a-z and 3 numbers.

How can I do this with JavaScript?

I've got the following script, but it doesn't meet my requirements.

        var chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
        var string_length = 8;
        var randomstring = '';
        for (var i=0; i<string_length; i++) {
            var rnum = Math.floor(Math.random() * chars.length);
            randomstring += chars.substring(rnum,rnum+1);
        }

If it meets your requirement, what's the question then? Also, your forced password requirement is a bad idea. — Rob W, Mar 15 '12 at 12:22
`new Array(12).fill().map(() => String.fromCharCode(Math.random()*86+40)).join("")` Nifty one liner to produce a 12 char password with special chars upper lower numbers in a very lightweight approach — Tofandel, Oct 25 '19 at 21:36
@algo 8 characters are considered a weak password. An argument could be made that the "standard" length is shifting towards 16. Tho, obviously higher lengths "generally" equal increased security. — Nathan Martin, May 31 '22 at 02:55

Rob W · Accepted Answer · 2014-10-16T23:19:28.043

366

Forcing a fixed number of characters is a bad idea. It doesn't improve the quality of the password. Worse, it reduces the number of possible passwords, so that hacking by bruteforcing becomes easier.

To generate a random word consisting of alphanumeric characters, use:

var randomstring = Math.random().toString(36).slice(-8);

How does it work?

Math.random()                        // Generate random number, eg: 0.123456
             .toString(36)           // Convert  to base-36 : "0.4fzyo82mvyr"
                          .slice(-8);// Cut off last 8 characters : "yo82mvyr"

Documentation for the Number.prototype.toString and string.prototype.slice methods.

edited Oct 16 '14 at 23:19

answered Mar 15 '12 at 12:35

Rob W

328,606
78
779
666

8

I agree, but sometimes you dont get to decide ;) – ffffff01 Mar 15 '12 at 12:40
Could you please explain what's going on in your provided answer? Seems like a nifty trick! – MalSu Nov 23 '12 at 18:20
@zessx Which browser are you using? In FF32, I just checked 10.000.000 and got only 18 duplicates. For your numbers it's basically 0. – user562529 Nov 13 '14 at 19:17
in Chrome, `.toString(36)` gives a base-36 number with 16 fractional digits, but Math.random() does not give enough possibilities to fill this space, so taking the least significant digits results in a reduced set of available strings. Taking the most significant digits is a better way to do this. [Compare here (use Chrome)](http://jsfiddle.net/dbbfmfdL/) – Luke Dec 04 '14 at 03:58
64

DO NOT USE THIS: Since the number is converted from binary to decimal, and there is not enough bits to "fill up" the full decimal space, the last digit will only be selected from a certain set of values. For example, on my computer, the last digit is only ever "i", "r", and "9". Use this instead: `Math.random().toString(36).substr(2, 8)` – Joel Jan 19 '16 at 12:59
3

To explain what 36 does: From [mozilla](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/toString) _The toString() method parses its first argument, and attempts to return a string representation in the specified radix (base). For radixes above 10, the letters of the alphabet indicate numerals greater than 9. For example, for hexadecimal numbers (base 16), a through f are used._ So according to this, using radix 36, we get a-z after 0-9. – Shishir Gupta Jun 01 '16 at 10:45
@RobW: How to include capital letters as well? – Shishir Gupta Jun 02 '16 at 10:18
2

@ShishirGupta `.toString` only accepts a base up to and including 36. This answer is meant as a one-liner for a non-cryptographic random string. If you want to have capitals as well, use `Math.random` (or `crypto.getRandomValues` if available) and map the result to a-z, A-Z, 0-9. For instance using saaj's answer below. – Rob W Jun 02 '16 at 10:37
If Math.random() gives `0.125` the result will be `"0.4i"` (invalid password - no 8 chars) – Kamil Kiełczewski Mar 25 '19 at 20:50
2

Not seeing how this addresses the OP requirement ***"5 letters from a-z and 3 numbers"***. I get it, the author thinks that's a bad idea... but it's the requirement nonetheless – mwag Jun 25 '19 at 16:54

saaj · Answer 2 · 2020-09-27T10:56:34.323

A little more maintainable and secure approach.

An update to expand on what I meant and how it works.

Secure. MDN is pretty explicit about the use of Math.random for anything related to security:

Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.

Looking at the can-i-use for getRandomValues in 2020 you probably don't need the msCrypto and Math.random fallback any more, unless you care about ancient browsers.
Maintainable is mostly about the RegExp _pattern as an easy way to define what character classes you allow in the password. But also about the 3 things where each does its job: defines a pattern, gets a random byte as securely as possible, provides a public API to combine the two.

var Password = {
 
  _pattern : /[a-zA-Z0-9_\-\+\.]/,
  
  
  _getRandomByte : function()
  {
    // http://caniuse.com/#feat=getrandomvalues
    if(window.crypto && window.crypto.getRandomValues) 
    {
      var result = new Uint8Array(1);
      window.crypto.getRandomValues(result);
      return result[0];
    }
    else if(window.msCrypto && window.msCrypto.getRandomValues) 
    {
      var result = new Uint8Array(1);
      window.msCrypto.getRandomValues(result);
      return result[0];
    }
    else
    {
      return Math.floor(Math.random() * 256);
    }
  },
  
  generate : function(length)
  {
    return Array.apply(null, {'length': length})
      .map(function()
      {
        var result;
        while(true) 
        {
          result = String.fromCharCode(this._getRandomByte());
          if(this._pattern.test(result))
          {
            return result;
          }
        }        
      }, this)
      .join('');  
  }    
    
};

<input type='text' id='p'/><br/>
<input type='button' value ='generate' onclick='document.getElementById("p").value = Password.generate(16)'>

Furthermore this doesn't always add a number to the generated code and the OP wants minimum 3. — qwertzman, Oct 18 '16 at 18:15
Found a library that support window.crypto.getRandomValues and works in node.js as well https://github.com/bermi/password-generator — Eugene, Jan 26 '18 at 13:44
Just wanted to say I needed something to generate passwords in a pinch and this was perfect. Thank you! — Kyle K, Apr 17 '19 at 19:49
seems everyone who answered just made a random password gen lol. yours is pretty close if tweaked abit could actually more match the question, change `_pattern` to `_charset` and actually, add a `_pattern` match to determine the condition https://playcode.io/774196/ — Lawrence Cherone, May 28 '21 at 17:21

score 39 · Answer 3 · edited May 23 '17 at 12:18

Many answers (including the original of this one) don't address the letter- and number-count requirements of the OP. Below are two solutions: general (no min letters/numbers), and with rules.

General:

I believe this is better general solution than the above, because:

it's more secure than accepted/highest-voted answer, and also more versatile, because it supports any char set in a case-sensitive manner
it's more concise than other answers (for general solution, 3 lines max; can be one-liner)
it uses only native Javascript- no installation or other libs required

Note that

for this to work on IE, the Array.fill() prototype must be polyfilled
if available, better to use window.crypto.getRandomValues() instead of Math.random() (thanks @BenjaminH for pointing out)

Three-liner:

var pwdChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
var pwdLen = 10;
var randPassword = Array(pwdLen).fill(pwdChars).map(function(x) { return x[Math.floor(Math.random() * x.length)] }).join('');

Or, as one-liner:

var randPassword = Array(10).fill("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz").map(function(x) { return x[Math.floor(Math.random() * x.length)] }).join('');

With Letter / Number Rules

Now, a variation on the above. This will generate three random strings from the given charsets (letter, number, either) and then scramble the result.

Please note the below uses sort() for illustrative purposes only. For production use, replace the below sort() function with a shuffle function such as Durstenfeld.

First, as a function:

function randPassword(letters, numbers, either) {
  var chars = [
   "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", // letters
   "0123456789", // numbers
   "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" // either
  ];

  return [letters, numbers, either].map(function(len, i) {
    return Array(len).fill(chars[i]).map(function(x) {
      return x[Math.floor(Math.random() * x.length)];
    }).join('');
  }).concat().join('').split('').sort(function(){
    return 0.5-Math.random();
  }).join('')
}

// invoke like so: randPassword(5,3,2);

Same thing, as a 2-liner (admittedly, very long and ugly lines-- and won't be a 1-liner if you use a proper shuffle function. Not recommended but sometimes it's fun anyway) :

var chars = ["ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz","0123456789", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"];
var randPwd = [5,3,2].map(function(len, i) { return Array(len).fill(chars[i]).map(function(x) { return x[Math.floor(Math.random() * x.length)] }).join('') }).concat().join('').split('').sort(function(){return 0.5-Math.random()}).join('');

Good answer, but the capital letter Y will never appear in any password you generate. — Ryan Shillington, Mar 31 '17 at 02:52
Thanks. I used the charset in the OP question but looks like it was flawed. Updated now. — mwag, Apr 01 '17 at 04:08
You say "it's more secure than accepted/highest-voted answer". Could you please elaborate on the reason? — BenjaminH, Apr 29 '17 at 15:03
Also the use of Math.random() can be predictable. So for generating passwords better use a function like window.crypto.getRandomValues. — BenjaminH, Apr 29 '17 at 15:04
The reason it is more secure is because it supports is a higher number of possible characters in the output than using toString(36). With a fixed output length (e.g. of 8), if you have a max of 36 chars to choose from, you have far fewer permutations than if you have 62 chars (as in the example) or better yet, the whole 95 printable (ascii) chars, or if using unicode, an even higher number of possibilities per byte. — mwag, May 01 '17 at 16:52
I agree window.crypto.getRandomValues is better. That improvement was not intended to be the focus of the answer, but no harm including a note that, where available, better to use it. It's been updated. Thanks — mwag, May 01 '17 at 16:53

Ninh Pham · Answer 4 · 2021-09-23T13:15:52.273

For someone who is looking for a simplest script. No while (true), no if/else, no declaration.

Base on mwag's answer, but this one uses crypto.getRandomValues, a stronger random than Math.random.

var generatePassword = (
  length = 20,
  wishlist = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz~!@-#$'
) =>
  Array.from(crypto.getRandomValues(new Uint32Array(length)))
    .map((x) => wishlist[x % wishlist.length])
    .join('')

console.log(generatePassword())

Bookmarklet

javascript:prompt("Random password:",((o=20,n="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz~!@-#$")=>Array.from(crypto.getRandomValues(new Uint32Array(o))).map(o=>n[o%n.length]).join(""))())

Node.js

const crypto = require('crypto')

const generatePassword = (
  length = 20,
  wishlist = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz~!@-#$'
) =>
  Array.from(crypto.randomFillSync(new Uint32Array(length)))
    .map((x) => wishlist[x % wishlist.length])
    .join('')

console.log(generatePassword())

Python

#!/usr/bin/env python

import os


def rand(length: int) -> str:
    bytes = os.urandom(length)
    chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890-"
    cl = len(chars)
    rs = ''
    for i in bytes:
        rs += chars[i % cl]
    return rs


print(rand(18))

Go

See: https://stackoverflow.com/a/67035900/1099314

This is not giving consistently 20 length passwords, because of an undefined offset. The `+ 1` part is not necessary and can be removed. — bryc, Jul 07 '19 at 10:45
Useful and easy solution. Anyone looking to do this within NodeJS can simply replace `crypto.getRandomValues` with [crypto.randomFillSync](https://nodejs.org/docs/latest/api/crypto.html#crypto_crypto_randomfillsync_buffer_offset_size). — Rvy Pandey, May 08 '20 at 15:26

Ryan Shillington · Answer 5 · 2017-08-22T16:08:02.717

In case you need a password generated with at least 1 number, 1 upper case character, and 1 lower case character:

function generatePassword(passwordLength) {
  var numberChars = "0123456789";
  var upperChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
  var lowerChars = "abcdefghijklmnopqrstuvwxyz";
  var allChars = numberChars + upperChars + lowerChars;
  var randPasswordArray = Array(passwordLength);
  randPasswordArray[0] = numberChars;
  randPasswordArray[1] = upperChars;
  randPasswordArray[2] = lowerChars;
  randPasswordArray = randPasswordArray.fill(allChars, 3);
  return shuffleArray(randPasswordArray.map(function(x) { return x[Math.floor(Math.random() * x.length)] })).join('');
}

function shuffleArray(array) {
  for (var i = array.length - 1; i > 0; i--) {
    var j = Math.floor(Math.random() * (i + 1));
    var temp = array[i];
    array[i] = array[j];
    array[j] = temp;
  }
  return array;
}

alert(generatePassword(12));

Here's the fiddle if you want to play/test: http://jsfiddle.net/sJGW4/155/

Props to @mwag for giving me the start to create this.

You're missing lowercase `j` :P Otherwise, good stuff right here. Modified it a bit to meet my requirements though. — Igor Yavych, Aug 17 '17 at 22:11

dingo sky · Answer 6 · 2020-09-26T10:28:29.700

As @RobW notes, restricting the password to a fixed number of characters as proposed in the OP scheme is a bad idea. But worse, answers that propose code based on Math.random are, well, a really bad idea.

Let's start with the bad idea. The OP code is randomly selecting a string of 8 characters from a set of 62. Restricting the random string to 5 letters and 3 numbers means the resulting passwords will have, at best, 28.5 bits of entropy (as opposed to a potential of 47.6 bits if the distribution restriction of 5 letters and 3 numbers were removed). That's not very good. But in reality, the situation is even worse. The at best aspect of the code is destroyed by the use of Math.random as the means of generating entropy for the passwords. Math.random is a pseudo random number generator. Due to the deterministic nature of pseudo random number generators the entropy of the resulting passwords is really bad , rendering any such proposed solution a really bad idea. Assuming these passwords are being doled out to end users (o/w what's the point), an active adversary that receives such a password has very good chance of predicting future passwords doled out to other users, and that's probably not a good thing.

But back to the just bad idea. Assume a cryptographically strong pseudo random number generator is used instead of Math.random. Why would you restrict the passwords to 28.5 bits? As noted, that's not very good. Presumably the 5 letters, 3 numbers scheme is to assist users in managing randomly doled out passwords. But let's face it, you have to balance ease of use against value of use, and 28.5 bits of entropy isn't much value in defense against an active adversary.

But enough of the bad. Let's propose a path forward. I'll use the JavaScript EntropyString library which "efficiently generates cryptographically strong random strings of specified entropy from various character sets". Rather than the OP 62 characters, I'll use a character set with 32 characters chosen to reduce the use of easily confused characters or the formation of English words. And rather than the 5 letter, 3 number scheme (which has too little entropy), I'll proclaim the password will have 60 bits of entropy (this is the balance of ease versus value).

import { Entropy, charSet32 } from 'entropy-string'
const random = new Entropy({ bits: 60, charset: charset32 })
const string = random.string()

"Q7LfR8Jn7RDp"

Note the arguments to Entropy specify the desired bits of entropy as opposed to more commonly seen solutions to random string generation that specify passing in a string length (which is both misguided and typically underspecified, but that's another story).

The code snippet has been updated to the newer version of the library. There are also many examples in the library README and GitHub repo. — dingo sky, Sep 26 '20 at 10:29

Alec Sanger · Answer 7 · 2012-03-15T12:41:36.727

This isn't exactly optimized, but it should work.

var chars = "ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz";
var string_length = 8;
var randomstring = '';
var charCount = 0;
var numCount = 0;

for (var i=0; i<string_length; i++) {
    // If random bit is 0, there are less than 3 digits already saved, and there are not already 5 characters saved, generate a numeric value. 
    if((Math.floor(Math.random() * 2) == 0) && numCount < 3 || charCount >= 5) {
        var rnum = Math.floor(Math.random() * 10);
        randomstring += rnum;
        numCount += 1;
    } else {
        // If any of the above criteria fail, go ahead and generate an alpha character from the chars string
        var rnum = Math.floor(Math.random() * chars.length);
        randomstring += chars.substring(rnum,rnum+1);
        charCount += 1;
    }
}

alert(randomstring);

Here's a jsfiddle for you to test on: http://jsfiddle.net/sJGW4/3/

`chars.substring(rnum, rnum+1)` is just like `chars.charAt(rnum)` — Mad Echet, Apr 15 '14 at 15:02

score 6 · Answer 8 · edited Dec 12 '12 at 22:03

I have written a small one inspired from your answer:

(function(){g=function(){c='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';p='';for(i=0;i<8;i++){p+=c.charAt(Math.floor(Math.random()*62));}return p;};p=g();while(!/[A-Z]/.test(p)||!/[0-9]/.test(p)||!/[a-z]/.test(p)){p=g();}return p;})()

This function returns the password and can be used in bookmarklet like:

javascript:alert(TheCodeOfTheFunction);

score 6 · Answer 9 · answered Oct 28 '20 at 12:37

Any password generated with Math.random() is EXTREMELY BAD.

This function uses the system time as a seed for the random number generator. Anyone who knows the time the password was generated can easily brute-force the password.

In almost all cases, this data is easily available - just take the registration_time column in a hacked database, and test out all the values generated by the Math.random() algorithm using the times from 15 to 0 minutes before.

A password generated with Math.random() is completely worthless because the time the password was first used is enough for cracking it.

score 4 · Answer 10 · answered May 09 '20 at 03:13

Ok so if I understand well you're trying to get a random string password which contains 5 letters and 3 numbers randomly positioned and so which has a length of 8 characters and you accept maj and min letters, you can do that with the following function:

function randPass(lettersLength,numbersLength) {
    var j, x, i;
    var result           = '';
    var letters       = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    var numbers       = '0123456789';
    for (i = 0; i < lettersLength; i++ ) {
        result += letters.charAt(Math.floor(Math.random() * letters.length));
    }
    for (i = 0; i < numbersLength; i++ ) {
        result += numbers.charAt(Math.floor(Math.random() * numbers.length));
    }
    result = result.split("");
    for (i = result.length - 1; i > 0; i--) {
        j = Math.floor(Math.random() * (i + 1));
        x = result[i];
        result[i] = result[j];
        result[j] = x;
    }
    result = result.join("");
    return result
}

function randPass(lettersLength,numbersLength) {
    var j, x, i;
    var result           = '';
    var letters       = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    var numbers       = '0123456789';
    for (i = 0; i < lettersLength; i++ ) {
        result += letters.charAt(Math.floor(Math.random() * letters.length));
    }
    for (i = 0; i < numbersLength; i++ ) {
        result += numbers.charAt(Math.floor(Math.random() * numbers.length));
    }
    result = result.split("");
    for (i = result.length - 1; i > 0; i--) {
        j = Math.floor(Math.random() * (i + 1));
        x = result[i];
        result[i] = result[j];
        result[j] = x;
    }
    result = result.join("");
    return result
}
console.log(randPass(5,3))

score 3 · Answer 11 · answered Mar 22 '17 at 11:38

I wouldn't recommend using a forced password as it restricts the User's Security but any way, there are a few ways of doing it -

Traditional JavaScript Method -

Math.random().toString(36).slice(-8);

Using Random String

Install random string:

npm install randomstring

Using it in App.js -

var randStr = require('randomstring');

var yourString = randStr.generate(8);

The Value of your password is being hold in the variable yourString.

Don't Use A Forced Password!

Forced Password can harm your security as all the passwords would be under the same character set, which might easily be breached!

Force != Enforce.. letting a user to enter 123456?.. In a secure system its actually needed to generate a password based upon a condition required by validation.. Without a conditional generation, the code could create invalid passwords, i.e >= 8 characters, at least 1 upper & lower case and a number or special character. Making sure users have strong passwords is not *restricting the user's security* — Lawrence Cherone, May 28 '21 at 17:31

score 3 · Answer 12 · answered Jan 25 '19 at 10:35

3

My Crypto based take on the problem. Using ES6 and omitting any browser feature checks. Any comments on security or performance?

const generatePassword = (
  passwordLength = 12,
  passwordChars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
) =>
  [...window.crypto.getRandomValues(new Uint32Array(passwordLength))]
    .map(x => passwordChars[x % passwordChars.length])
    .join('');

answered Jan 25 '19 at 10:35

Rubinous

436
5
11

This works great. It's more readable than most of the other functions, which I prefer. – Gavin Apr 22 '21 at 09:20

Danny L. · Answer 13 · 2021-02-16T08:32:09.977

Based on @Ryan Shillington answer above you may find this enhancment helpfull too. Think this is more secured then what was requeted on the original request in the question above.

Password generated with at least 1 number, 1 upper case character, 1 lower case character and 1 Special character
Password length is dynamic

//Password generated with at least 1 number, 1 upper case character, 1 lower case character and 1 Special character
function generatePassword() 
{
      var passwordLength = randomIntFromInterval(10,20);    
      var numberChars = "0123456789";
      var upperChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
      var lowerChars = "abcdefghijklmnopqrstuvwxyz";
      var specialChars = "~!#$%&*-+|";
      var allChars = numberChars + upperChars + lowerChars + specialChars;
      var randPasswordArray = Array(passwordLength);
      randPasswordArray[0] = numberChars;
      randPasswordArray[1] = upperChars;
      randPasswordArray[2] = lowerChars;
      randPasswordArray[3] = specialChars;
      randPasswordArray = randPasswordArray.fill(allChars, 4);
      if(window.crypto && window.crypto.getRandomValues)
      {
          return shuffleArray(randPasswordArray.map(function(x) { return x[Math.floor(window.crypto.getRandomValues(new Uint32Array(1))[0] / (0xffffffff + 1) * x.length)] })).join('');  
      }
      else if(window.msCrypto && window.msCrypto.getRandomValues) 
      {
          return shuffleArray(randPasswordArray.map(function(x) { return x[Math.floor(window.msCrypto.getRandomValues(new Uint32Array(1))[0] / (0xffffffff + 1) * x.length)] })).join('');
      }else{
          return shuffleArray(randPasswordArray.map(function(x) { return x[Math.floor(Math.random() * x.length)] })).join('');
      }
      
    }

    function shuffleArray(array) 
    {
      for (var i = array.length - 1; i > 0; i--) {
        var j = Math.floor(Math.random() * (i + 1));
        var temp = array[i];
        array[i] = array[j];
        array[j] = temp;
    }
     
     return array;
}

//generate random number in the range (min and max included)
function randomIntFromInterval(min, max) {
      return Math.floor(Math.random() * (max - min + 1) + min);
}

<input type='text' id='p9'/>
<input type='button' value ='pass generator' onclick='document.getElementById("p9").value = generatePassword()'>

Jaime Neto · Answer 14 · 2021-01-05T12:52:27.667

Here's a way to create a flexible generator that allows you to add some rules:

function generatePassword(length, rules) {
    if (!length || length == undefined) {
        length = 8;
    }

    if (!rules || rules == undefined) {
        rules = [
            {chars: "abcdefghijklmnopqrstuvwxyz", min: 3},  // As least 3 lowercase letters
            {chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZ", min: 2},  // At least 2 uppercase letters
            {chars: "0123456789", min: 2},                  // At least 2 digits
            {chars: "!@#$&*?|%+-_./:;=()[]{}", min: 1}      // At least 1 special char
        ];
    }

    var allChars = "", allMin = 0;
    rules.forEach(function(rule) {
        allChars += rule.chars;
        allMin += rule.min;
    });
    if (length < allMin) {
        length = allMin;
    }
    rules.push({chars: allChars, min: length - allMin});
    
    var pswd = "";
    rules.forEach(function(rule) {
        if (rule.min > 0) {
            pswd += shuffleString(rule.chars, rule.min);
        }
    });
    
    return shuffleString(pswd);
}

function shuffleString(str, maxlength) {
    var shuffledString = str.split('').sort(function(){return 0.5-Math.random()}).join('');
    if (maxlength > 0) {
        shuffledString = shuffledString.substr(0, maxlength);
    }
    return shuffledString;
}

var pswd = generatePassword(15, [
  {chars: "abcdefghijklmnopqrstuvwxyz", min: 4},  // As least 4 lowercase letters
  {chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZ", min: 1},  // At least 1 uppercase letters
  {chars: "0123456789", min: 3},                  // At least 3 digits
  {chars: "!@#$&*?|%+-_./:;=()[]{}", min: 2}      // At least 2 special chars
]);

console.log(pswd, pswd.length);

score 2 · Answer 15 · answered Mar 15 '12 at 12:51

var letters = ['a','b','c','d','e','f','g','h','i','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'];
    var numbers = [0,1,2,3,4,5,6,7,8,9];
    var randomstring = '';

        for(var i=0;i<5;i++){
            var rlet = Math.floor(Math.random()*letters.length);
            randomstring += letters[rlet];
        }
        for(var i=0;i<3;i++){
            var rnum = Math.floor(Math.random()*numbers.length);
            randomstring += numbers[rnum];
        }
     alert(randomstring);

socketpair · Answer 16 · 2016-08-05T17:30:51.900

1

And finally, without using floating point hacks:

function genpasswd(n) {
    // 36 ** 11 > Number.MAX_SAFE_INTEGER
    if (n > 10)
        throw new Error('Too big n for this function');
    var x = "0000000000" + Math.floor(Number.MAX_SAFE_INTEGER * Math.random()).toString(36);
    return x.slice(-n);
}

edited Aug 05 '16 at 17:30

answered Aug 05 '16 at 17:13

socketpair

1,844
16
14

Dusty · Answer 17 · 2018-08-11T16:03:41.797

1

Secure password with one upperCase char.

let once = false;

    let newPassword = Math.random().toString(36).substr(2, 8).split('').map((char) => {
                    if(!Number(char) && !once){
                        once = true;
                        return char.toUpperCase();
                    }
                    return char;
                }).join('');

    console.log(newPassword)

edited Aug 11 '18 at 16:03

answered Aug 10 '18 at 23:17

Dusty

346
4
14

score 1 · Answer 18 · edited Feb 15 '21 at 12:18

1

Try this, it works.

enishant/random_password.js

Download script to your javascript application and call the function, randomPassword()

edited Feb 15 '21 at 12:18

Shayan Shafiq

1
5
17
24

answered May 09 '19 at 15:16

Nishant

330
2
5
11

score 1 · Answer 19 · answered Mar 20 '20 at 10:11

Create a Password generator service called PassswordGeneratorService

import { Injectable } from '@angular/core';

@Injectable()
export class PasswordGeneratorService {

  generatePassword(length:number,upper:boolean,numbers:boolean,symbols:boolean) {
    const passwordLength = length || 12;
    const addUpper =  upper;
    const addNumbers =  numbers;
    const addSymbols =  symbols;

    const lowerCharacters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];
    const upperCharacters = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'];
    const numbers = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];
    const symbols = ['!', '?', '@'];

    const getRandom = array => array[Math.floor(Math.random() * array.length)];

    let finalCharacters = '';

    if (addUpper) {
      finalCharacters = finalCharacters.concat(getRandom(upperCharacters));
    }

    if (addNumbers) {
      finalCharacters = finalCharacters.concat(getRandom(numbers));
    }

    if (addSymbols) {
      finalCharacters = finalCharacters.concat(getRandom(symbols));
    }

    for (let i = 1; i < passwordLength - 3; i++) {
      finalCharacters = finalCharacters.concat(getRandom(lowerCharacters));
    }

    return  finalCharacters.split('').sort(() => 0.5 - Math.random()).join('');
  }
}

don't forget to add the service on the module your using

@NgModule({
  imports: [
    CommonModule,
    SharedModule,
    CommonModule,
    RouterModule.forChild(routes),
    FormsModule,
    ReactiveFormsModule,
    FlexLayoutModule,
    TranslateModule,
    ExistingUserDialogModule,
    UserDocumentsUploadDialogModule
  ],
  declarations: [
    UserListComponent,
    EditUserDialogComponent,
    UserEditorComponent
  ],
  entryComponents: [
    EditUserDialogComponent
  ],
  providers: [
    AuthService,
    PasswordGeneratorService
  ]
})
export class UsersModule {
}

On you controller add a method which calls the generate password method inside the service and set the result on the password field

  constructor(
     private passwordGenerator: PasswordGeneratorService,
    )
  get newPassword() {
    return this.password.get('newPassword');
  }
  generatePassword() {
    this.newPassword.setValue(this.passwordGenerator.generatePassword(8,true,true,true));
  }

i just stripped the function `generatePassword` and used it, no need for a whole class. thnx — Biskrem Muhammad, Jul 27 '20 at 14:53

score 1 · Answer 20 · answered Feb 22 '21 at 23:37

Generate a random password of length 8 to 32 characters with at least 1 lower case, 1 upper case, 1 number, 1 spl char (!@$&)

    function getRandomUpperCase() {
       return String.fromCharCode( Math.floor( Math.random() * 26 ) + 65 );
    }
    
    function getRandomLowerCase() {
       return String.fromCharCode( Math.floor( Math.random() * 26 ) + 97 );
    } 
    
    function getRandomNumber() {
       return String.fromCharCode( Math.floor( Math.random() * 10 ) + 48 );
    }
    
    function getRandomSymbol() {
        // const symbol = '!@#$%^&*(){}[]=<>/,.|~?';
        const symbol = '!@$&';
        return symbol[ Math.floor( Math.random() * symbol.length ) ];
    }
    
    const randomFunc = [ getRandomUpperCase, getRandomLowerCase, getRandomNumber, getRandomSymbol ];
    
    function getRandomFunc() {
        return randomFunc[Math.floor( Math.random() * Object.keys(randomFunc).length)];
    }
    
    function generatePassword() {
        let password = '';
        const passwordLength = Math.random() * (32 - 8) + 8;
        for( let i = 1; i <= passwordLength; i++ ) {
            password += getRandomFunc()();
        }
        //check with regex
        const regex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,32}$/
        if( !password.match(regex) ) {
            password = generatePassword();
        }
        return password;
    }
    
    console.log( generatePassword() );

score 0 · Answer 21 · answered Mar 30 '17 at 15:52

There is a random password string generator with selected length

let input = document.querySelector("textarea");
let button = document.querySelector("button");
let length = document.querySelector("input");

function generatePassword(n) 
{
 let pwd = "";

  while(!pwd || pwd.length < n)
  {
   pwd += Math.random().toString(36).slice(-22);
  }
  
  return pwd.substring(0, n);
}

button.addEventListener("click", function()
{
 input.value = generatePassword(length.value);
});

<div>password:</div>
<div><textarea cols="70" rows="10"></textarea></div>
<div>length:</div>
<div><input type="number" value="200"></div>
<br>
<button>gen</button>

score 0 · Answer 22 · answered Mar 15 '20 at 08:18

Well, you can always use window.crypto object available in the recent version of browser.

Just need one line of code to get a random number:

let n = window.crypto.getRandomValues(new Uint32Array(1))[0];

It also helps to encrypt and decrypt data. More information at MDN Web docs - window.crypto.

score 0 · Answer 23 · answered Oct 15 '20 at 06:58

var Password = {
 
  _pattern : /[a-zA-Z0-9_\-\+\.]/,
  
  
  _getRandomByte : function()
  {
    // http://caniuse.com/#feat=getrandomvalues
    if(window.crypto && window.crypto.getRandomValues) 
    {
      var result = new Uint8Array(1);
      window.crypto.getRandomValues(result);
      return result[0];
    }
    else if(window.msCrypto && window.msCrypto.getRandomValues) 
    {
      var result = new Uint8Array(1);
      window.msCrypto.getRandomValues(result);
      return result[0];
    }
    else
    {
      return Math.floor(Math.random() * 256);
    }
  },
  
  generate : function(length)
  {
    return Array.apply(null, {'length': length})
      .map(function()
      {
        var result;
        while(true) 
        {
          result = String.fromCharCode(this._getRandomByte());
          if(this._pattern.test(result))
          {
            return result;
          }
        }        
      }, this)
      .join('');  
  }    
    
};

<input type='text' id='p'/><br/>
<input type='button' value ='generate' onclick='document.getElementById("p").value = Password.generate(16)'>

score 0 · Answer 24 · answered Sep 17 '21 at 12:36

You could use lodash.

import * as _ from 'lodash';

export const generateCustomPassword = (
  lowerCaseCount: number,
  upperCaseCount: number,
  numbersCount: number,
  specialsCount: number,
) => {
  const chars = 'abcdefghijklmnopqrstuvwxyz';
  const numberChars = '0123456789';
  const specialChars = '!"£$%^&*()-=+_?';
  const pickedChars = _.sampleSize(chars, lowerCaseCount)
    .concat(_.sampleSize(chars.toUpperCase(), upperCaseCount))
    .concat(_.sampleSize(numberChars, numbersCount))
    .concat(_.sampleSize(specialChars, specialsCount));
  return _.shuffle(pickedChars).join('');
};


generateCustomPassword(4, 4, 4, 1)

score 0 · Answer 25 · answered Feb 27 '22 at 14:37

Use this npm package for generating secure password :

npm i generate-secure-password

https://www.npmjs.com/package/generate-secure-password

Sample Code :

const generatePassword = require('generate-secure-password');
let yourPassword = generatePassword({
    // None of the arguments are mandatory
    length: 8,//not less than 4
    numbers: false,//false if number needs to be excluded from password, else true
    symbols: false,//false if symbols needs to be excluded from password, else true
    lowercase: false,//false if lowercase character  needs to be excluded from password, else true
    uppercase: false,//false if uppercase character needs to be excluded from password, else true
    exclude: ['"','%'] //symbols to exclude, Pass it as an array
});
console.log(yourPassword)

Can't find the repo from the NPM page. It's either amateurish or shady, either cases are a red flags, especially for a password generator. — Robin Goupil, Mar 24 '22 at 08:59

score 0 · Answer 26 · answered Mar 17 '22 at 17:10

Everyone here is using Math.random(), which is cryptographically insecure

Use this instead using the crypto API.

const crypto = require("crypto");

function generatePassword() {
    return Array(12)
        .fill("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
        .map(function (x) {
            return x[crypto.randomInt(0, 10_000) % x.length];
        })
        .join("");
}