Peter Giacomo Lombardo

All things startups and startup hacking. Creator of Password Pusher. Currently HiveMQ. Former staff of acquired startups Instana & Tracelytics.

2 minute read

How to Generate a High Entropy Password in JavaScript

Ensuring the security of our digital environments begins with the fundamentals: robust, high entropy passwords. As developers, understanding how to generate such passwords using JavaScript is crucial.

Generating a Basic Password in JavaScript

While Math.random() is a common tool for simple random number generation, it’s insufficient for secure password creation due to its predictability.

Example: Basic Password Generation

function generateBasicPassword(length) {
  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  let password = '';
  for (let i = 0; i < length; i++) {
    password += chars.charAt(Math.floor(Math.random() * chars.length));
  }
  return password;
}

console.log(generateBasicPassword(12)); // Example output: "G7e9F0xQ1ZpL"

Summary: This method is straightforward but lacks the necessary security for passwords meant to protect sensitive data.

Enhancing Randomness

To achieve higher security, JavaScript’s crypto.getRandomValues() is the optimal choice, providing cryptographic strength through enhanced randomness.

Enhanced Randomness Example

function generateSecurePassword(length) {
  const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  let password = '';
  const array = new Uint32Array(length);
  window.crypto.getRandomValues(array);
  for (let i = 0; i < length; i++) {
    password += charset[array[i] % charset.length];
  }
  return password;
}

console.log(generateSecurePassword(12)); // More secure output

Summary: By using a cryptographically secure pseudo-random number generator, we ensure each password is both random and strong.

Selecting Character Sets

Incorporating diverse characters, including Unicode and Cyrillic, not only increases complexity but also enhances security.

Character Set Expansion Example

function generateComplexPassword(length) {
  const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+[]{}|;:,.<>?~`' +
                  'АБВГДЕЁЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдеёжзийклмнопрстуфхцчшщъыьэюя';
  let password = '';
  const array = new Uint32Array(length);
  window.crypto.getRandomValues(array);
  for (let i = 0; i < length; i++) {
    password += charset[array[i] % charset.length];
  }
  return password;
}

console.log(generateComplexPassword(16)); // Example with extended charset

Summary: Using a broader character set strengthens passwords by making them resistant to more sophisticated attacks.

Estimating Entropy

Understanding entropy is essential for evaluating password strength. Entropy measures unpredictability and can be approximated as follows:

Formula for Entropy

Entropy (in bits) = log₂(N^K)
  • N is the size of the character set (e.g., 26 for lowercase, 52 for upper+lower, 94 for mixed with numbers and symbols).
  • K is the length of the password.

Example Calculation: For a 12-character password using 94 characters:

Entropy ≈ log₂(94¹²) ≈ 78.8 bits (very strong)

Summary: High entropy values indicate a strong password that can withstand brute force attacks, making this calculation an essential tool for security assessment.

Reseeding the Random Number Generator

For environments demanding the highest security, understanding and implementing reseeding can be essential, even if JavaScript typically handles this internally.

Reseeding Example

function reseedAndGeneratePassword(length) {
  const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  let password = '';
  const array = new Uint32Array(length);
  window.crypto.getRandomValues(array);
  for (let i = 0; i < length; i++) {
    password += charset[array[i] % charset.length];
  }
  return password;
}

console.log(reseedAndGeneratePassword(12)); // Example showing reseeding effect

Summary: Reseeding ensures that even with multiple password generations, each remains unique and secure.

Conclusion

As developers, mastering these techniques for generating high entropy passwords is not just beneficial—it’s essential. Utilizing JavaScript’s advanced features, understanding the calculation of entropy, and applying a wide range of character sets ensure that our passwords remain robust against threats, safeguarding our applications and users’ data.

You May Also Enjoy

How to Scramble a String in Ruby

2 minute read

To randomly scramble a string in Ruby, you can use the chars method to split the string into an array of characters, the shuffle method to randomly shuffle t...

How to NOT Get Screwed as a Software Engineer

less than 1 minute read

This is a great episode from the crew at YC. It would have been nice to hear some real horror stories though but still great situational examples. Worth th...

How to Scramble a String in Python

2 minute read

To randomly scramble a string in Python, you can use the list function to convert the string into a list of characters, the random.shuffle method to shuffle ...

How to Scramble a String in Javascript

5 minute read

To randomly scramble a string in JavaScript, you can use the split method to split the string into an array of characters, the sort method to randomly shuffl...