PassForge: I Built a Password Workstation Because One Slider Wasn't Enough

Source: Dev.to

I was setting up a new server last week and needed twelve unique passwords for different services. I opened three tabs — LastPass’s generator, Bitwarden’s generator, and 1Password’s online tool. Every single one gave me a bare‑bones interface: one slider for length, a few checkboxes, and a single output. Copy, switch tabs, paste, repeat. Twelve times.

That’s when I decided to build PassForge — a password workstation that handles everything in one place: random passwords, memorable passphrases, strength testing, and bulk generation. All running in your browser with zero data leaving your machine.

What makes PassForge different

Most password generators solve one narrow problem: they spit out a random string. PassForge treats passwords as a workflow with four distinct modes.

Password Generator

Handles the classic use case — random character strings with fine‑grained control.

• Length: 4 – 128 characters
• Toggle character sets (uppercase, lowercase, digits, symbols)
• Optionally exclude ambiguous characters (O/0, l/1/I)

Every generated password pulls from crypto.getRandomValues(), not Math.random(), so you get real cryptographic randomness.

Passphrase Generator

Instead of random characters, it builds multi‑word phrases from a curated 1,296‑word dictionary (based on the EFF short wordlist).

• Example: a 5‑word passphrase like Bold‑Crane‑Melt‑Surf‑Knot carries about 52 bits of entropy — comparable to a random 10‑character password — but you can actually remember it.
• Choose separator style (dash, dot, underscore, space)
• Capitalize words
• Optionally append a number or symbol for sites with strict requirements

Strength Tester

Paste any existing password and get an honest assessment.

• Calculates entropy and estimates crack time assuming a 10‑billion‑guesses‑per‑second GPU cluster
• Runs pattern analysis for repeated characters, sequential sequences, and character‑diversity
• Visibility toggle lets you inspect the password without exposing it to shoulder surfers by default

Bulk Generator

Solves the original problem — generating many passwords at once.

• Slider: 2 – 50 passwords
• Choose between random passwords and passphrases
• Click any row to copy it, or hit Copy All to get the entire batch on your clipboard (newline‑separated)

How it actually works under the hood

The entire app is a single HTML file — 40 KB total, zero external dependencies. No frameworks, no CDN requests, no analytics pixels. When you open it, you get first paint in under 100 ms because there’s nothing to fetch.

Cryptographic randomness

Every random value in PassForge comes from the Web Crypto API. The cryptoRandInt(max) function creates a Uint32Array, fills it with crypto‑grade random bytes, and takes the modulus. For shuffling (ensuring character‑set distribution) I use the Fisher‑Yates algorithm with crypto‑random indices.

function cryptoRandInt(max) {
  const arr = new Uint32Array(1);
  crypto.getRandomValues(arr);
  return arr[0] % max;
}

The password generator guarantees at least one character from each active set, then fills the remaining length from the combined pool, and finally shuffles the entire result. This prevents the “first 4 chars are always one‑from‑each‑set” pattern that weaker generators produce.

Entropy calculation

• Random passwords: entropy = length × log₂(poolSize)
poolSize is determined by which character classes appear in the password.

• Passphrases: entropy = wordCount × log₂(dictionarySize)
  With our 1,296‑word list, each word adds about 10.34 bits.

The crack‑time estimate assumes a high‑end adversary: 10 billion guesses per second (what a multi‑GPU rig running Hashcat can achieve against fast hashes like MD5). Against bcrypt or Argon2, actual crack times would be orders of magnitude longer. I chose the aggressive estimate because your password should be strong even in the worst‑case scenario.

The strength tester’s pattern analysis

Beyond raw entropy, the tester checks for real weaknesses:

Each check produces a clear pass/fail with a specific tip for improvement, not just a vague “make it stronger” message.

Design decisions I’m opinionated about

• Dark mode is automatic. PassForge reads prefers-color-scheme and switches themes without any toggle button. If your OS says dark, you get dark. No cookie banners, no preference dialogs.
• Every output is one‑click copy. Click the password box, a bulk‑list row, or the passphrase — they all copy to the clipboard with a 2‑second toast confirmation. No separate copy button hunting.
• Touch targets are 44 px minimum. Every interactive element — tabs, checkboxes, sliders, buttons — meets Apple’s Human Interface Guidelines for minimum touch‑target size. This matters when you’re generating a password on your phone in a coffee shop.
• Keyboard navigation works throughout. Tabs use arrow keys. Checkboxes respond to Space and Enter. Ctrl + G generates a new password regardless of which tab you’re on. Focus states are visible.
• PWA‑installable. PassForge includes a service worker and web manifest, so you can “Add to Home Screen” on mobile or install it as a desktop app. It works offline after the first load — your password generator should never depend on an internet connection.

When you’d actually use each mode

• Password mode – database credentials, API keys, or any service that requires a traditional random string.
• Passphrase mode – memorized passwords for personal accounts, where you need something you can type from memory but still strong.
• Strength tester – auditing existing passwords or evaluating a newly‑created one before committing it to a service.
• Bulk generator – provisioning multiple accounts, creating service‑specific passwords, or generating a set of one‑time passwords for a team.

Give PassForge a try and see how much smoother password management can be when everything you need lives in a single, offline‑first web page.

Modes

Random mode – generate passwords for API keys, service accounts, anything a machine reads.

• Full‑length, all character sets, exclude ambiguous characters.

Passphrase mode – your primary email, password‑manager master password, full‑disk encryption.

• Anything you type by hand and need to remember.

Strength tester – audit existing passwords.

• Paste your current bank password and find out if it’s actually as strong as you assumed.

Bulk mode – provisioning new infrastructure, creating test accounts, rotating credentials across services.

Privacy is structural, not promised

PassForge doesn’t have analytics. It doesn’t make network requests after loading. There’s no server‑side component to hack, no database to breach, no logs to subpoena.

Open your browser’s Network tab while using it – you’ll see exactly zero requests. Your passwords exist only in your browser’s memory and nowhere else.

This isn’t a privacy policy written to sound good. It’s a consequence of the architecture: a single HTML file, no backend, no external scripts.

Try it

PassForge is free and ready to use right now.

If you work with passwords daily — sysadmin, developer, IT support — bookmark it. It’s built to be the one password tool you keep open.

Related tools

• HashForge – generate and verify MD5/SHA/HMAC hashes, all in your browser.
• DiffLab – compare text diffs without uploading anything.
• RegexLab – test regex patterns with a multi‑case runner.