I'm using Angular CLI to build an Angular 4 app and I can't get your package to work.

Angular CLI excludes the crypto library by default: angular/angular-cli#1548 (comment)
As your package depends on crypto (https://github.com/brendanashworth/generate-password/blob/master/src/generate.js#L1), it won't work.
If I'm not mistaken, crypto is only required for this piece of code: https://github.com/brendanashworth/generate-password/blob/master/src/generate.js#L8

Wouldn't it make sense to replace that line with Math.random() (or similar), so it's compatible with Angular?

when i try i go t thi, how to create reliable password?

`
,
,!)^y#0

`

I need to generate a password on the front-end side by the client request. How can I use this library?

Please update readme how can using angular and ionic project(examples)

With the options:
{ length: 6, numbers: true, strict: false, symbols: true, exclude: '' } the generated passwords never contain letters.
When the options are explicitly given: {
length: 6,
numbers: true,
strict: false,
uppercase: true,
symbols: true,
exclude: ''
} the module works as expected

I try to use this package with webpack-encore but always module build failed to compile with errors.

Module build failed: Module not found:
"./node_modules/generate-password/src/generate.js" contains a reference to the file "crypto".
This file can not be found, please check it for typos or update it if the file got moved.

Used this as option:
let passwordOptions = {
length: 15,
numbers: true,
symbols: true
};
and called "generator.generate(passwordOptions);"

It generated this password which does not have a number in it.

Generated Password: "q?xfnIaTdWlM?fD"

Can you update the NPM package to include the required dependencies, such as crypto?

I'm not sure how this happened, but I installed the latest version of this package off Yarn and it says it's v1.6.0, but the typescript definition has the symbols option as just a boolean. It looks like this was fixed in Git a while ago.

If I click "browse files" in the Yarn page sidebar, I can see the file here, without the 'string' type.

Currently importing named exports from this module from an ESM module will error out:

❯ cat index.mjs
import { generate } from "generate-password";
❯ node index.mjs
file:///{...}/index.mjs:1
import { generate } from "generate-password";
         ^^^^^^^^
SyntaxError: Named export 'generate' not found. The requested module 'generate-password' is a CommonJS module, which may not support all module.exports as named exports.
CommonJS modules can always be imported via the default export, for example using:

import pkg from 'generate-password';
const { generate } = pkg;

    at ModuleJob._instantiate (internal/modules/esm/module_job.js:104:21)
    at async ModuleJob.run (internal/modules/esm/module_job.js:149:5)
    at async Loader.import (internal/modules/esm/loader.js:177:24)
    at async Object.loadESM (internal/process/esm_loader.js:68:5)

It would be nice to have support for this feature. This would require moving to a pure ESM module, or provide a CJS and an ESM build using rollup.

Edit: An additional alternative seems to be to not rename exports as self inside the module.
https://simonplend.com/node-js-now-supports-named-imports-from-commonjs-modules-but-what-does-that-mean/

generate-password v1.5.1 currently has a bug which results in a max callstack size exceeded

The bug occurs when strictly requiring and then excluding those characters.

i.e.

import generator from 'generate-password';

generator.generate({
  strict: true,
  numbers: true,
  exclude: "1234567890",
});

Could we instead throw an error if the configuration is not possible?

I'm curious as to the intention of the options parameter. At first glance, my interpretation was that if I passed any of the options in as true, then the generate() method would force them as a requirement. However, the implementation doesn't appear to follow that logic.

What that said.. What do you think of forcing any options that are set to true to be a requirement of the generated password? Or perhaps, introducing other options that would serve this need?

Hi, I am using this npm for my node project.
And I want to use it in my Java program also.
So how to use it in Java code ??
Please tell me the steps and an example program which will elaborate its usage in java.

According to White Source, underscore library version 1.7.0 has CVE-2021-23358 security vulnerability.
Is it possible to upgrade to version underscore - 1.12.1,1.13.0-2 and release new generate-password version?

Similar to the #46, when using the param numbers:true, the generation no always result on a password with number.

You can see the behavior on the code test bellow
https://runkit.com/carlosfanti/generate-password-bug-numbers-true

This is an intermittent bug. I suspect it has to do with using numbers: true in conjunction with excludeSimilarCharacters: true. It seems to fail about 30% of the times (using node v10) and 10% of the items (uising node v12) -- at least during my limited testing.

Here is some sample code to recreate the issue: https://runkit.com/embed/byemcgw0je47

And here is a screenshot showing a failure case:

I just set the length of my password to be 6, include both cases, a special character and a number. But got a only a password without a special symbol.

I'm sure this happens for password length less than six, but it shouldn't happen for 6 or more password lenght.

I recently extended this package for use in a project. I've added character pool shuffling as an added layer of security ( or obscurity?) to make it even more nondeterministic in the password output.

Not sure what you think of it but if you're open for it, I can open a PR.

While the symbols in the package are well accepted for most cases, it'll be convenient where password requires just a specific set of symbols, to have a symbols property list to consider in the password.

As some people might want to run this in a browser environment, I think it would be better if we mentioned that this doesn't have browser support and instead use the forked project 'generate-password-browser'? would be helpful for beginners!

I'm pretty sure I have this set up correctly. But I do not get consistent/expected results. Not all passwords have both upper and lower case letters. Am I doing something wrong?

`
const Password = require('generate-password');

for (let i = 0; i < 20; i++) {
const password = Password.generate({ length: 10, numbers: true, symbols: true, lowercase: true, uppercase: true });

console.log(password);
}
`

Is it guaranteed that there will be at least one lowercase character when multiple options, including strict, are set to true. For example, if my options object looks like

const options = {
	length: 4,
	numbers: true,
	symbols: true,
	uppercase: true,
	strict: true,
}

Is it possible that generator.generate(options) will return a string without any lowercase characters. That is, it will only contain numbers, symbols and uppercase characters.

It would be helpful to add the answer to this question to the README. Thanks!

The following will sometimes generate passwords of length 7 containing no special characters:

passwordGenerator.generate({
      length: 8,
      strict: true,
      numbers: true,
      lowercase: true,
      uppercase: true,
      symbols: true,
      // These exclusions are either reserved(before space)
      // or unsafe(including and after space) characters for URLs
      exclude: '&$+,/:;=?@# <>[]{}|^%',
    })

We are passing this password to a callback that generates emails by directly injecting the password into a URL. Therefore we cannot pass symbols usually reserved for URLs. This code generated the password ADd9xFM which is 7 characters long.

Out of 1k generated, 102 had undefined inside them and a bad length. Not sure what the cause of this is yet, but we know about it.

Hi there,
I've noticed that sometimes when I generate passwords, even though I specify numbers: true, it does not add a number into the generated password.

For example when using:

    var password = generator.generate({
      length: 10,
      numbers: true
    });
    console.log(password);

I get this outcome (notice for example the second password generated has no number):

I read in the README.md support to be able to define a string of symbols used to generate a password. The generated typescript types however only show support for a boolean.

I am using a salt generated by the Python 'bcrypt' library. When trying to has a string with this salt, I receive an error message:

error - Error: Invalid salt version: /g

Btw the salt I am using has a /g in it

Details

I'm not sure if the boolean values were intended to always include that character type or only most of the time, but I used this library to aid in a temporary password flow and had a number of instances where providing the following options resulted in a password string without a number.

{
    length: 15,
    lowercase: true,
    uppercase: true,
    symbols: true,
    numbers: true,
    exclude: '+=',
}

I tried this with multiple other options configurations and found that passing a numbers value of true does not in fact guarantee that the generated string will include a numeric value.

Hi @brendanashworth

I hope this isn't a silly question. I am wondering if I am missing something in the readme for this module? It looks like the example code is synchronous:

var generator = require('generate-password');
 
var password = generator.generate({
    length: 10,
    numbers: true
});
 
// 'uEyMTw32v9' 
console.log(password);

However, console.log in this example returns undefined rather than the password. If I modify the code by passing a callback function as follows:

var generator = require('generate-password');
 
var password = generator.generate({
    length: 10,
    numbers: true
}, function (err, password) {
    console.log(password) //logs password to console
});

The password is logged to the console as expected rather than undefined.

I dug a little deeper and it looks like the self.generate method actually does return a callback:

	var password = generate(options, pool); //assign callback to var password

	return password; // return callback

That said, I do not see any open issues for your library pertaining to the issue that I have encountered. I am hoping to verify with you if I am missing something else, or if I am on the right track with this being an async module?

Thank you,
Joe

Very cool project, thanks :)

It would be great if it could be possible to request a minimum amount of character of each pool, or per pool. For now the documentation of the strict option mentions password must include at least one character from each pool. but it is not rare to encounter system that requires at least 3 uppercase, 2 symbols, and whatnot.

I have no preference how this could be done.

Being able to specify the minimum amount per pool would give more flexibility than having a single number for all the pools, but it's up to you.

Thank you.

BREAKING CHANGE: webpack < 5 used to include polyfills for node.js core modules by default.
This is no longer the case. Verify if you need this module and configure a polyfill for it

If you want to include a polyfill, you need to:
- add a fallback 'resolve.fallback: { "crypto": require.resolve("crypto-browserify") }'
- install 'crypto-browserify'
If you don't want to include a polyfill, you can use an empty module like this:
resolve.fallback: { "crypto": false }

Please, add to package.json this option

"browser": {
"crypto": false
},

Right now it uses Math.random, which is inherently insecure for password generation.

Change this to use the crypto module.

Hi,

I have set numbers: true, but most of the time the generated password does not include a number. It is buggy. Would be great if you fix it.

Thanks,
Ashwin

Omit 'O' and 0 (zero) from password possibilities.