Generate Passwords, Passphrases, PINs, and UUIDs —
Inside Your Encrypted Vault

You use a password manager, but you still open a browser tab to generate passwords. The generated value lands on your clipboard, you paste it into the manager, you paste it into the signup form, and both copies linger in memory until something clears them. Claspt eliminates that entire round trip. The generator lives inside the vault. The password is born encrypted and never touches an external tool.

The Problem with Separate Generators

Most password managers include a basic generator — random characters at a configurable length. That covers one use case. But credentials come in many shapes:

• Random passwords for website logins and API keys
• Passphrases for master passwords, full-disk encryption, and Bitcoin wallets
• Memorable tokens for Wi-Fi passwords you share verbally
• PINs for banking apps, SIM cards, and hardware locks
• UUIDs for database records, API identifiers, and correlation IDs
• Bulk batches for provisioning teams, test environments, or one-time tokens

When your manager only handles random character strings, you reach for a separate tool for everything else. Each tool is another clipboard exposure, another tab, another place where a generated secret exists unencrypted in memory.

Six Generation Modes

Claspt's generator covers all six use cases from a single interface. Every mode is available in the desktop app, the CLI, the HTTP API, and the MCP Server.

1. Password

Classic random-character generation. You configure length (8–128 characters) and character classes: uppercase, lowercase, digits, symbols. You can also exclude ambiguous characters like 0, O, l, and 1 for passwords that might be read aloud or printed.

claspt generate password --length 24 --symbols --no-ambiguous
# → k9$Xm!vR@pN3wFz&Ty7jQ2d

2. Passphrase (EFF Diceware / BIP-39)

Passphrases are the gold standard for anything you need to type from memory. Claspt supports two wordlists: the EFF Diceware list (7,776 words, optimized for memorability and unambiguous spelling) and the BIP-39 list (2,048 words, used for cryptocurrency seed phrases). You choose the word count, separator, and optional capitalization.

claspt generate passphrase --words 5 --separator "-" --wordlist eff
# → correct-horse-battery-staple-anvil

claspt generate passphrase --words 12 --wordlist bip39
# → abandon ability able about above absent absorb abstract absurd abuse access accident

A 5-word EFF Diceware passphrase provides approximately 64 bits of entropy — equivalent to a 10-character random password with mixed case, digits, and symbols, but far easier to memorize.

3. Memorable

Memorable mode generates pronounceable, structured tokens that are easy to read aloud or dictate over the phone. Useful for Wi-Fi passwords, shared team credentials, or any context where someone needs to type the value by hand.

claspt generate memorable --length 16
# → Tango4-Bravo7-Kx

4. PIN

Numeric-only generation for banking apps, SIM cards, door codes, and hardware tokens. Configurable length from 4 to 12 digits. Consecutive and repeated digit sequences are rejected by default.

claspt generate pin --length 6
# → 839174

5. UUID

Generates version-4 UUIDs using the same CSPRNG as the password generator. Useful for database primary keys, API request IDs, correlation tokens, and any context requiring a globally unique identifier.

claspt generate uuid
# → 7f3a91c2-4e8b-4d1f-a093-6b7c2e5f8d4a

6. Bulk

Generate multiple credentials at once. Bulk mode wraps any of the other five modes and produces a batch of results. You can export to CSV, JSON, or directly insert them into a secret block as a key-value list.

claspt generate password --length 20 --count 10 --format csv
# Outputs 10 unique 20-character passwords as CSV

claspt generate passphrase --words 4 --count 50 --format json
# Outputs 50 passphrases as a JSON array

Bulk generation is particularly useful for DevOps teams provisioning test environments, onboarding new users with temporary credentials, or generating one-time tokens for event registrations.

Built-In Strength Checker

Every generated value — and every password you manually type into a secret block — is evaluated by the built-in strength checker. It does not use a simple rule-based score like "must contain uppercase and symbol." Instead, it calculates:

• Shannon entropy — the theoretical information content in bits, based on the character pool and length
• Pattern detection — identifies dictionary words, keyboard walks (qwerty, asdf), date patterns, and repeated sequences that reduce effective entropy
• Crack-time projection — estimates how long an offline brute-force attack would take at 10 billion guesses per second (a reasonable GPU cluster throughput for fast hashes like SHA-256)

The result is a four-tier rating: Weak, Fair, Strong, or Excellent, with the estimated crack time displayed in human-readable form — "3 hours," "400 years," or "heat death of the universe."

The strength checker runs on every secret field, not just generated ones. If you paste Password123! into a secret block, Claspt will flag it immediately with its actual entropy and crack time, not a meaningless "strong" label based on character class rules.

Zero-Exposure Workflow

The generator is not just convenient — it is a security boundary. Every step in the generation-to-storage workflow is designed to minimize the time a plaintext credential exists in memory:

• Inline insert — generate a password directly into a secret block without it ever touching the system clipboard. The value goes from the CSPRNG to the encrypted field in a single operation.
• Clipboard auto-clear — if you do copy a generated value, Claspt clears the clipboard after a configurable timeout (default: 30 seconds). The timeout starts the moment you copy.
• Memory zeroing — the plaintext password buffer is overwritten with zeros the moment it is encrypted into the vault or the generation dialog is dismissed. This uses Rust's zeroize crate, which guarantees the compiler will not optimize away the zeroing operation.

Compare this to a browser-based generator: you generate a password on a website, it exists in the page's JavaScript heap indefinitely, you copy it to the clipboard (where it persists until something else is copied), you paste it into your password manager (another clipboard read), and then you paste it into the signup form. The same plaintext value exists in at least three memory locations with no deterministic cleanup.

Cryptographic Foundation

The randomness source matters. A password generator is only as strong as its random number generator. Claspt uses the ring crate's SystemRandom, which reads directly from the operating system's kernel CSPRNG:

• macOS / iOS → SecRandomCopyBytes (backed by the Fortuna PRNG seeded from hardware entropy)
• Windows → BCryptGenRandom (backed by the CNG PRNG)
• Linux → getrandom(2) (backed by ChaCha20-based PRNG seeded from hardware entropy)

These are the same entropy sources used by your operating system for TLS key generation, disk encryption, and secure boot. There is no userspace PRNG, no Math.random(), no seed file.

Rejection Sampling

When generating a password from a character set that is not a power of 2 in size, naive modulo arithmetic introduces bias. For example, if you generate a random byte (0–255) and take byte % 62 to select from a-zA-Z0-9, values 0–7 appear slightly more often than values 8–61. Over millions of generated characters, this bias is detectable.

Claspt uses rejection sampling: if the random byte falls outside the largest multiple of the character set size that fits within the byte range, it is discarded and a new byte is drawn. This eliminates modulo bias entirely, producing a perfectly uniform distribution across the character set.

Fisher-Yates Shuffle

For passphrase generation, words are selected from the wordlist using a Fisher-Yates shuffle seeded by SystemRandom. This ensures that every permutation of the wordlist is equally likely, and the selection is not biased toward words at the beginning or end of the list.

Available Everywhere You Work

The generator is not locked to the desktop GUI. It is accessible from four interfaces, all producing identical output from the same cryptographic core:

• Desktop app — click the generator icon in any secret field, or open it from the toolbar. Inline insert places the value directly into the field.
• CLI (claspt generate) — scriptable generation for automation, CI/CD pipelines, and terminal workflows. Supports all six modes with full flag control.
• HTTP API — POST /api/generate with a JSON body specifying mode and parameters. Returns the generated value along with its entropy score and crack-time estimate.
• MCP Server — expose generation to AI coding assistants like Claude, Cursor, or Windsurf. Ask your AI to "generate a 5-word passphrase and store it in the Production DB page" and it happens in one step.

POST /api/generate
Content-Type: application/json

"separator": "-"

// Response
"strength": "Excellent"

Entirely Free

The generator, strength checker, bulk export, CLI access, API access, and MCP Server are all included in every tier — including Free. There is no paywall on credential generation. The Pro tier adds cross-device sync and sharing, but the generator works identically on Free.

We made this decision deliberately. A password generator is a security tool. Gating security behind a subscription creates a perverse incentive: users on the free tier reuse weak passwords because the generator costs extra. That is the opposite of what a password manager should encourage.

Why It Matters

The generator is not a feature checkbox. It is a workflow improvement with a measurable security impact:

• No clipboard exposure — inline insert means the plaintext never touches the system clipboard, eliminating an entire class of clipboard-sniffing attacks.
• No context switching — you generate, evaluate, and store in one place. No browser tabs, no external tools, no copy-paste chains.
• No weak defaults — the strength checker runs automatically on every credential. You cannot save a weak password without seeing its actual crack time.
• No single-mode limitation — six modes mean you use the right format for the right context instead of forcing a random character string where a passphrase or PIN is more appropriate.
• No vendor lock-in — bulk export to CSV or JSON means your generated credentials are portable. You are never trapped.