# Generator — Manual

> Full feature reference for the Generator: all seven tabs, their parameters and character sets, the architecture (server- vs. client-side), and the limits.

Source: https://www.jpkc.com/db/en/tools/generator/manual/

Back to the overview: [Generator](https://www.jpkc.com/db/en/tools/generator/) · Open the tool live: [www.jpkc.com/tools/generator/](https://www.jpkc.com/tools/generator/)

This manual documents the **Generator** in full: each of the seven tabs, its options and character sets, what runs server-side versus in the browser, and the limits that apply. The interface is in English, so the tab and button names below match what you see in the tool.

## Architecture and privacy first

The Generator works in two halves. This is the single most important thing to understand about its results:

- **Server-side** (PHP API): the random passwords from the four standard tiers, the salt keys, the WordPress standard and Extreme keys, the WLAN keys, and the APR1-MD5 block. The JavaScript requests the value from the server via AJAX (endpoints like `?pw/24/`), which produces it with a cryptographically secure random generator — `random_int()` for character selection, `random_bytes()` + `bin2hex()` for hex. Every response carries `no-cache` headers.
- **Client-side** (Web Crypto / WebAssembly, the value never leaves the browser): the **Apple-style password**, the **BCrypt/Argon2 hashes**, and the entire **TOTP** tab.

That means: if you enter your own password in the **Hashes** tab, it is **not** transmitted — hashing happens locally. A TOTP secret stays in the browser too. The server-side random values are fresh one-off values with no caching.

## Passwords — password generator

The default tab produces random passwords. Two controls:

- **Complexity** (character set):
  - `a-z + A-Z + 0-9 + more specials` — full set including `, . - ; _ # + * ! § $ % & / ( ) = ?`.
  - `a-z + A-Z + 0-9 + less specials` — reduced specials (`. - _ + # $ % * , !`) for better compatibility.
  - `a-z + A-Z + 0-9` — alphanumeric only, no specials.
  - `a-f + 0-9 (hex)` — hexadecimal (from `random_bytes()`), handy for tokens and keys.
  - `Apple-style (memorable, pronounceable)` — see below.
- **Length**: 6, 8, 10, 12, 14, 16, 18, 20, **24** (default), 32, 48, 64. Maximum 64 characters.

For the first four tiers the tool fetches the value server-side. Use **Generate Password** for a new one and **Copy** to grab it.

### Apple-style — pronounceable and memorable

Pick `Apple-style` and the interface changes: instead of **Length** it shows **Blocks** (number of 6-character blocks separated by `-`), from 3 (default, = 20 chars) up to 9 (= 62 chars). This variant runs **entirely client-side** (Web Crypto API) and mimics the iCloud Keychain pattern: alternating consonant-vowel (so it's pronounceable), exactly **one** digit and exactly **one** uppercase letter in the whole password, with ambiguous characters excluded. A result looks like `kibavu-sed3ro-Nopuky`.

## Salt — salt keys

Generates cryptographic salt keys with an extended character set (all letters/digits plus many specials including backtick, brackets, and space) for maximum entropy.

- **Length**: 16, 32, **64** (default), 128, 256, 512, 1024. Maximum 1024.

**Generate Salt Key** produces a value (server-side). Suitable for general secret/salt values in configurations.

## WordPress — security keys for wp-config.php

Generates the **eight** WordPress security keys as ready-made `define()` lines: `AUTH_KEY`, `SECURE_AUTH_KEY`, `LOGGED_IN_KEY`, `NONCE_KEY`, `AUTH_SALT`, `SECURE_AUTH_SALT`, `LOGGED_IN_SALT`, and `NONCE_SALT`.

- **Key Length**: **64** (default), 72, 96, 128.

**Generate Keys** delivers the finished block to paste into `wp-config.php` (produced server-side).

### Extreme Keys — hardened keys with hash_hmac()

The **Extreme Keys** button (yellow) first reveals an options panel; a second click generates. This mode builds the keys not statically but as PHP code that derives them at runtime via `hash_hmac('sha512', …)` from **static secrets** and **dynamic server variables**. Options:

- **Key Rotation**: `No rotation`, `Hourly`, `Daily`, `Weekly` (default), `Monthly` — how often the keys change automatically via `date()`.
- **Dynamic Components** (switches): **Client IP** (`REMOTE_ADDR`), **User-Agent** (`HTTP_USER_AGENT`), **Server Address** (`SERVER_ADDR` + `SERVER_NAME`) — all three on by default.

The generated code includes a helper function (`jpkcom_extreme_key()`) that combines a static secret with a context. **Important:** any selected dynamic component that changes (IP switch via VPN/mobile, a browser update changing the User-Agent, the rotation interval elapsing) invalidates active sessions — users have to log in again. The options panel flags this with a warning.

## WLAN — WPA/WPA2 keys

Generates WLAN keys compatible with WPA/WPA2 (20 to 63 characters).

- **Complexity**: `a-z + A-Z + 0-9 + specials` (with the safe specials `. - _ , +`) or `a-z + A-Z + 0-9` (alphanumeric only).
- **Length**: 20, 30, 40, 50, **63** (default). Allowed range is 20 to 63 characters — the lower bound matches WPA's minimum, the upper bound its maximum.

**Generate WLAN Key** produces the key (server-side).

## APR1-MD5 — password and hash for .htpasswd

Produces, in one step, a random password **and** its APR1-MD5 hash in the `$apr1$` format that Apache expects for Basic Auth in `.htpasswd` files.

- **Complexity**: the same four tiers as the password generator (`more specials`, `less specials`, alphanumeric, hex).
- **Length**: 8, 12, 16, 20, **24** (default), 32.

The output contains both values, one below the other:

```
Password:
<the plaintext password>

APR1-MD5:
$apr1$<salt>$<hash>
```

You hand the plaintext password to the person/system, and you put the `$apr1$` hash into the `.htpasswd`. Generation and hashing run server-side here.

## Hashes — BCrypt, Argon2i, and Argon2id

Computes three modern password hashes from a password — **entirely client-side via WebAssembly** (the `hash-wasm` library). The password is **not** sent to the server.

**Input:** In the **Password** field, enter your own password or click **Generate** for a random one (that single random value comes from the server-side API, controlled by the two dropdowns **Complexity (generate)** and **Length (generate)**). The **Hash** button only runs when the field is non-empty.

**Parameters:**

- **BCrypt Cost**: `8 (fast)`, `10 (default)` (default), `12 (slow, ~3–8s)` — BCrypt's cost (work) factor.
- **Argon2 Memory**: `4 MB (fast)`, `16 MB`, `64 MB (OWASP)` (default), `256 MB (slow)` — the memory size for both Argon2 variants.

On **Hash**, the tool generates a separate random 16-byte salt (Web Crypto) for each algorithm and computes in parallel:

- **BCrypt** with the chosen cost factor.
- **Argon2i** and **Argon2id** with fixed parameters `iterations=3`, `parallelism=1`, `hashLength=32` and the chosen memory (default 64 MB). An info line shows the parameters actually used.

All three hashes appear in **encoded** format (including the algorithm identifier, parameters, and salt) and are directly usable by applications that verify these formats. The WASM computation can take noticeable time depending on your cost/memory choice (hence the "~3–8 s" note at cost 12); a loading spinner shows progress.

## OTP — TOTP one-time codes (RFC 6238)

Sets up time-based two-factor authentication (TOTP) — **entirely client-side** via the Web Crypto API. Compatible with any authenticator app (Google Authenticator, Aegis, and others).

**Inputs and fields:**

- **Account Name** and **Issuer** (service name) — go into the label of the key URL and the QR code (defaults `user@example.com` and `My Service`).
- **Secret (Base32)** — the secret key material. **Generate** creates a new 20-byte secret (160 bits, Base32-encoded); you can also enter an existing one. For the QR and URL the secret must be at least 16 characters.
- **Secret (Hex)** — a read-only hex representation of the same secret.
- **Interval** — a code's lifetime: **30 seconds** (default) or **60 seconds**.
- **Key URL (otpauth://)** — the ready `otpauth://totp/…` URL with `algorithm=SHA1`, `digits=6`, and the chosen `period`. **Copy** and **Open** buttons.
- **QR code** — rendered from the key URL (196 × 196 px, error-correction level M, tuned for the dark theme). **Save QR Code** downloads it as PNG.

**Live display:** three codes side by side — **Previous**, **Current OTP** (with its own copy button), and **Next** — plus info cards for **Epoch (UTC)**, **Iteration (T)**, **Padded Hex**, and **Remaining** (seconds left), and a progress bar that turns yellow at ≤ 10 s and red at ≤ 5 s. The codes are based on HMAC-SHA1, are six digits long, and refresh every second.

## Limits — at a glance

- **Passwords:** max 64 characters (Apple-style: 3–9 blocks of 6 chars, i.e. 20–62 characters).
- **Salt keys:** 1 to 1024 characters.
- **WLAN keys:** 20 to 63 characters (WPA-compliant).
- **WordPress keys:** eight keys; length presets 64/72/96/128.
- **TOTP:** HMAC-SHA1, 6 digits, period 30 or 60 s; 20-byte secret (Base32), QR from a 16-character secret upward.
- **Hashes:** BCrypt cost 8/10/12; Argon2 memory 4/16/64/256 MB, otherwise fixed parameters (iter 3, parallelism 1, length 32).
- **Privacy:** your own password in the Hashes tab and your TOTP secret stay in the browser; server-side random values are served with `no-cache`.

For the audience and the big picture, see the [overview](https://www.jpkc.com/db/en/tools/generator/). Concrete workflows are in the [examples](https://www.jpkc.com/db/en/tools/generator/examples/), strategy and pitfalls in the [tips & tricks](https://www.jpkc.com/db/en/tools/generator/tips/). You can try everything directly in the [tool](https://www.jpkc.com/tools/generator/).