Generator — Manual
Full feature reference for the Generator: all seven tabs, their parameters and character sets, the architecture (server- vs. client-side), and the limits.
This manual documents the Generator in full: each of the seven tabs, its options and character sets, what runs server-side versus in the browser, and the limits that apply. The interface is in English, so the tab and button names below match what you see in the tool.
Architecture and privacy first
The Generator works in two halves. This is the single most important thing to understand about its results:
- Server-side (PHP API): the random passwords from the four standard tiers, the salt keys, the WordPress standard and Extreme keys, the WLAN keys, and the APR1-MD5 block. The JavaScript requests the value from the server via AJAX (endpoints like ?pw/24/), which produces it with a cryptographically secure random generator — random_int() for character selection, random_bytes() + bin2hex() for hex. Every response carries no-cache headers.
- Client-side (Web Crypto / WebAssembly, the value never leaves the browser): the Apple-style password, the BCrypt/Argon2 hashes, and the entire TOTP tab.
That means: if you enter your own password in the Hashes tab, it is not transmitted — hashing happens locally. A TOTP secret stays in the browser too. The server-side random values are fresh one-off values with no caching.
Passwords — password generator
The default tab produces random passwords. Two controls:
- Complexity (character set):
  - a-z + A-Z + 0-9 + more specials — full set including , . - ; _ # + * ! § $ % & / ( ) = ?
  - a-z + A-Z + 0-9 + less specials — reduced specials (. - _ + # $ % * , !) for better compatibility.
  - a-z + A-Z + 0-9 — alphanumeric only, no specials.
  - a-f + 0-9 (hex) — hexadecimal (from random_bytes()), handy for tokens and keys.
  - Apple-style (memorable, pronounceable) — see below.
- Length: 6, 8, 10, 12, 14, 16, 18, 20, 24 (default), 32, 48, 64. Maximum 64 characters.
For the first four tiers the tool fetches the value server-side. Use Generate Password for a new one and Copy to grab it.
Apple-style — pronounceable and memorable
Pick Apple-style and the interface changes: instead of Length it shows Blocks (number of 6-character blocks separated by -), from 3 (default, = 20 chars) up to 9 (= 62 chars). This variant runs entirely client-side (Web Crypto API) and mimics the iCloud Keychain pattern: alternating consonant-vowel (so it's pronounceable), exactly one digit and exactly one uppercase letter in the whole password, with ambiguous characters excluded. A result looks like kibavu-sed3ro-Nopuky.
Salt — salt keys
Generates cryptographic salt keys with an extended character set (all letters/digits plus many specials including backtick, brackets, and space) for maximum entropy.
- Length: 16, 32, 64 (default), 128, 256, 512, 1024. Maximum 1024.
Generate Salt Key produces a value (server-side). Suitable for general secret/salt values in configurations.
WordPress — security keys for wp-config.php
Generates the eight WordPress security keys as ready-made define() lines: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT.
- Key Length: 64 (default), 72, 96, 128.
Generate Keys delivers the finished block to paste into wp-config.php (produced server-side).
Extreme Keys — hardened keys with hash_hmac()
The Extreme Keys button (yellow) first reveals an options panel; a second click generates. This mode builds the keys not statically but as PHP code that derives them at runtime via hash_hmac('sha512', …) from static secrets and dynamic server variables. Options:
- Key Rotation: No rotation, Hourly, Daily, Weekly (default), Monthly — how often the keys change automatically via date().
- Dynamic Components (switches): Client IP (REMOTE_ADDR), User-Agent (HTTP_USER_AGENT), Server Address (SERVER_ADDR + SERVER_NAME) — all three on by default.
The generated code includes a helper function (jpkcom_extreme_key()) that combines a static secret with a context. Important: any selected dynamic component that changes (IP switch via VPN/mobile, a browser update changing the User-Agent, the rotation interval elapsing) invalidates active sessions — users have to log in again. The options panel flags this with a warning.
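The invalidation behaviour described above can be modelled in a few lines. This is an added sketch in JavaScript (Node), not the PHP that the tool generates: deriveKey(), its context layout and the sample requests are assumptions, and the Weekly rotation is left out for brevity.

```javascript
const { createHmac } = require("node:crypto");

// Rotation bucket = prefix of the UTC ISO timestamp that is constant for one interval.
// Weekly (the tool's default) is left out to keep the sketch short.
const BUCKET_LEN = { none: 0, monthly: 7, daily: 10, hourly: 13 };

// Hypothetical stand-in for the generated helper: HMAC-SHA512 over a context
// built from the enabled dynamic components. The context layout is an assumption.
function deriveKey(secret, name, req, opts, now) {
  const parts = [name, now.toISOString().slice(0, BUCKET_LEN[opts.rotation])];
  if (opts.clientIp) parts.push(req.REMOTE_ADDR);
  if (opts.userAgent) parts.push(req.HTTP_USER_AGENT);
  if (opts.serverAddr) parts.push(req.SERVER_ADDR, req.SERVER_NAME);
  // JSON encoding keeps the fields unambiguous even if a User-Agent contains separators.
  return createHmac("sha512", secret).update(JSON.stringify(parts)).digest("hex");
}

// A session signed under the key at (reqA, timeA) survives only if the key
// derived at (reqB, timeB) is identical.
function sessionSurvives(secret, opts, reqA, timeA, reqB, timeB) {
  return deriveKey(secret, "AUTH_KEY", reqA, opts, timeA) ===
         deriveKey(secret, "AUTH_KEY", reqB, opts, timeB);
}

// Constructed sample data (documentation IP ranges, made-up secret).
const SECRET = "constructed-static-secret";
const home = { REMOTE_ADDR: "192.0.2.10", HTTP_USER_AGENT: "ExampleBrowser/1.0",
               SERVER_ADDR: "203.0.113.5", SERVER_NAME: "blog.example" };
const mobile = { ...home, REMOTE_ADDR: "198.51.100.7" };
const allOn = { rotation: "daily", clientIp: true, userAgent: true, serverAddr: true };
const noIp = { ...allOn, clientIp: false };
const mon = new Date("2024-03-04T09:00:00Z");
const monLater = new Date("2024-03-04T21:00:00Z");
const tue = new Date("2024-03-05T09:00:00Z");

console.log("same day, same client:", sessionSurvives(SECRET, allOn, home, mon, home, monLater));
console.log("IP changed:           ", sessionSurvives(SECRET, allOn, home, mon, mobile, monLater));
console.log("IP changed, IP off:   ", sessionSurvives(SECRET, noIp, home, mon, mobile, monLater));
console.log("rotation elapsed:     ", sessionSurvives(SECRET, noIp, home, mon, home, tue));
```

Switching a component off trades binding strength for session stability: with Client IP disabled the key no longer changes when a user moves between networks, but it also no longer ties the session to one address.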
WLAN — WPA/WPA2 keys
Generates WLAN keys compatible with WPA/WPA2 (20 to 63 characters).
- Complexity: a-z + A-Z + 0-9 + specials (with the safe specials . - _ , +) or a-z + A-Z + 0-9 (alphanumeric only).
- Length: 20, 30, 40, 50, 63 (default). Allowed range is 20 to 63 characters — the lower bound matches WPA's minimum, the upper bound its maximum.
Generate WLAN Key produces the key (server-side).
APR1-MD5 — password and hash for .htpasswd
Produces, in one step, a random password and its APR1-MD5 hash in the $apr1$ format that Apache expects for Basic Auth in .htpasswd files.
- Complexity: the same four tiers as the password generator (more specials, less specials, alphanumeric, hex).
- Length: 8, 12, 16, 20, 24 (default), 32.
The output contains both values, one below the other:
Password:
<the plaintext password>
APR1-MD5:
$apr1$<salt>$<hash>

You hand the plaintext password to the person/system, and you put the $apr1$ hash into the .htpasswd. Generation and hashing run server-side here.
Hashes — BCrypt, Argon2i, and Argon2id
Computes three modern password hashes from a password — entirely client-side via WebAssembly (the hash-wasm library). The password is not sent to the server.
Input: In the Password field, enter your own password or click Generate for a random one (that single random value comes from the server-side API, controlled by the two dropdowns Complexity (generate) and Length (generate)). The Hash button only runs when the field is non-empty.
Parameters:
- BCrypt Cost: 8 (fast), 10 (default), 12 (slow, ~3–8s) — BCrypt's cost (work) factor.
- Argon2 Memory: 4 MB (fast), 16 MB, 64 MB (OWASP) (default), 256 MB (slow) — the memory size for both Argon2 variants.
On Hash, the tool generates a separate random 16-byte salt (Web Crypto) for each algorithm and computes in parallel:
- BCrypt with the chosen cost factor.
- Argon2i and Argon2id with fixed parameters iterations=3, parallelism=1, hashLength=32 and the chosen memory (default 64 MB).

An info line shows the parameters actually used.
All three hashes appear in encoded format (including the algorithm identifier, parameters, and salt) and are directly usable by applications that verify these formats. The WASM computation can take noticeable time depending on your cost/memory choice (hence the "~3–8 s" note at cost 12); a loading spinner shows progress.
OTP — TOTP one-time codes (RFC 6238)
Sets up time-based two-factor authentication (TOTP) — entirely client-side via the Web Crypto API. Compatible with any authenticator app (Google Authenticator, Aegis, and others).
Inputs and fields:
- Account Name and Issuer (service name) — go into the label of the key URL and the QR code (defaults user@example.com and My Service).
- Secret (Base32) — the secret key material. Generate creates a new 20-byte secret (160 bits, Base32-encoded); you can also enter an existing one. For the QR and URL the secret must be at least 16 characters.
- Secret (Hex) — a read-only hex representation of the same secret.
- Interval — a code's lifetime: 30 seconds (default) or 60 seconds.
- Key URL (otpauth://) — the ready otpauth://totp/… URL with algorithm=SHA1, digits=6, and the chosen period. Copy and Open buttons.
- QR code — rendered from the key URL (196 × 196 px, error-correction level M, tuned for the dark theme). Save QR Code downloads it as PNG.
Live display: three codes side by side — Previous, Current OTP (with its own copy button), and Next — plus info cards for Epoch (UTC), Iteration (T), Padded Hex, and Remaining (seconds left), and a progress bar that turns yellow at ≤ 10 s and red at ≤ 5 s. The codes are based on HMAC-SHA1, are six digits long, and refresh every second.
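The values in the live display can be recomputed independently to check an authenticator setup. The following is an added example, not the tool's own code: it uses Node's crypto module instead of the browser Web Crypto API, and the totpView() name, the 16-digit layout of Padded Hex and the Remaining formula are assumptions.

```javascript
const { createHmac } = require("node:crypto");

const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Decode an RFC 4648 Base32 secret (whitespace and '=' padding ignored).
function base32Decode(text) {
  const clean = text.toUpperCase().replace(/[\s=]/g, "");
  const out = [];
  let bits = 0, value = 0;
  for (const ch of clean) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error("invalid Base32 character: " + ch);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", key).update(msg).digest();
  const off = mac[19] & 0x0f;
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// Assumed shape of the live display: Iteration (T), Padded Hex, Remaining, three codes.
function totpView(secretB32, epochSeconds, period = 30) {
  const key = base32Decode(secretB32);
  const t = Math.floor(epochSeconds / period);
  return {
    iteration: t,
    paddedHex: t.toString(16).padStart(16, "0"),
    remaining: period - (epochSeconds % period),
    previous: hotp(key, t - 1),
    current: hotp(key, t),
    next: hotp(key, t + 1),
  };
}

// Constructed input: the RFC 6238 test secret ("12345678901234567890") at epoch 59 s.
console.log(totpView("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59));
```

A verifier that accepts Previous and Next as well as Current tolerates one period of clock drift in either direction, at the cost of a longer window in which an observed code remains valid.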
Limits — at a glance
- Passwords: max 64 characters (Apple-style: 3–9 blocks of 6 chars, i.e. 20–62 characters).
- Salt keys: 1 to 1024 characters.
- WLAN keys: 20 to 63 characters (WPA-compliant).
- WordPress keys: eight keys; length presets 64/72/96/128.
- TOTP: HMAC-SHA1, 6 digits, period 30 or 60 s; 20-byte secret (Base32), QR from a 16-character secret upward.
- Hashes: BCrypt cost 8/10/12; Argon2 memory 4/16/64/256 MB, otherwise fixed parameters (iter 3, parallelism 1, length 32).
- Privacy: your own password in the Hashes tab and your TOTP secret stay in the browser; server-side random values are served with no-cache.
For the audience and the big picture, see the overview. Concrete workflows are in the examples, strategy and pitfalls in the tips & tricks. You can try everything directly in the tool.