Whether you are building a user onboarding flow, generating temporary credentials, or populating a secrets manager, generating passwords programmatically is a common developer task. Doing it securely is another matter entirely.
In this guide we look at how to generate strong, cryptographically secure passwords via API, what makes a password strong, and how to integrate this into your application in minutes.
Why Not Just Use Math.random()?
The most common mistake developers make is reaching for their language's built-in random functions. In JavaScript, Math.random() is not cryptographically secure: it is a deterministic pseudo-random number generator whose output can be predicted once enough of it has been observed. A cryptographically secure pseudo-random number generator (CSPRNG) is seeded from operating-system entropy (ultimately hardware noise) and produces output that is computationally infeasible to predict. Use the CSPRNG your platform provides: crypto.randomBytes() in Node.js, the secrets module (for example secrets.token_urlsafe()) in Python, random_bytes() in PHP.
Understanding Password Entropy
Entropy measures unpredictability: entropy = log2(charset_size ^ length) = length × log2(charset_size). A 16-character password drawn from an 88-character charset gives 16 × log2(88) ≈ 103 bits. Practical benchmarks: below 40 bits is crackable instantly; 60-80 bits is fair; 80-100 bits is strong; 100+ bits is very strong and appropriate for secrets and API keys.
Using the ToolCenter Password Generator API
The ToolCenter Password Generator API generates cryptographically secure passwords server-side and returns them with full strength analysis: entropy bits, crack time estimate, and variety score.
Basic Usage
curl -X POST "https://api.toolcenter.dev/v1/password" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"length": 24, "symbols": true}'
The response includes the password and strength report with score (1-5), label (Very Weak to Very Strong), entropy bits, estimated crack time, and variety score out of 4.
Batch Generation
Generate up to 100 passwords at once with count. Use exclude_similar to remove visually ambiguous characters like i, l, 1, I, O, 0 - useful when users must type the password manually.
Memorable Passwords
For temporary credentials, memorable mode generates word-based passwords like Noble-Valor-87%. These trade some entropy for readability - appropriate for one-time codes where a human needs to copy a password briefly.
Custom Character Sets
Use custom_charset for PIN codes or restricted alphabets. Toggle symbols: false to avoid characters that cause issues in shell scripts or config files.
Node.js Integration Example
const axios = require('axios');
const bcrypt = require('bcrypt');

async function onboardUser(db, email) {
  // Request a memorable temporary password from the API
  const { data } = await axios.post(
    'https://api.toolcenter.dev/v1/password',
    { length: 16, memorable: true },
    { headers: { Authorization: `Bearer ${process.env.TC_API_KEY}` } }
  );
  const tempPassword = data.password;
  // Store only the bcrypt hash (cost factor 12), never the plaintext
  await db.users.create({ email, password: bcrypt.hashSync(tempPassword, 12) });
  await sendWelcomeEmail(email, tempPassword); // application's own mailer
}
Password Storage Best Practices
The API generates passwords but does not store or hash them. Always: hash with bcrypt or Argon2id before storing, strip password fields from application logs, transmit only over HTTPS, and force a password change on first login for temporary passwords.
API vs Library
An API requires zero maintenance, works from any language over HTTP, and is auditable via request logs. The tradeoff is roughly 100ms of latency and a network dependency. A library has zero latency and works offline but requires dependency management and security auditing. For most web applications the API tradeoff is worthwhile.
Summary
Generating secure passwords requires a CSPRNG, an appropriate charset, sufficient length, and strength validation. The ToolCenter Password Generator API handles all of this with a simple HTTP call, returning passwords alongside entropy analysis and crack time estimates. Get started free at toolcenter.dev.