brendanashworth / generate-password

NodeJS library for generating cryptographically-secure passwords.
MIT License
354 stars 67 forks

Setting numbers to true in options does not guarantee number used #36

Closed dallen4 closed 4 years ago

dallen4 commented 4 years ago

Details

I'm not sure if the boolean values were intended to always include that character type or only most of the time, but I used this library to aid in a temporary password flow and had a number of instances where providing the following options resulted in a password string without a number.

{
    length: 15,
    lowercase: true,
    uppercase: true,
    symbols: true,
    numbers: true,
    exclude: '+=',
}

I tried this with multiple other options configurations and found that passing a numbers value of true does not in fact guarantee that the generated string will include a numeric value.

mt-sebastien-robert commented 4 years ago

Those are ignored if you don't use the strict option.

brendanashworth commented 4 years ago

@dallen4 it's true that the strict option is needed to ensure those characters are included in the password. While it may be less intuitive, having that as the default results in passwords with slightly more entropy = strength. Perhaps that should be better documented (PRs are welcome!), but I'm going to close this issue otherwise. 🍾
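The behaviour discussed in this thread, as an added example that is not part of the issue or of generate-password's own code: a non-strict generator draws every position from one merged pool, so a class can be absent by chance, while a strict generator redraws until each enabled class appears. The function names, the symbol set and the rejection-sampling approach are assumptions made for illustration.

```javascript
// Added illustration, not generate-password's source. Uses Node's CSPRNG.
const { randomInt } = require('node:crypto');

const CLASSES = {
  lowercase: 'abcdefghijklmnopqrstuvwxyz',
  uppercase: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  numbers: '0123456789',
  symbols: '!@#$%^&*()+_-=}{[]|:;"/?.><,`~', // assumed symbol set (30 chars)
};

// One pool per enabled class, with excluded characters removed.
function buildPools(opts) {
  const drop = opts.exclude || '';
  const pools = {};
  for (const [name, chars] of Object.entries(CLASSES)) {
    if (!opts[name]) continue;
    const kept = [...chars].filter((c) => !drop.includes(c)).join('');
    if (kept) pools[name] = kept;
  }
  return pools;
}

// Non-strict: each position is an independent uniform draw from the merged pool.
function generateLoose(opts) {
  const pool = Object.values(buildPools(opts)).join('');
  if (!pool) throw new Error('no characters left in pool');
  let out = '';
  for (let i = 0; i < opts.length; i++) out += pool[randomInt(pool.length)];
  return out;
}

// Strict: redraw the whole password until every enabled class is present.
function generateStrict(opts) {
  const pools = Object.values(buildPools(opts));
  if (opts.length < pools.length) throw new Error('length too short for strict');
  for (;;) {
    const pw = generateLoose(opts);
    if (pools.every((p) => [...pw].some((c) => p.includes(c)))) return pw;
  }
}

// Chance that a non-strict password has no character from class `name`.
function probMissing(opts, name) {
  const pools = buildPools(opts);
  const total = Object.values(pools).join('').length;
  return Math.pow(1 - pools[name].length / total, opts.length);
}
// Options from the issue report.
const ISSUE_OPTS = { length: 15, lowercase: true, uppercase: true, symbols: true, numbers: true, exclude: '+=' };
```

With the assumed 90-character pool, `probMissing(ISSUE_OPTS, 'numbers')` is (80/90)^15, roughly 0.17, so about one non-strict password in six contains no digit.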