Deterministic Password Generation
Made Simple

Generate secure, reproducible password matrices from your seed phrases. Air-gapped security meets practical password management.

▶ Generate Cards 👁 Try Demo

	0	1	2	3	4
A	J~u3	;$\|4	/j\|!	*6)G	8LtD
B	596X	KdmX	)HS1	V~FI	n_QK
C	{>)q	h}/e	.VlH	~4~x	qHyG

🔒 Client-Side Only

Why Seed Card?

🛡️

Deterministic Security

Same seed always produces identical password matrices. No databases, no cloud storage, just pure cryptographic determinism.

📡

Air-Gapped Ready

Generate cards completely offline. Download the page and run locally for maximum security isolation.

⚏

Matrix-Based Passwords

10×10 grids with coordinate-based password selection. Memorable patterns, unlimited combinations.

🔑

Multiple Seed Sources

Support for BIP-39 mnemonics, SLIP-39 shares, and simple SHA-512 seeds for maximum flexibility.

🔍

Card Lookup System

Generate 100 unique cards from one seed. Use card IDs for organized password management.

💻

Open Source

Fully auditable cryptographic implementation. View source, verify algorithms, contribute improvements.

How It Works

Provide Your Seed

Enter a BIP-39 mnemonic, SLIP-39 shares, or simple seed phrase. All processing happens in your browser.

Generate Matrix Cards

Cryptographic expansion creates 10×10 grids of unique tokens using PBKDF2 and HMAC-SHA512.

Select Password Patterns

Choose coordinates like A0-B1-C2 to create passwords. Use different patterns for different accounts.

Lookup & Regenerate

Use card IDs to find specific matrices. Same seed + card ID = identical passwords every time.

Security Model

Cryptographic Foundation

PBKDF2-HMAC-SHA512: Industry standard key derivation with 2048+ iterations
Deterministic Expansion: HMAC-based stream generation for consistent output
Unbiased Mapping: Rejection sampling prevents modulo bias in token generation
Base90 Alphabet: Maximum entropy while avoiding problematic characters

Threat Model

Online Rate Limiting: Designed for services with lockout protection
~41-45 bits entropy: Sufficient for rate-limited online attacks
2FA Recommended: Always use multi-factor authentication for critical accounts
Offline Resistance: Not suitable for scenarios allowing unlimited attempts

⚠️

Security Notice

This tool generates passwords for online services with lockout protection. Modern GPUs can test 7+ billion combinations per second in offline attacks. Always use 2FA for sensitive accounts.

Interactive Demo

Try With Test Data

Sample Seed Phrase:

🔑 Seed Material

Choose your seed source for deterministic generation

Generated Seed Hash (SHA-512):

Characters: 0

Bytes: 0

Bits: 0

Format: Invalid

Seed Entropy: 0 bits

Simple Phrase

Direct SHA-512 hash of your text

BIP-39 Mnemonic

12-24 word cryptocurrency seed phrase

SLIP-39 Shares

Shamir's Secret Sharing reconstruction

Seed Phrase:

ℹ️ Use any memorable phrase. Same phrase always generates identical cards.

BIP-39 Mnemonic (12-24 words):

Passphrase (optional):

PBKDF2 Iterations:

ℹ️ Standard cryptocurrency mnemonic. Enter your own BIP-39 phrase.

SLIP-39 Shares (minimum 2 required):

ℹ️ Use test shares from CLI: seeder generate shares --simple "test"

⚙️ Settings

Configure KDF, card identifier, and token format

Key Derivation Function (KDF):

Argon2id — Memory-hard KDF, resistant to GPU attacks

Argon2 Iterations (t):

⏱️ More iterations = stronger protection but slower derivation.

Argon2 Memory (m):

🧠 Higher memory = stronger protection. Browser limits are auto-detected on load.

Argon2 Lanes (p):

🔀 Parallelism lanes affect hash output. Batch generation uses adaptive multi-threading via Web Workers.

Base System:

Base90

Full charset with special chars (~26 bits/token)

Base62

Alphanumeric only (~24 bits/token)

Base10

PIN codes, digits only (~13 bits/token)

ℹ️ Base10 for PIN codes, Base62 for alphanumeric, Base90 for maximum entropy

Card Date:

Full date for card tracking

Leave empty to use today's date

Nonce:

Unique value for each card derivation (48-bit entropy)

Leave empty to auto-generate, or enter fixed value for reproducibility

Card ID:

Unique identifier for this card (combines domain and pattern)

Label Component Entropy:

Date: 0 bits

Card ID: 0 bits

Total Label: 0 bits

Generated Label:

v1:TOKEN:SIMPLE-ARGON2ID:t3-m64-p8-N.xxxxxxxx-BASE90:sample.A0:2025-11-30|X

Complete v1 label used for deterministic derivation

Format: v1:TOKEN:ALGO:PARAMS:IDENT:DATE|CHECK

🃏 Card

Click an index to view the card details

🔐 Password Examples

🔒 Security Analysis

Seed: -

Label (ID + Date + Nonce + Index): -

Nonce (auto-generated): 48.0 bits

Per-Token Selection: -

Memorized + Punctuation: -

🛡️ KDF Attack Resistance (Seed Brute-Force)

Argon2id makes guessing your seed expensive. With 10,000 GPUs trying to regenerate your card:

Argon2id (t3m64p8) — 100,000 hashes/sec

Time to crack seed: calculating...

Note: KDF resistance only applies when attacker is guessing your seed. If the physical card is stolen, they don't need to crack the KDF.

🛡️ Full Security: All components secret -

⚠️ Seed Compromised: Only user choices remain secret -

🔓 Label Compromised: Card ID/Date known, Seed/Choices secret -

🃏 Card Compromised: Token grid visible (~34 bits remaining) -

Label Hash (Inventory): -

🔐 Password Examples

2 Tokens: ~78.5 bits

A0 + B1 + forest!

tJt3 + r7q[ + forest!

tJt3r7q[forest! (15 characters)

3 Tokens: ~104.4 bits

A0 + B1 + C2 + forest!

tJt3 + r7q[ + tH9v + forest!

tJt3r7q[tH9vforest! (19 characters)

With Numbers: ~88.4 bits

A0 + B1 + forest + 123!

tJt3 + r7q[ + forest + 123!

tJt3r7q[forest123! (18 characters)

Complex Mixed: ~124.2 bits

MyBank + A0 + B1 + C2 + 2024 + varied separators

MyBank + tJt3 + r7q[ + tH9v + 2024 + #-&$ separators

MyBank#tJt3-r7q[&tH9v$2024 (26 characters)

📋 Security Level Legend

INSUFFICIENT (<40 bits)

BASIC (40-64 bits)

GOOD (65-89 bits)

STRONG (90-127 bits)

EXCELLENT (≥128 bits)

Reference: RFC 4086 - Randomness Requirements for Security. Classifications based on computational complexity and current cryptographic standards for entropy estimation.

🛡️ Interactive Threat Analysis

🔒 Normal Operation EXCELLENT

Entropy: 80-120+ bits

Attack Cost: Computationally infeasible

Compromise Risk: Low (air-gapped systems, proper OPSEC)

Required Knowledge: None (all components secret)

📱 Memorized Words Compromised GOOD

Entropy: 45-80+ bits (seed + label + grid selection)

Attack Cost: 2⁴⁵ - 2⁸⁰ operations

Compromise Risk: Higher for online systems (keyloggers, social engineering)

Attacker Still Needs: Seed phrase, label patterns, coordinate habits

⚠️ Seed Compromised GOOD

Entropy: 40-60+ bits (label + grid + memorized)

Attack Cost: 2⁴⁰ - 2⁶⁰ operations (~1 trillion to 1 quintillion)

Compromise Risk: Medium (stolen backup, poor storage)

Attacker Still Needs: Label patterns, coordinate habits, memorized components

🚨 Multiple Compromise BASIC

Entropy: 20-30+ bits (memorized only)

Attack Cost: 2²⁰ - 2³⁰ operations (~1 million to 1 billion)

Compromise Risk: High for predictable users with poor OPSEC

Compromised: Seed + label patterns + coordinate habits

🧠 Memorized Component Vulnerability Analysis

⌨️ Keylogger Attack HIGH RISK

Environment: Compromised computers, public terminals

Exposure: Complete memorized component capture

Mitigation: Use only trusted devices, virtual keyboards for sensitive entry

👁️ Shoulder Surfing MEDIUM RISK

Environment: Public spaces, open offices, cameras

Exposure: Partial to complete visual observation

Mitigation: Screen privacy, private entry locations

🎭 Social Engineering MEDIUM RISK

Environment: Targeted attacks, phishing, impersonation

Exposure: Voluntary disclosure of memorized patterns

Mitigation: Security awareness, verification protocols

🔍 Pattern Analysis LOW RISK

Environment: Multiple password observations over time

Exposure: Predictable memorized word patterns

Mitigation: Vary memorized components, irregular patterns

📊 Impact Assessment

If memorized words compromised:

Remaining entropy: 45-80+ bits

Still requires seed + label + coordinate patterns

Attack complexity increases:

2⁴⁵ - 2⁸⁰ operations required

Computationally expensive even with memorized component

Defense in depth:

Multiple independent components

No single point of failure in the system

🎯 Security Recommendations

Vary coordinate patterns: Don't always use the same grid positions
Strong memorized components: Use diverse words and punctuation
Label diversity: Use varied card IDs and dates for different purposes
Secure seed storage: Keep seed phrase in secure, offline storage
Operational security: Even seed compromise doesn't require immediate password changes if other components are strong

📋 Usage Strategies & Operational Guidelines

🗂️ Written Log System

Maintain a secure written log to correlate systems with token patterns and password rules:

System-to-Pattern Mapping: Record which coordinate patterns (e.g., "A0 B1 C2") are used for each system
Password Rules Documentation: Note specific requirements (length, special chars, etc.) for each service
Memorized Component Variations: Track which memorized words, PINs, and punctuation patterns are used per system
Label Format Standards: Document your card ID and date format conventions

📅 Calendar Rotation System

Implement systematic password rotation using calendar-based label updates:

Quarterly Rotation: Update card dates every 3 months (2024-01, 2024-04, 2024-07, 2024-10)
Annual Card IDs: Use year-based card identifiers (SYS.24.01, SYS.25.01) for major rotations
Emergency Rotation: Pre-planned next card ID/date combinations for security incidents
Staggered Updates: Rotate different systems on different schedules based on risk level

🎯 Coordinate Pattern Strategies

Systematic approaches to coordinate selection for password generation:

Geometric Patterns: Use diagonal lines, squares, or L-shapes for memorability
Personal Significance: Choose coordinates based on dates, initials, or meaningful numbers
Risk-Based Selection: More coordinates for high-value accounts, fewer for low-risk systems
Pattern Diversity: Avoid reusing the same coordinate combinations across critical systems

📝 Documentation Security

Best practices for maintaining secure operational records:

Physical Storage: Keep written logs separate from cards and seed material
Coded References: Use abbreviated system names or codes rather than full service names
Partial Information: Log doesn't need to contain complete password reconstruction data
Regular Review: Update logs when passwords are rotated or systems are decommissioned

🛡️ Interactive Threat Analysis

Select which components have been compromised to see the resulting security level:

Security Model: Token Values = entropy from the actual characters (🃏 card shows these)
Token Sequence = entropy from which grid positions you selected (📋 written inventory needed)
Both are required to reconstruct your password!

Password Configuration:

Number of tokens used in password: Token values: 26.0 bits (4 tokens × 6.64 bits each)

Note: This calculates entropy from token values only. Token sequence (which positions you select) adds separate entropy below.

Select Compromised Components:

🌱 Seed Source (BIP-39/Simple/SLIP-39) 128.0 bits 🏷️ Card Label (domain/type) 32.0 bits

🧂 Enhanced with salted SHA-512 expansion from simple domain names like "Banking"

🔢 Card ID (specific instance) 16.0 bits

🎲 Enhanced with salt/expansion from simple IDs like "01", "Main", "Work"

🃏 Physical Card 63.0 bits 🎯 Selected Tokens 103.9 bits

💡 Token entropy is dynamic: full value when generation parameters (seed+label+cardid) are secret, coordinate selection only when grid can be generated by attacker.

📋 Token Sequence 4.2 bits 🧠 Memorized Components (word + PIN + caps) 24.5 bits 🎯 Usage Patterns (punctuation + order) 7.6 bits

Remaining Security:

222.4 bits : EXCELLENT

Threat Assessment:

Attack Complexity: Computationally infeasible (2²²²⁺ operations)

Recommended Action: No action required - excellent security

Time to Break: Universe lifetime + beyond current technology

Deterministic Password GenerationMade Simple

Why Seed Card?

Deterministic Security

Air-Gapped Ready

Matrix-Based Passwords

Multiple Seed Sources

Card Lookup System

Open Source

How It Works

Provide Your Seed

Generate Matrix Cards

Select Password Patterns

Lookup & Regenerate

Security Model

Cryptographic Foundation

Threat Model

Security Notice

Interactive Demo

Try With Test Data

🔑 Seed Material

⚙️ Settings

🃏 Card

Token Matrix Entropy

🔐 Password Examples

🔒 Security Analysis

🛡️ KDF Attack Resistance (Seed Brute-Force)

🔐 Password Examples

📋 Security Level Legend

🛡️ Interactive Threat Analysis

🧠 Memorized Component Vulnerability Analysis

📊 Impact Assessment

🎯 Security Recommendations

📋 Usage Strategies & Operational Guidelines

🗂️ Written Log System

📅 Calendar Rotation System

🎯 Coordinate Pattern Strategies

📝 Documentation Security

🛡️ Interactive Threat Analysis

Password Configuration:

Select Compromised Components:

Remaining Security:

Threat Assessment:

🔢 Coordinate Selection Entropy

🔐 Password Entropy Breakdown

Deterministic Password Generation
Made Simple