Passwords for VS Code

Generate and validate secrets without leaving your editor. Local generation, optional Have I Been Pwned checks, and PrivateNote sharing.

How to install

Search for "Passwords" in the VS Code Marketplace, or install from the terminal:

Open VS Code Marketplace

Prefer the terminal?

code --install-extension passwordslu.passwords-lu-generator
Passwords VS Code extension sidebar panel with password generator, strength and breach badges, and copy actions
The sidebar panel — pick a type, adjust options, and act on the result in one place.

Why we built this

You are already in VS Code configuring an API key, spinning up a test account, or pasting a database password into an env file. Switching to a browser tab for that breaks flow — and it is easy to reuse something weak when you are in a hurry.

passwords.lu already runs entirely in your browser — nothing is stored, and generation stays on your device. The extension is the same idea, moved into the place where many secrets actually get used: the editor.

The panel is designed for small, frequent tasks: a fresh API key before you commit, a passphrase for a local vault, a quick breach check on text you just selected. No accounts, no cloud sync — just generators and checks when you need them.

Quick start

After install, you can ignore everything else until you need a secret.

  1. Open the panel

    In the Activity Bar (left sidebar), click the Passwords icon. The generator panel opens with Password selected and a new secret already generated.

  2. Pick what you need

    Switch tabs for passphrase, PIN, API key, or username. Options update per type — length, character sets, word count, and more.

  3. Use the result

    Copy is the primary action. You can also insert at the cursor, regenerate, or open PrivateNote when you need to hand the secret to someone else.

  4. Go faster with the palette

    Press Cmd/Ctrl+Shift+P and type Passwords for one-shot generate-and-copy commands, or to check selected text or the clipboard.

What it does

Everything runs locally unless you explicitly turn on breach checking.

  • Sidebar generators. Five secret types in one panel, with live output and badges for strength and breach status.
  • Palette shortcuts. Generate, copy, insert, and analyze without touching the panel — useful when your hands are already on the keyboard.
  • Local strength scoring. zxcvbn runs on your machine. No network call, no upload — just a readable label like “Very strong”.
  • Optional breach lookup. Have I Been Pwned via k-anonymity: only a hash prefix leaves your device, never the password itself.

Command palette reference

All commands live under the Passwords category. These are the ones you will reach for most often.

Generate

Interactive pickers and direct shortcuts using your workspace defaults.

CommandWhat it does
Passwords: Generate…Choose a type, then copy, insert, share, or regenerate
Passwords: Generate and Copy…Choose a type and copy immediately
Passwords: Generate PasswordPassword with your default length and character rules
Passwords: Generate PassphraseEFF long wordlist passphrase
Passwords: Generate PINNumeric PIN
Passwords: Generate API KeyBase64url, hex, or alphanumeric with prefix
Passwords: Generate UsernameAdjective+noun or random string

Analyze

Check text you already have — useful for reviewing env files or pasted credentials.

CommandWhat it does
Passwords: Check Selection StrengthLocal zxcvbn score on selected text
Passwords: Check Selection for BreachesHIBP k-anonymity check on selected text
Passwords: Check Clipboard for BreachesHIBP check on clipboard contents

Panel

CommandWhat it does
Passwords: Open PanelFocus the Passwords sidebar

Customize defaults

Open Settings → Extensions → Passwords to set workspace-wide defaults.

  • passwords-lu.passwordLength — default 20. Default password length
  • passwords-lu.passphraseWords — default 5. Words in generated passphrases
  • passwords-lu.pinLength — default 6. Digits in generated PINs
  • passwords-lu.apiKeyPrefix — default sk_. Prefix prepended to API keys
  • passwords-lu.usernameMode — default composite. composite (adjective+noun) or random
  • passwords-lu.breachCheckEnabled — default false. Auto-check passwords and passphrases against HIBP after generation

Local and private

The extension follows the same privacy model as passwords.lu — your secrets are not our product.

  • Generation stays on your machine. Randomness comes from Node crypto. Nothing is logged or sent to passwords.lu.
  • Strength checks are offline. zxcvbn analysis never touches the network.
  • Breach checks use k-anonymity. When enabled, only the first five characters of a SHA-1 hash go to Have I Been Pwned — not your password in plain text.
  • Share opens PrivateNote in the browser. The secret travels in the URL hash fragment, not in server logs.

Go further

Ready to try it?

Install from the Marketplace and keep the next secret inside your workflow.