Release v3.0.0 - cryptographic rewrite with async, DI, presets and passphrases
BREAKING CHANGES
- Invalid settings now throw ArgumentException from Next() instead of
returning an error string. Use TryNext(out var password) for a
non-throwing alternative. - Minimum runtime raised to .NET 8 (net8.0 + net10.0). netstandard2.0
is dropped. Consumers on .NET Framework or older runtimes should stay
on the 2.x line.
SECURITY / CORRECTNESS
- Replaced System.Random with CryptoRandomSource backed by
RandomNumberGenerator.GetInt32 — unbiased sampling, no modulo bias. - Replaced GUID-based shuffle with a Fisher–Yates shuffle.
- Empty special-character sets are now validated rather than silently
weakening output.
ADDED
- Async APIs: NextAsync, GenerateAsync.
- Dependency injection: AddPasswordGenerator(...) with fluent code
configuration and appsettings.json binding via IConfiguration. - Presets: ForOwasp, ForNist, ForOtp, ForApiKey, ForEnvironmentName,
ForPassphrase, ForPassphraseWithEntropy, ForMemorable. - Passphrases now use the EFF Large Wordlist (7,776 words, ~12.9 bits/
word); a 6-word phrase is ~77 bits. Optional symbol injection for
policies that require a special character. Optional null separator to
concatenate words without a delimiter. - Entropy estimation: EstimateEntropyBits() on IPasswordGenerator.
- Custom pools: WithCharacters(string), WithAllAscii().
- Quality controls: ExcludeAmbiguous(), RequireAtLeast(CharacterClass, n).
- Batch API: Generate(count) and parameterless Generate() driven by
PasswordOptions.DefaultBatchCount.
PACKAGING
- PackageIcon, PackageReadmeFile, SourceLink, deterministic build,
.snupkg symbol package. - NuGet dependencies: Microsoft.Extensions.DependencyInjection.Abstractions
and Microsoft.Extensions.Configuration.Binder (both 10.0.8).
COMPATIBILITY
The v2 public surface (Next, NextGroup, constructors, IncludeX,
LengthRequired) is unchanged and continues to work, except for the
error-handling breaking change above. See docs/migration-v2-to-v3.md.