Strong Password Generator — Free & Secure
Create strong, random passwords that are virtually impossible to crack. Choose your desired length, character types (uppercase, lowercase, numbers, symbols), and generate as many passwords as you need. Everything happens in your browser — nothing is ever sent to a server.
Tips
Longer is stronger
A 12-character password takes years to crack with modern hardware. A 20-character password would take longer than the age of the universe. Length matters more than complexity.
Use a password manager
You don't need to remember strong passwords — use a password manager like Bitwarden (free), 1Password, or Dashlane to store them securely.
One unique password per account
Never reuse passwords. If one account is breached, attackers try the same password on every other service (credential stuffing). Unique passwords stop this.
Enable 2FA as a second layer
Even the strongest password can be phished. Enable two-factor authentication (2FA) on all important accounts as a second line of defence.
Secret Key Generator
SecurityGenerate secure random keys, API tokens, or passwords.
About this tool
What is the Secret Key Generator?
The Secret Key Generator creates cryptographically random keys, passwords, API tokens, and secrets using your browser's built-in cryptographic random number generator. Choose the length, select which character sets to include, and generate as many keys as you need — instantly, with nothing sent to any server.
How to Use the Generator
- Set the length. Use the slider or input to choose how many characters your key should be.
- Select character sets. Toggle which types of characters to include:
- Uppercase letters (A–Z)
- Lowercase letters (a–z)
- Numbers (0–9)
- Symbols (
!@#$%^&*etc.)
- Generate. A new random key is created immediately. Click Generate again for a different key.
- Copy. Click the Copy button to put the key on your clipboard.
Why Cryptographic Randomness Matters
Not all random is equal. A standard Math.random() call in JavaScript uses a pseudorandom number generator (PRNG) — its output is deterministic and predictable given its seed. Cryptographic randomness (crypto.getRandomValues()) uses entropy from the operating system — hardware events, timing variations, and other unpredictable sources — producing output that is computationally infeasible to predict.
This tool exclusively uses crypto.getRandomValues(). For passwords, API keys, session tokens, and anything that needs to be genuinely secret, this is the correct approach.
Recommended Key Lengths by Use Case
| Use case | Recommended length | Notes |
|---|---|---|
| Website passwords | 16–20 characters | Use a password manager to store |
| API keys | 32–64 characters | Alphanumeric or hex format |
| JWT secrets (HS256) | 32+ characters | Minimum 256 bits of entropy |
| JWT secrets (HS512) | 64+ characters | Minimum 512 bits of entropy |
| Session tokens | 32 characters | Random, not predictable |
| Encryption keys | 32 or 64 characters | Match key size to algorithm |
| CSRF tokens | 16–32 characters | Single-use per form |
Character Set Considerations
Alphanumeric only (A–Z, a–z, 0–9) — URL-safe, compatible with most APIs and systems that don't accept special characters. Slightly lower entropy per character than full character sets.
Including symbols — increases entropy per character, producing stronger keys at the same length. Some systems restrict which symbols are valid; check before using.
Hex (0–9, a–f) — commonly used for API keys and cryptographic keys because hex encodes cleanly without special characters. A 64-character hex string represents 32 bytes (256 bits) of entropy.
Base64 — encodes 6 bits per character, more compact than hex. Used in JWTs, encoded credentials, and some API authentication schemes.
Privacy
Key generation happens entirely in your browser using the Web Crypto API. No keys, settings, or usage data are sent to any server or stored anywhere. Close the tab and the generated keys are gone.
Discussion
Join the discussion
Sign in to share your thoughts and engage with the community.