
Secure Password Generator

Generate secure passwords, passphrases, PINs, API keys and openssl rand style secrets online. Cryptographically random, never sent to a server.


What this tool does

Generate strong passwords, passphrases, PINs and technical secrets like API keys and JWT secrets, all in your browser. Every value comes from the Web Crypto API (crypto.getRandomValues), the same kind of cryptographically secure source openssl rand uses, never from Math.random. Nothing is sent to our servers, logged or stored.

Working with tokens? Pair this with the UUID generator for opaque identifiers, or decode a key with the Base64 encoder.

What you can use it for

  • Generate a strong master password for a new account, then store it in your password manager.
  • Create a JWT signing secret or API key with the right number of random bytes for your backend.
  • Produce an openssl rand style base64 or hex secret without leaving the browser or opening a terminal.
  • Build a memorable passphrase of several random words for a device or disk you unlock by hand.

How to use it

  1. Pick a mode: password, passphrase, random secret, PIN or token. Or click a preset to set everything at once.
  2. Adjust the length, character sets or byte count. The strength panel updates as you change options.
  3. Copy the result, or open the advanced panel to generate a batch of several values at once.
  4. For technical secrets, read the OpenSSL equivalent block to see the matching openssl rand command.

Everything runs inside your browser. No file is uploaded to any server.

Everything this generator covers

One generator, many jobs. Each mode below targets a specific kind of secret. Use the presets to jump straight to the right configuration, or open its focused page for more detail.

OpenSSL Rand Generator

openssl rand outputs cryptographically secure random bytes and encodes them as raw, hex or base64. Developers reach for it to mint keys, salts and tokens from the command line. In the browser the exact equivalent is crypto.getRandomValues, which this tool uses. Base64 is compact, hex is easy to read, and both carry the same entropy for the same byte count.

openssl rand -base64 32
openssl rand -hex 32

  • Use 32 bytes (256 bits) as a strong default for most secrets.
  • Base64 and hex differ in length, not in security.
  • Reach for base64url when the value goes into a URL or header.

JWT Secret Generator

A JWT signing secret is the key that an HMAC algorithm such as HS256 uses to sign and verify tokens. If it is weak or guessable, anyone can forge valid tokens. Generate a long random secret, keep it server side and rotate it if it is ever exposed.

  • For HS256 use at least 32 bytes, and 64 bytes is a comfortable choice.
  • Never commit the secret to source control or ship it to the client.
  • Rotate the secret on suspected exposure and invalidate old tokens.

API Key Generator

API keys authenticate a client to a service. They should be long, random and opaque, with no structure an attacker can predict. Base64URL keeps them compact and safe to place in headers or URLs.

  • 32 bytes (256 bits) of entropy is a strong, common default.
  • Store only a hash of the key and compare against it on each request.
  • Prefix keys so they are easy to identify and revoke.

Secure Token Generator

Session tokens, password reset links, email verification and recovery codes all rely on unguessable random values. Short lived, single use tokens limit the damage if one leaks. Generate them from a CSPRNG and tie them to an expiry.

  • Use at least 16 bytes for short lived tokens, 32 for anything sensitive.
  • Make reset and verification tokens single use and time limited.
  • Store tokens hashed, never in plain text.
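
A server-side sketch of the storage rules above, which also covers the "store only a hash" and "prefix keys" advice from the API key section. This is an added example for a Node.js backend, not code from the tool; the in-memory store, the `<prefix>_<id>.<secret>` layout and the function names are assumptions made for illustration.

```javascript
// Added example for a Node.js backend; not the tool's code.
// The Map, the token layout and all names are hypothetical.
const { randomBytes, createHash, timingSafeEqual } = require("node:crypto");

// Constructed stand-in for a database table: lookup id -> record.
const store = new Map();

// A plain SHA-256 is adequate here because the input is 256 bits of CSPRNG
// output, not a human-chosen password.
const sha256 = (text) => createHash("sha256").update(text).digest();

// Issue "<prefix>_<id>.<secret>". The prefix makes the token easy to identify,
// the id finds the record, and only the hash of the secret is stored.
function issueToken(prefix, ttlMs, now = Date.now()) {
  const id = randomBytes(8).toString("hex");
  const secret = randomBytes(32).toString("base64url"); // 43 characters
  store.set(id, { hash: sha256(secret), expiresAt: now + ttlMs, used: false });
  return `${prefix}_${id}.${secret}`;
}

// Accept a token at most once, and only before it expires.
function redeemToken(token, now = Date.now()) {
  const match = /^[a-z]+_([0-9a-f]{16})\.([A-Za-z0-9_-]{43})$/.exec(token);
  if (!match) return false;
  const record = store.get(match[1]);
  if (!record || record.used || now > record.expiresAt) return false;
  // Constant-time comparison of two 32-byte digests.
  if (!timingSafeEqual(record.hash, sha256(match[2]))) return false;
  record.used = true; // single use: a replay of the same token now fails
  return true;
}

// Revocation only needs the id, which is readable from the token itself.
function revokeToken(token) {
  const match = /^[a-z]+_([0-9a-f]{16})\./.exec(token);
  return match ? store.delete(match[1]) : false;
}
```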

Passphrase Generator

A passphrase strings together several random words, an idea popularized by Diceware. It is far easier to remember and type than a random character string of the same strength, which makes it ideal for master passwords and disk encryption.

  • Use 5 or more random words for a strong, memorable secret.
  • Each word from a 256 word list adds 8 bits of entropy.
  • Add a number or symbol only if a policy demands it.

PIN Generator

A numeric PIN is convenient for device unlocks, temporary codes and MFA backup entry, but its small alphabet makes it weak for anything important. A 6 digit PIN has only a million combinations, so treat PINs as a secondary factor, not a master secret.

  • Prefer 6 digits or more, and avoid dates or repeated patterns.
  • A PIN is fine as a second factor, not as a main password.
  • Rate limit and lock out attempts wherever a PIN guards access.

Frequently asked questions

Is this password generator safe?

Yes. Every value is generated locally in your browser with the Web Crypto API (crypto.getRandomValues), a cryptographically secure random source. Nothing is ever sent to our servers, logged or stored.

What is openssl rand?

openssl rand is an OpenSSL command that outputs cryptographically secure random bytes. You choose how many bytes and how to encode them, for example openssl rand -base64 32 or openssl rand -hex 32. This tool reproduces it in the browser.

Is Web Crypto as secure as openssl rand?

For generating random secrets, yes. Both draw from a cryptographically secure pseudo random number generator seeded by the operating system. crypto.getRandomValues is the browser standard for exactly this purpose.

How many bytes should a JWT secret have?

For HS256 a secret of at least 32 bytes (256 bits) is recommended, matching the SHA-256 output size. 32 to 64 bytes is a common and safe range. Use a fully random secret, not a dictionary word.

How many bits of entropy does an API key need?

128 bits is the usual floor and 256 bits is comfortable. A 32 byte random key carries 256 bits of entropy, far beyond brute force reach, so 32 bytes encoded as base64url is a solid default.

Password or passphrase, which should I use?

For accounts in a password manager, a 20 to 32 character random password is excellent. If you must type or memorize it, a passphrase of 5 or more random words is easier to handle and can carry the same entropy.

Is Base64 more secure than Hex?

No. They are just encodings of the same random bytes, so the security is identical for the same byte count. Base64 is more compact, hex is easier to read. Pick whichever your system expects.

What is Base64URL?

Base64URL is a URL and filename safe variant of base64. It replaces + with - and / with _ and usually drops the = padding, so the value can sit in a URL, header or JWT without escaping.

How long should a recovery code be?

Recovery codes are typically shown as readable groups carrying around 40 to 80 bits each, generated as a batch of single use codes. Length matters less than them being random, single use and stored hashed on the server.

Why shouldn't I use Math.random()?

Math.random is a fast pseudo random generator that is predictable and not designed for security. If an attacker recovers part of its internal state they can predict future output. Secrets need a CSPRNG such as crypto.getRandomValues.

Can generated secrets be recovered?

No. Generation happens entirely on your device and nothing is transmitted or persisted, so once you close or clear the page the value is gone. Save what you need before leaving.

Are generated passwords stored anywhere?

No. There is no server call, no logging and no localStorage. The optional history list lives only in memory for the current session and disappears on reload.

How is the strength estimate calculated?

It is an entropy estimate in bits based on how the value is generated: length times log2 of the character set size for passwords, words times log2 of the wordlist size for passphrases, and bytes times 8 for raw secrets. It does not check whether a password has leaked.

What does exclude ambiguous characters do?

It removes glyphs that are easy to confuse when read or typed, such as 0 and O, or 1, l and I. It slightly lowers the character set size but makes a password safer to transcribe by hand.

Can I generate many secrets at once?

Yes. Open the advanced panel and pick a batch size of 5, 10, 25 or 50. You can copy them all or download them as a .txt file, still entirely in your browser.
