Good for most accounts. Mix of uppercase, lowercase, digits and symbols.

High-entropy passwords for sensitive accounts, master passwords and secrets.

Each word capitalized, separated by dashes, with a 2-digit number appended.

Raw hex-encoded random bytes. Universally supported, easy to inspect.

URL-safe Base64 — replaces +/= with -_ with no padding. Safe in URLs, headers and JSON without escaping.

No ambiguous characters (0 O l I). Used by Bitcoin, IPFS and Stripe.

Letters and digits only — no symbols. Safe in any context without escaping.

HMAC-SHA256. Minimum recommended secret length. Suitable for most applications.

HMAC-SHA384. Stronger than HS256 with negligible performance difference.

Sufficient for most use cases. Fast on all hardware including devices without AES-NI.

Uncommon in practice but required by certain compliance standards (e.g. some NIST profiles).

The industry standard. Recommended for all new applications and long-term data protection.

Modern stream cipher. Preferred over AES on devices without hardware acceleration (e.g. mobile, IoT).

Randomly generated UUID. The standard choice for unique identifiers — universally supported across all databases and languages.

Like UUID v4 but with a millisecond timestamp prefix — monotonically sortable and index-friendly as a database primary key.

The recommended size per RFC 6238. Compatible with all TOTP apps. Pass this to your otpauth:// URI or QR code generator.

Higher entropy seed for use with TOTP-SHA256 or TOTP-SHA512 where supported. Check your library's documentation before using.

Public identifier for the OAuth client. Safe to expose in client-side code and redirect URIs.

Keep this server-side only. Never expose in client code, logs or version control.