Password Generator
Cryptographically secure passwords generated entirely in your browser.
Safe Password
16 charsGood for most accounts. Mix of uppercase, lowercase, digits and symbols.
Strong Password
32 charsHigh-entropy passwords for sensitive accounts, master passwords and secrets.
Database Password
32 chars · connection-string safeExcludes characters that break connection strings: ' " ; \ space
Passphrase Generator
Random words combined into a phrase that's easy to remember, hard to crack.
Passphrase
4 words · with numberEach word capitalized, separated by dashes, with a 2-digit number appended.
API Key Generator
Cryptographically secure API keys in every common format.
Hex
256-bit · 64 charsRaw hex-encoded random bytes. Universally supported, easy to inspect.
Base64
256-bit · 32 bytesURL-safe Base64 — replaces +/= with -_ with no padding. Safe in URLs, headers and JSON without escaping.
Base58
256-bit · ~44 charsNo ambiguous characters (0 O l I). Used by Bitcoin, IPFS and Stripe.
Alphanumeric
256-bit · 43 charsLetters and digits only — no symbols. Safe in any context without escaping.
Prefixed Key
custom prefix · 256-bitAdd a prefix like sk_live_ or pk_test_ to any format.
JWT Secret Generator
Secure HMAC signing secrets for HS256, HS384 and HS512 — URL-safe Base64 encoded.
HS256
256-bit · 32 bytes · 43 charsHMAC-SHA256. Minimum recommended secret length. Suitable for most applications.
HS384
384-bit · 48 bytes · 64 charsHMAC-SHA384. Stronger than HS256 with negligible performance difference.
HS512
512-bit · 64 bytes · 86 charsHMAC-SHA512. Maximum strength HMAC secret. Recommended for high-security tokens and long-lived credentials.
Encryption Key Generator
Symmetric encryption keys and IVs/nonces, hex-encoded and ready to use.
AES-128
128-bit · 16 bytes · 32 hex charsSufficient for most use cases. Fast on all hardware including devices without AES-NI.
AES-192
192-bit · 24 bytes · 48 hex charsUncommon in practice but required by certain compliance standards (e.g. some NIST profiles).
AES-256
256-bit · 32 bytes · 64 hex charsThe industry standard. Recommended for all new applications and long-term data protection.
ChaCha20
256-bit · 32 bytes · 64 hex charsModern stream cipher. Preferred over AES on devices without hardware acceleration (e.g. mobile, IoT).
IV / Nonce
AES-GCM Nonce
96-bit · 12 bytes · 24 hex charsStandard nonce size for AES-GCM. Must be unique per encryption with a given key — never reuse.
AES-CBC IV
128-bit · 16 bytes · 32 hex charsInitialisation vector for AES-CBC mode. Must be random and unpredictable for each message.
ChaCha20 Nonce
96-bit · 12 bytes · 24 hex charsNonce for ChaCha20-Poly1305. Like AES-GCM, uniqueness per key is critical to security.
NanoId & UUID
Modern random identifiers — compact, URL-safe and time-sortable.
UUID v4
128-bit · RFC 4122Randomly generated UUID. The standard choice for unique identifiers — universally supported across all databases and languages.
UUID v7
128-bit · time-ordered · RFC 9562Like UUID v4 but with a millisecond timestamp prefix — monotonically sortable and index-friendly as a database primary key.
NanoID
21 chars · URL-safeThe modern alternative to UUID. Uses A-Za-z0-9_- — safe in URLs, filenames and HTML attributes without encoding.
TOTP / 2FA Secret
Base32-encoded seeds for Google Authenticator, Authy and any RFC 6238 TOTP app.
TOTP Secret (160-bit)
20 bytes · RFC 6238 standardThe recommended size per RFC 6238. Compatible with all TOTP apps. Pass this to your otpauth:// URI or QR code generator.
TOTP Secret (256-bit)
32 bytes · higher entropyHigher entropy seed for use with TOTP-SHA256 or TOTP-SHA512 where supported. Check your library's documentation before using.
OAuth Credentials
Matched client ID and secret pairs — each row across both columns is a single credential pair.
Client ID
32 chars · alphanumericPublic identifier for the OAuth client. Safe to expose in client-side code and redirect URIs.
Client Secret
256-bit · 64 hex charsKeep this server-side only. Never expose in client code, logs or version control.
Hashing Salts
Random salts for password hashing algorithms — hex-encoded and ready to use.
bcrypt
128-bit · 16 bytes · 32 hexFor implementations requiring an explicit salt. Most bcrypt libraries generate this automatically — check yours before using.
Argon2
128-bit · 16 bytes · 32 hexRecommended minimum salt for Argon2i and Argon2id. Pass directly to your Argon2 hashing call as the salt parameter.
PBKDF2
256-bit · 32 bytes · 64 hexRecommended salt length for PBKDF2-SHA256 and PBKDF2-SHA512 per NIST SP 800-132.
About RandomKeys.net
What this tool is, how it works, and why it's built the way it is.
RandomKeys.net is a free tool for generating secure passwords, keys, and secrets — directly in your browser. Nothing you generate ever leaves your device. There's no server processing your requests, no account needed, and nothing is logged. You generate it, you copy it, and that's the end of it.
Why does it matter that it's client-side?
Most online generators work by asking a server to create a value and send it back to you. That means the server knows what was generated — and if that server's logs are ever exposed, so are your keys.
RandomKeys.net doesn't work that way. Your browser generates everything locally, using built-in cryptographic functions that come with every modern browser. The server only delivers the webpage — after that, it's completely out of the picture.
Is it actually random?
Yes — and specifically, it's cryptographically random, which is the kind that matters for security.
Normal random number generators (like the ones used in games or simulations) follow predictable patterns if you know enough about their starting state. That's fine for rolling dice in a game, but completely unsuitable for passwords and keys.
Every value on this site is generated using your browser's crypto API, which draws randomness from your operating system's entropy pool — the same source your computer uses for things like generating TLS certificates and SSH keys. It cannot be predicted or reverse-engineered.
The tools
Password Generator
Three password profiles for different situations:
- Safe (16 characters) — a solid everyday password for web accounts, dashboards, and services. Uses letters, numbers, and symbols.
- Strong (32 characters) — same character set but twice the length. Good for service accounts, shared admin credentials, or anything stored in a password manager.
- Database (32 characters) — same strength as Strong, but strips out characters that tend to break database connection strings and config files: single quotes, double quotes, semicolons, and backslashes. You can paste these straight into a
.envfile without any escaping.
Passphrase Generator
Instead of a random string of characters, a passphrase is a sequence of ordinary words — like Amber-Glacier-Falcon-Rivet-63.
They're easier to remember and type, while still being very hard to guess. A 5-word passphrase from a 1,000-word list has roughly the same security strength as a random 8-character password — but most people find it far less painful to deal with. A number is always appended to satisfy the "must contain a digit" requirement that many systems enforce. You can adjust the word count using the slider.
API Key Generator
Generates 256-bit random keys in four different formats — same underlying randomness, different encoding:
- Hex — plain hexadecimal. Long but completely unambiguous. Good for config files and environment variables.
- Base64 URL-safe — a shorter encoding that's safe to use in URLs and HTTP headers without any special escaping.
- Base58 — avoids characters that look similar to each other (
0vsO,1vsl). Useful anywhere a human might need to read or type the key. - Alphanumeric — letters and numbers only, no symbols. Works in any system that doesn't handle special characters well.
You can also add a custom prefix — like sk_ or pk_live_ — which is useful for identifying key types at a glance.
JWT Secret Generator
JSON Web Tokens (JWTs) need a secret key to sign them. This is what proves a token hasn't been tampered with. The three options here — HS256, HS384, and HS512 — correspond to the three HMAC signing algorithms available, with increasing key sizes (32, 48, and 64 bytes respectively).
The secret lives on your server and should never be exposed in client-side code. If someone gets hold of it, they can forge tokens.
Encryption Key Generator
If you need to encrypt data at rest or in transit, you need two things: a key and an IV (Initialisation Vector) or nonce. The key is the secret; the IV ensures that encrypting the same data twice produces different output, so patterns can't be detected. Four algorithm options are available:
- AES-128-GCM — fast and widely supported. Good for internal applications and lower-sensitivity data.
- AES-192 — middle-ground, mostly seen in compliance-heavy environments.
- AES-256-GCM — the current industry standard. Use this unless you have a specific reason not to.
- ChaCha20-Poly1305 — a modern alternative to AES. Often used in mobile apps and on devices where AES hardware acceleration isn't available.
Each generated key comes paired with a matching IV or nonce — ready to use together.
NanoID & UUID Generator
Three formats for generating unique identifiers:
- UUID v4 — the classic. A 128-bit random ID in the familiar
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxformat. Universally supported and a safe default for most use cases. - UUID v7 — a newer version that includes a timestamp in the ID itself. Because v7 UUIDs sort in the order they were created, they're much friendlier to database indexes than v4's fully random values. Worth using for new projects where database performance matters.
- NanoID — a compact 21-character alternative to UUIDs. URL-safe, shorter, and increasingly popular for IDs that appear in URLs, filenames, or distributed systems.
TOTP / 2FA Secret Generator
When you set up two-factor authentication on a service, the app on your phone (Google Authenticator, Authy, etc.) gets shared a secret key. That's what these are — the seed that both your server and the authenticator app use to generate matching 6-digit codes.
Two sizes are available: 160-bit (the most common, works with all authenticator apps) and 256-bit (stronger, supported by most modern apps). These secrets should be treated like passwords — store them encrypted, never log them, and don't put them in client-side code.
OAuth Credentials Generator
Generates a matched pair of Client ID and Client Secret for OAuth 2.0 server-to-server authentication. The Client ID identifies which application is making the request; the Client Secret proves it's actually that application and not someone pretending.
The Client ID is a clean 32-character alphanumeric string. The Client Secret is a 256-bit random value in hex — strong enough to use as a signing key.
Hashing Salts Generator
When you store a password, you don't store it as-is — you hash it first. A salt is a random value added to the password before hashing, so that two users with the same password end up with completely different hash values in your database. This makes bulk cracking attacks much harder. Three sizes are provided to match standard recommendations:
- bcrypt — 16 bytes
- Argon2 — 16 bytes (the current recommended choice for new systems)
- PBKDF2 — 32 bytes
Privacy
No tracking, no cookies, no personal data collected. Aggregate page-view stats are gathered via Cloudflare Web Analytics — the same Cloudflare that serves the site — which counts visits without identifying individual users. Nothing you generate here is ever transmitted anywhere.