About Passkey
A simple tool built around one idea: your passwords should never touch a server.
How it works
Every password is generated entirely in your browser using crypto.getRandomValues() — the Web Cryptography API built into every modern browser. This is the same source of randomness your browser uses when establishing a secure HTTPS connection.
No request is made to any server. No analytics, no logging, no tracking. The page loads once and works entirely offline after that. You can save it to your desktop and open it with no internet connection.
Password vs. passphrase
Both are strong, but they work differently. A password draws from a large character set (95 printable ASCII characters) to pack maximum entropy into a short string. A passphrase chains random dictionary words — longer, easier to type, and easier to remember, with entropy that grows with each word added.
A 4-word passphrase from a 600-word dictionary gives ~36 bits of entropy. A 16-character password with all character types gives ~105 bits. For most accounts, either is more than sufficient; the best password is one you'll actually use correctly.
What makes a password strong?
Strength comes from entropy — how many possible values an attacker would need to try. Length matters more than complexity: a 20-character lowercase-only password is harder to crack than a 10-character password with symbols. Adding character types helps, but adding length helps more.
The strength meter on Passkey shows entropy in four bands, calculated from your settings, not from common patterns or word lists.
Should I use a password manager?
Yes. Passkey is a generator, not a vault. Use it alongside a password manager like Bitwarden (open source, free), 1Password, or your browser's built-in manager. Generate a strong password here, copy it, save it in your manager.
Is my password sent to your server?
+
No. Passwords are generated in your browser using the Web Cryptography API. No network request is made at any point during generation. You can verify this by opening your browser's network inspector while using the tool.
How random is "cryptographically random"?
+
crypto.getRandomValues() draws from your operating system's entropy pool — the same source used to generate TLS session keys. It is not predictable from prior outputs and is suitable for cryptographic use. This is fundamentally different from Math.random(), which many sites use and which is not cryptographically secure.
What's the difference between a password and a passphrase?
+
A password is a short string of random characters — hard to guess, hard to read, hard to type. A passphrase is a sequence of random words — longer in characters but easier to type and remember. Both are generated randomly, so both are strong. Passphrases are particularly useful for master passwords you need to type regularly.
How long should my password be?
+
For most accounts: 16 characters with mixed types is strong today and will remain so for the foreseeable future. For high-value accounts (email, banking, password manager master password): 20+ characters or a 5+ word passphrase. The strength meter on the generator shows the entropy of your current settings.
Why do you skip ambiguous characters?
+
Characters like 0 (zero) and O (capital o), or l (lowercase L) and I (capital i) and 1 (one) are visually identical in many fonts. If you ever need to read a password aloud or type it manually, these create errors. Enabling "skip ambiguous characters" removes them from the pool so every character is unambiguous — at a small entropy cost.
Does Passkey work offline?
+
After the first load, yes. All generation logic runs locally. If you save the page files to your computer, it works with no internet connection at all. The only external resource is the Inter and JetBrains Mono fonts loaded from Google Fonts — those load from cache after the first visit.
Can I use Passkey on mobile?
+
Yes. The site is responsive and works on any modern mobile browser. The Web Cryptography API is fully supported on iOS Safari and Android Chrome.