Password Tool


JWT Secret Generator

Generate a 64-character URL-safe JWT signing secret locally and learn how HMAC key length, environment variables, secret managers, and key rotation affect deployment security.

Generated locally · never uploaded or saved


Transparent local analysis

Randomness and character distribution

This chart summarizes the current generated batch without exposing its password text. A small sample cannot prove random-number quality.


The ceiling assumes the selected generator model is uniform. It is not a guarantee for a reused, human-chosen, or exposed password.

Local security workspace

Session-only generation history and export

This panel keeps only batch metadata in session storage. Password text stays in memory and is exported only if you explicitly choose it.

Warning: exported files may contain sensitive passwords. Save them only in a trusted location.


Local security check

Password crack time estimator

See how common words, patterns, and length affect an estimated attack time.

Evaluated only in this browser. Never uploaded, logged, or saved.


Compare four attack scenarios

  • Online, rate limited (100/hour)
  • Online, no rate limit (10/second)
  • Offline, slow hash (10,000/second)
  • Offline, fast hash (10 billion/second)

Estimate only—not a guarantee. Actual time depends on password storage, hashing cost, attacker hardware, and whether the password is reused or exposed.

About this generator

This preset creates a URL-safe high-entropy value for HMAC JWT signing. It is a developer secret, not a user password, and it never leaves this browser.

This preset starts with url-safe mode and generates 10 independent results at a time. Every visible setting remains adjustable, and generated values are not sent to PwdGen.

When to use it

  • Creating a new credential for this specific use case
  • Replacing a reused or weak password
  • Generating values locally before secure storage

Alphabet size, entropy, and brute-force assumptions

The theoretical entropy ceiling is calculated as H = L × log2(A), where L is the generated length and A is the number of currently permitted characters.

Length | Alphabet | Search space | Entropy ceiling | Average at 10 billion guesses/s
64     | 64       | 64^64        | 384.0 bits      | 6.24e97 years

Important: these are mathematical estimates for uniformly random values. Required positions, restricted counts, repeated passwords, dictionary patterns, leaked credentials, and real password-hashing costs can change the result substantially. The figure is not a security guarantee.

JWT signing-secret deployment guidance

For HS256, use at least 256 bits of uniformly random key material. HS384 and HS512 use different SHA-2 output sizes, but choosing a longer algorithm does not repair weak verification, leaked keys, or algorithm-confusion bugs.

Equivalent terminal and Node.js generation

Terminal:

    openssl rand -hex 32

Node.js:

    import { randomBytes } from 'node:crypto';

    const jwtSecret = randomBytes(32).toString('hex');

Storage and rotation

  • Keep signing keys out of Git, frontend bundles, URLs, analytics, and application logs.
  • Use a secret manager, Vault, KMS, or protected environment variable.
  • Use a controlled kid strategy when rotating keys.
  • Choose RS256 or ES256 when verifiers should hold only a public key.

Hex, Base64, and Base64URL are encodings—not encryption. The security comes from the random bytes and how the signing key is protected.

How to use the result safely

  1. Check the destination’s current password rules
  2. Use a unique result and enable MFA where available
  3. Store recovery codes separately from the password

Important limitation: A generated value cannot fix algorithm confusion, client-side key exposure, weak verification, or unsafe secret distribution. Prefer managed keys and asymmetric signing when the architecture requires it.

Generation and privacy method

The preset uses the browser Web Crypto API for random selection. Regenerating, changing settings, selecting, and copying results do not send generated credentials to PwdGen. The password crack-time estimator also runs locally and is an estimate, not a guarantee.

JWT Secret Generator FAQ

How long should an HS256 JWT secret be?

Use at least 256 bits of uniformly random key material for HS256. This page generates a 64-character Base64URL-alphabet value, which provides a larger theoretical search space when generated uniformly.

Should a JWT secret be stored in an environment variable?

An environment variable is safer than source code but can still leak through process inspection, logs, or deployment tooling. A managed secret store or KMS is preferable for production systems.

When should I use RS256 or ES256 instead of HMAC?

Use asymmetric signing when verifiers should not possess the private signing key or when multiple services need public-key verification. Protect the private key and rotate keys with a controlled key identifier strategy.