One localStorage key only — Cookie Policy. No tracking.

🔐 SOP-07 — Unique Tool

Zero Transmission Proof Generator

Press F12 → Network → Clear
Generate → verify 0 requests

🔐 securekeygenerator.com — generator

Standard20 chars
Professional24 chars
Journalist32 chars
Air-Gap48 chars
Generate a password →
— bits entropy
Length
20
Characters

// privacy audit — live

real-time network audit
requests_made0
bytes_transmitted0
entropy_sourcecrypto.getRandomValues()
server_contactnone
localStorage_keys1 (skg-ck only)
cookies_set0
fingerprintingnone
analyticsnone
last generation
timestamp
length
pool_size
entropy_bits
threat_modelstandard
verification
Press F12 → Network → Clear
then generate to independently verify zero requests.
The audit panel cannot lie — the Network tab can't either.
// Why Secure Key Generator

Privacy by verification, not by promise

Every security claim on this site can be independently verified in your browser. No trust required.

🔬

Live network audit

The audit panel shows real-time request counts and bytes transmitted. Open DevTools to cross-reference — both will show zero during generation.

🎯

Threat model presets

Four presets from Standard (20 chars) to Air-Gap (48 chars), calibrated to realistic attack scenarios for each audience tier.

🔒

CSPRNG only

Exclusively uses crypto.getRandomValues() — the W3C Web Cryptography API backed by OS hardware entropy. Never Math.random().

🌍

Works on Tor Browser

Designed to function at Security Level Standard and Safer on Tor Browser. JavaScript required — no WebRTC or canvas fingerprinting.

// Standards Alignment

Compliance and standards reference

All presets exceed the requirements of every listed framework. Sources: NIST, NCSC, OWASP, CISA, EFF.

Framework / GuidanceMin LengthEntropy SourceRotationSKG Compliance
NIST SP 800-63B 202515 charsCSPRNG requiredSHALL NOT (prohibited)✓ Standard (20+)
NIST SP 800-90AApproved DRBG✓ crypto.getRandomValues()
NCSC Password GuidanceNo minimumMachine-generated preferredOn compromise only✓ All presets
OWASP Cryptographic StorageOS CSPRNG required✓ OS entropy source
CISA Secure by DesignSecure defaults✓ Zero-transmission default
EFF Surveillance Self-Defence6+ Diceware wordsPhysical or CSPRNGOn compromise✓ Journalist (32 chars ≈ 7+ words)
Freedom of the Press FoundationStrong randomCSPRNG or physical diceOn compromise✓ All presets with verification
// The Reality

Why privacy-first generation matters

81%
of breaches involve weak or stolen credentials
Verizon DBIR 2025
14B+
compromised passwords in breach databases
HaveIBeenPwned 2026
0
network requests made during generation — verifiable in DevTools
securekeygenerator.com
131
bits entropy — Standard preset (20 chars, full ASCII pool)
H = L × log₂(N)
// Recommended Tools

Privacy-respecting security tools

Affiliate disclosure: Some links earn commission at no cost to you. Only tools meeting our privacy standards are included. Full disclosure →

🗝️ KeePassXC (Local Only)

Open-source password manager with no cloud component. Database stays on your device. Zero metadata transmitted to any third party. Recommended for Tier 3+ users.

Download Free →

📡 Bitwarden (Self-Hosted)

Open-source, independently audited. Self-host on your own infrastructure for complete control over metadata. Cloud tier available for lower-threat users.

Get Bitwarden →

🛡️ YubiKey (Hardware 2FA)

FIDO2/WebAuthn hardware security key. Phishing-resistant — cannot authenticate on a fake site. Recommended by NCSC, EFF, and Freedom of the Press Foundation for high-threat users.

Shop YubiKey →
// About

Written by privacy researchers

The research and tools on this site are written by AY Tanoli, a privacy researcher and security consultant who has trained journalists, activists, and human rights workers in operational security across Europe, Southeast Asia, and the MENA region. Dr. Chen's work draws from EFF Surveillance Self-Defence, Freedom of the Press Foundation training materials, and NCSC guidance.

All technical claims are sourced from primary documents. The tool itself can be verified without trusting any claim — open DevTools and watch the network activity during generation.

About AY Tanoli →
// trust.verify()
zero_transmissionVerifiable in DevTools — not a claim, a proof.
csprng_sourcecrypto.getRandomValues() — OS hardware entropy.
no_analyticsZero tracking. Zero fingerprinting. Zero telemetry.
tor_compatibleWorks on Tor Browser at Standard and Safer levels.
uk_operatedKokal Operations Ltd, England & Wales, GDPR.

// portfolio

Specialist password tools for every audience and threat model.

bestpasswordgenerator.orgStrength visualiser 🌿freestrongpassword.comBeginner wizard instantpasswordgenerator.orgIT bulk generator 🔑ironvaultkeys.comEnterprise compliance 🔧randompasswordtool.comAPI simulator 🏦titanpasswords.comBanking-grade 👨‍👩‍👧safepassbuilder.comFamily safety 🛡️trustypassword.comAnti-phishing
// FAQ

Frequently asked questions

Open DevTools (F12), go to Network, clear entries, generate a password. You will see zero requests. The live audit panel also confirms this in real time. The password is generated by crypto.getRandomValues() in your browser only.
Standard (20 chars) for general accounts. Professional (24 chars) for business credentials and targeted attack risk. Journalist (32 chars) for high-threat users including journalists and activists. Air-Gap (48 chars) for credentials used on air-gapped systems or the highest-threat environments.
crypto.getRandomValues() from the W3C Web Cryptography API — backed by the OS CSPRNG. On Linux: /dev/urandom. On macOS: Fortuna. On Windows: CNG. This is the same entropy source used by security-critical applications and HSMs.
Yes. The generator works on Tor Browser at Security Level Standard and Safer. JavaScript must be enabled. The tool makes no requests that would reveal your identity — it loads once, then operates entirely client-side. For maximum privacy, load the page, disconnect from the network, generate your credential, then reconnect.
Yes — use the Journalist (32 chars) or Air-Gap (48 chars) preset. PGP passphrases should be memorised rather than stored in a cloud-synced manager. Verify zero-transmission via DevTools before generating. See our PGP passphrase guide →
Real-time counts of: network requests made, bytes transmitted, localStorage keys present, entropy source used, and cookie count. It updates live as you interact. A zero-transmission session shows 0 requests and 0 bytes transmitted at all times.
The NCSC recommends machine-generated random passwords stored in a password manager. The NCSC explicitly discourages mandatory periodic rotation without evidence of compromise. All presets align with NCSC length and randomness guidance. The tool's zero-transmission design goes beyond NCSC requirements by eliminating the server as a potential data point entirely.
crypto.getRandomValues() meets NIST SP 800-90A approved DRBG seeding requirements. 20+ character passwords exceed NIST SP 800-63B 2025 minimums and NCSC guidance. The privacy-by-design architecture aligns with CISA Secure by Design principles and UK ICO data minimisation guidance under UK GDPR.
For high-threat users, 32 characters provides a larger margin against future computing advances. At 20 characters the password is already computationally infeasible to crack — 32 ensures this remains true even with significant hardware improvements. The additional length costs nothing in a generated credential.
No. HTTPS encrypts transmission but the server still knows what was generated. The operator can log, sell, or be legally compelled to disclose generated passwords. Only client-side generation — verifiable via the Network tab — eliminates this risk. See our guide: zero-knowledge generation →
// Research

Privacy & security research

All research →