Boltkey

What Boltkey does

Boltkey generates passwords, passphrases, and PINs entirely in your browser using its built-in randomness. Nothing is sent to any server, stored anywhere, or tracked in any way.

How it works

All randomness comes from crypto.getRandomValues(), an unpredictable source built into your browser. It draws randomness from your computer's physical processes -- noise that can't be predicted or reproduced. Boltkey uses rejection sampling to eliminate bias, ensuring every character is uniformly random.

Passphrases use the EFF Diceware word list -- 7,776 words, the standard for generating memorable, high-strength passphrases.

Privacy & data practices

Boltkey collects no user data. There are no data practices to disclose.

• No data is stored -- not in cookies, localStorage, session storage, or IndexedDB
• No data sent to external servers after the page loads
• No analytics, fingerprinting, or tracking scripts of any kind
• No third-party code, no CDN resources, no external requests
• No accounts or settings to manage
• The server logs standard HTTP access logs (IP, timestamp, path) for operational purposes. These are not correlated with any user activity within the app and are rotated automatically

The entire application runs client-side. Your generated passwords exist only in your browser's memory until you navigate away or close the tab. The clipboard is the only place a password goes when you copy it, and that is under your operating system's control, not ours.

Verify it yourself. Open your browser's developer tools, check the Network tab. After the initial page load: zero external requests. Everything stays on your device.

Service presets

Boltkey ships with presets for major services -- Google, Apple, banks, social media -- that auto-configure password rules to match each service's requirements. No more guessing which symbols are allowed or what the maximum length is. Browse all password rules.

These presets are maintained on a best-effort basis. Services change their password rules without notice, and Boltkey may not always reflect the latest requirements. If a generated password is rejected by a service, switch to Custom mode and adjust.

All service names and trademarks mentioned on this site belong to their respective owners. Boltkey is not affiliated with, endorsed by, or sponsored by any of them.

Fine print

Boltkey is a free tool provided as-is, without warranty of any kind. While the generator uses cryptographically secure randomness and displays entropy-based strength estimates, no software can guarantee absolute security. Password strength depends on factors beyond generation -- how you store it, where you use it, whether the service itself has been compromised.

Crack-time estimates assume offline brute-force attacks at 10 billion guesses per second. Real-world security depends on the attacker's resources, the hashing algorithm used by the service, and whether your password appears in known breach databases. Advancements in specialized hardware or AI-assisted cracking may significantly reduce these estimates over time. These numbers are useful comparisons, not promises.

The author and contributors are not liable for any damages arising from the use of this tool. You are responsible for your own password security.