Generate a
32-character
password

For credentials that machines use, not humans. API keys, database passwords in app configs, server-to-server authentication tokens, CI/CD secrets — these are never typed by hand. At 32 characters, you're generating a credential with the same mathematical strength as a cryptographic key, which is exactly what it is.

Mathematically yes — 64 characters is vastly larger than 32 in terms of search space. Practically, both exceed any known or theoretical cracking ability by an enormous margin. The difference matters for very long-lived secrets and in environments where you're modelling against future quantum or algorithmic advances.

Functionally, very little. An API key is typically a cryptographically random string of 32-64 characters — which is exactly what our generator produces. The difference is usually in formatting (API keys often use Base64 or hex encoding) and in how they're managed (API keys are issued by the service; passwords are chosen by the user).

Yes, for any account that supports it — and most modern sites do. Your password manager will handle the autofill transparently, so the length is invisible to you in daily use. Using 32 characters for high-value accounts like your email or banking is a perfectly reasonable choice.

We use the Web Crypto API's crypto.getRandomValues() function — the same source of randomness used to generate TLS session keys in your browser. This is a CSPRNG (Cryptographically Secure Pseudorandom Number Generator) seeded by your OS's entropy pool, which is continuously fed by hardware events. It's as random as anything short of a hardware random number generator.