Is PGP Tool safe to use?

Yes. PGP Tool runs 100% in your browser — no data is ever sent to a server. All encryption and decryption happens client-side using openpgp.js. The code is open source under MIT license.

Can I use PGP Tool offline?

Yes. PGP Tool is a Progressive Web App (PWA) that works fully offline once installed. Enable air-gap mode to disable all network requests for maximum security.

What encryption algorithms does PGP Tool support?

PGP Tool supports RSA (2048–4096 bit) and ECC (Curve25519, P-384) for PGP key generation, AES-256-GCM for symmetric encryption and secure paste, and PBKDF2 with SHA-256 for key derivation.

How does the password generator work?

The password generator uses the browser's crypto.getRandomValues() API for cryptographically secure randomness. It supports random character passwords (6–128 chars) and EFF-wordlist passphrases (3–10 words). No passwords are stored or transmitted.

How does Secure Paste work without a server?

Secure Paste encodes the paste content directly into the URL fragment (after the # symbol). Optionally, content is encrypted with AES-256-GCM before encoding. The URL IS the paste — no server or database is involved.

How random is the output?

It comes from crypto.getRandomValues(), the same browser primitive used by WebCrypto for key generation. Cryptographically secure, suitable for password use.

How long should my password be?

For random characters: at least 14, 20+ for high-value accounts. For passphrases: 5+ words minimum, 6 words for high-value. The strength tester shows entropy in bits — aim for 80+.

Why exclude ambiguous characters?

When a password has to be typed by humans (router setup, phone OTP, written down), ambiguous pairs (l/1, O/0, I/i) cause errors. Excluding them costs a tiny bit of entropy but cuts typing-mistake rate dramatically.

Are generated passwords stored?

No. They live in the page until you close the tab or click reset. There is no history, no log, no analytics on what was generated.

Why use passphrases instead of random characters?

Equal-strength passphrases are dramatically easier to remember and type. A 6-word EFF passphrase ("correct-horse-battery-staple-foo-bar") has more entropy than a 12-character random password and never requires looking it up.

Generate strong passwords and passphrases

Cryptographically random passwords (6–128 chars) and EFF-wordlist passphrases (3–10 words). No data stored, no patterns leaked.

Strong passwords come from real entropy, not human imagination. The Password Generator uses crypto.getRandomValues() — the browser's CSPRNG — to produce passwords that are uniformly random across the chosen character set. Length, character classes, and exclusion of ambiguous characters (l/1, O/0) are all configurable.

Passphrase mode uses the EFF Long Wordlist: a curated 7,776-word list designed for memorable, high-entropy passphrases. Pick 3–10 words, choose a separator, optionally capitalize and add a number. A 6-word passphrase has roughly 77 bits of entropy — comparable to a 13-character random password but vastly easier to type.

Generate up to 20 candidates at once, reveal/blur to compare them, and copy individually or all at once. Nothing is stored — close the tab and the candidates are gone.

Frequently asked questions

How random is the output?: It comes from crypto.getRandomValues(), the same browser primitive used by WebCrypto for key generation. Cryptographically secure, suitable for password use.
How long should my password be?: For random characters: at least 14, 20+ for high-value accounts. For passphrases: 5+ words minimum, 6 words for high-value. The strength tester shows entropy in bits — aim for 80+.
Why exclude ambiguous characters?: When a password has to be typed by humans (router setup, phone OTP, written down), ambiguous pairs (l/1, O/0, I/i) cause errors. Excluding them costs a tiny bit of entropy but cuts typing-mistake rate dramatically.
Are generated passwords stored?: No. They live in the page until you close the tab or click reset. There is no history, no log, no analytics on what was generated.
Why use passphrases instead of random characters?: Equal-strength passphrases are dramatically easier to remember and type. A 6-word EFF passphrase ("correct-horse-battery-staple-foo-bar") has more entropy than a 12-character random password and never requires looking it up.