Salt & IV Generator

Generate cryptographically secure random bytes for salts, initialization vectors (IVs), nonces, and keys. All values are generated locally in your browser.

Quick-Use Presets:

Output:

Click Generate to create random bytes...

Cryptographic Randomness

This tool uses crypto.getRandomValues(), which provides cryptographically strong random values backed by your operating system's entropy source. Unlike Math.random(), these values are suitable for security-sensitive operations.

Salts vs IVs vs Nonces

Salts are random data added to passwords before hashing to prevent rainbow table attacks. IVs (Initialization Vectors) ensure identical plaintext encrypts differently each time. Nonces (number used once) guarantee uniqueness in cryptographic protocols. All three must be randomly generated and never reused.

Keyboard Shortcuts:

  • Ctrl/Cmd + Enter - Generate new random values

Privacy: All random values are generated locally using the native crypto.getRandomValues() API. No data is sent to any server. Values are generated entirely in your browser.

About Salts, IVs, and Nonces

Cryptographic salts, initialization vectors (IVs), and nonces are random values used in encryption and hashing to ensure security. They prevent attackers from exploiting patterns in encrypted or hashed data, making each operation produce unique output even when the input is identical.

What Are They?

  • Salt - Random data concatenated with a password before hashing, preventing rainbow table and precomputation attacks
  • IV (Initialization Vector) - Random value used with an encryption key so identical plaintexts encrypt to different ciphertexts
  • Nonce (Number Used Once) - A unique value ensuring a cryptographic operation is never repeated with the same key
  • Key - Secret random bytes used as the encryption or HMAC key itself

Common Sizes & Use Cases:

  • 8 bytes - Minimum salt size for password hashing
  • 12 bytes - IV for AES-GCM (required size)
  • 16 bytes - IV for AES-CBC, general-purpose salts (128 bits)
  • 24 bytes - Extended nonces (e.g., XChaCha20)
  • 32 bytes - 256-bit keys, HMAC secrets, API tokens
  • 64 bytes - 512-bit values for extra security margin

Why Cryptographic Randomness Matters

Not all random number generators are suitable for security. Math.random() in JavaScript uses a pseudo-random number generator (PRNG) that is fast but predictable. An attacker who knows the internal state can predict future outputs. This tool uses crypto.getRandomValues(), which draws entropy from your operating system's cryptographically secure random number generator (CSPRNG), making the output unpredictable and suitable for security-sensitive operations.

Salt vs IV vs Nonce - Key Differences:

Salt: Used in password hashing (bcrypt, scrypt, Argon2). Must be unique per password but does not need to be secret. Stored alongside the hash for later verification.

IV: Used in block cipher modes (AES-CBC, AES-GCM). Must be unpredictable for CBC mode and unique for GCM mode. Transmitted alongside the ciphertext.

Nonce: Used in stream ciphers and authenticated encryption. Must never be reused with the same key. Can be a counter or random value depending on the algorithm.

Security Best Practices: Never reuse an IV or nonce with the same encryption key - this can completely break the security of your encryption. Always generate a fresh random value for each encryption operation. For password hashing, always use a unique salt per user. Store salts and IVs alongside the encrypted/hashed data - they do not need to be secret, only unique.