How We Build QuickUse Generator

Each generator implements a published standard or well-understood algorithm. We do not invent novel cryptographic schemes or undocumented heuristics. When we deviate from a strict reading of a spec (e.g. because the spec is ambiguous about an edge case), we document the deviation explicitly.

Test vectors come from the spec author (RFC examples, IETF errata, Receita Federal validation samples) when available. Unit tests in the codebase pin the byte-equal output against these reference vectors, so a future code change cannot silently break compliance.

For client-side generators (90%+ of the catalog), we use the Web Crypto API (crypto.getRandomValues, crypto.subtle) for any operation requiring cryptographic randomness or hashing. We never use Math.random() for security-sensitive output. The choice of source is documented per-generator on its page.

For data-format generators (CPF, CNPJ, fake credit card numbers, etc.) the output is always format-valid but corresponds to no real-world issuance. Test-data generators include a visible "for testing only" badge and a Terms reminder.

Generators that need unpredictable output (passwords, secrets, session tokens, random UUIDs) read from window.crypto.getRandomValues(), which the browser backs by an OS-level CSPRNG (Chrome: BoringSSL, Firefox: NSS, Safari: corecrypto). This is the same source NIST SP 800-90A recommends for general use.

For passwords specifically, we use rejection sampling against the chosen character set (no modulo bias). The configurable knobs (length, character classes, exclude-look-alikes) only affect the post-sampling filter, never the underlying source.

Passphrase generators use the EFF large wordlist (7,776 words selected for memorability) and Diceware-style indexing via cryptographically random integers. Entropy per word is log2(7776) ≈ 12.92 bits, so a 6-word passphrase is ~77.5 bits — comfortably above the NIST SP 800-63B recommendation of 80+ bits for high-value accounts.

We do not store, transmit, or log any generated value. The string you see in the textbox exists only in the JavaScript heap of your browser tab until you copy or close it.

CPF (Cadastro de Pessoas Físicas) — 11 digits with two check digits computed via modulus-11 over the first 9 digits. Algorithm published by Receita Federal in Instrução Normativa RFB 1.548/2015. Our validator implements the exact algorithm; our test-data generator produces format-valid CPFs that are not registered to any real person.

CNPJ (Cadastro Nacional da Pessoa Jurídica) — 14 digits with two check digits via a modified modulus-11 with weighted positions. Same source.

PIS/PASEP/NIT (Programa de Integração Social) — 11 digits with one check digit, modulus-11. Algorithm published by Caixa Econômica Federal.

For all three, we strip and re-add the conventional formatting (XXX.XXX.XXX-XX for CPF, XX.XXX.XXX/XXXX-XX for CNPJ, XXX.XXXXX.XX-X for PIS) so the output is copy-paste-ready into forms that expect either raw or formatted input.

UUID — RFC 4122. We generate v4 (random) by default and offer v1 (timestamp+MAC) and v7 (Unix epoch + random) as options. The MAC for v1 is randomized per generation (the spec allows this and it avoids leaking your hardware address). v7 is the modern choice for database keys because it sorts lexicographically by creation time.

QR Code — ISO/IEC 18004:2015 with Reed-Solomon error correction. We support all four error-correction levels (L, M, Q, H) and let you choose. The matrix is computed in your browser using a vendored JS implementation that we test against the official ISO sample bit patterns.

Base64 — RFC 4648. Standard and URL-safe variants. Encoding and decoding are pure functions; no padding tricks, no whitespace quirks.

Hash functions (SHA-1, SHA-256, SHA-384, SHA-512) — FIPS 180-4 via the Web Crypto API (crypto.subtle.digest). MD5 is not exposed because it is cryptographically broken; we link to the spec page explaining why.

Bugs happen. When we find one (or you report one), we patch the generator, add a test vector that catches the bug, and update the affected page with a "Last updated" date. For bugs that may have affected user-visible output (e.g. a generator that emitted an invalid CPF check digit), we add a banner at the top of the page explaining the issue and the date it was fixed.

The git history of the project is open at github.com/thiagojb1975/quickusegenerator — you can audit every change against this methodology.