Random String Generator
Generate cryptographically secure random strings — hex, base62, alphanumeric, custom charsets
You need 20 unique API tokens, each 32 characters of hex. Or 100 alphanumeric session IDs with a sess_ prefix. Or a batch of base62 short codes for a URL shortener. Writing a generation script every time is repetitive. You need a configurable random string generator with crypto-quality randomness.
Why Cryptographic Randomness Matters for Strings
Predictable strings are a security vulnerability. If an attacker can guess your session tokens, API keys, or verification codes, they can hijack sessions, access APIs, or bypass email verification. Math.random() is a PRNG — its output can be reverse-engineered from a few observed values.
This tool uses the Web Crypto API (crypto.getRandomValues()) which provides entropy from the operating system’s secure random source. Combined with rejection sampling to eliminate modulo bias, every character in the output is uniformly distributed.
Character Set Options
| Preset | Characters | Pool Size |
|---|---|---|
| Alphanumeric | A–Z, a–z, 0–9 | 62 |
| Hex (lowercase) | 0–9, a–f | 16 |
| Hex (uppercase) | 0–9, A–F | 16 |
| Base62 | A–Z, a–z, 0–9 | 62 |
| Base64 URL-safe | A–Z, a–z, 0–9, -, _ | 64 |
| ASCII printable | All printable ASCII (32–126) | 95 |
| Custom | Any characters you specify | Variable |
Entropy Calculation
The entropy of a random string depends on its length and the character pool size:
Entropy (bits) = length × log₂(pool size)
For example, a 32-character hex string: 32 × 4 = 128 bits of entropy. A 22-character base62 string: 22 × 5.95 ≈ 131 bits. Both are strong enough for most security applications.
The tool displays the entropy of your configuration so you can verify it meets your security requirements.
Common Use Cases
API tokens and secrets. 32–64 character hex or base62 strings with 128–256 bits of entropy. Add a prefix like sk_live_ to make tokens self-documenting.
Session identifiers. 22+ character base62 strings are compact yet have sufficient entropy to prevent brute-force guessing even at billions of attempts per second.
URL shortener codes. 6–8 character base62 codes give 36–48 bits of entropy — enough for millions of unique URLs while staying short enough for humans to share.
Verification codes. 6-digit numeric codes for email or SMS verification. Short-lived, so lower entropy is acceptable.
Test data. Generate random filenames, user IDs, or placeholder text for unit tests and staging environments.
Privacy
All string generation runs entirely in your browser. No strings, settings, or metadata are transmitted to any server. You can verify this by monitoring the network tab — zero outbound requests during generation.
Frequently Asked Questions
What is the maximum string length? The tool supports strings up to 10,000 characters. For most applications (tokens, keys, IDs), 32–128 characters is more than sufficient.
Can I add a prefix or suffix to generated strings?
Yes. Set a prefix like sk_ or token_ and it will be prepended to every generated string. The random portion maintains its full entropy.
How many strings can I generate at once? Bulk mode supports up to 1,000 strings per generation. Results can be copied as a newline-separated list.
Is this safe for generating database primary keys? Random strings work as primary keys but consider the trade-offs: they prevent enumeration attacks but cause index fragmentation in B-tree databases. UUID v7 or ULID may be better choices for sortable, random primary keys.
What is rejection sampling? Rejection sampling discards random values that would cause some characters to appear more frequently than others (modulo bias). It ensures every character in the pool has exactly equal probability of being selected.