Random String Generator
Generate random strings with custom length, character sets (letters, digits, symbols, hex). For passwords, tokens, IDs.
What is a Random String Generator?
A Random String Generator produces cryptographically secure random sequences of characters with customizable length, character sets, and exclusions. Uses the browser's crypto.getRandomValues() API — the same secure random source used by SSL/TLS, password managers, and security-critical applications. Essential for: generating strong passwords, API tokens, session identifiers, database primary keys (alternatives to incremental IDs that leak data), salt values for password hashing, JWT secret keys, OAuth client secrets, test fixtures, invite codes. Six character set options (lowercase, uppercase, numbers, symbols, hex only, exclude ambiguous) cover every use case from simple human-readable codes to maximum-entropy security keys.
How to use this tool
- Set length — 16-32 chars typical for passwords; 32+ for security keys/tokens.
- Set count — 1 for single string; 5-50 for batch generation.
- Choose character sets — Lowercase, uppercase, numbers, symbols — check what you need.
- Optional: hex only or exclude ambiguous — Hex for binary tokens; exclude 0/O 1/l for printed/spoken passwords.
- Click Generate — Random strings appear — copy single or all.
Character sets and entropy
Entropy per character (bits):
- Lowercase only (26): 4.7 bits/char
- Lowercase + uppercase (52): 5.7 bits/char
- Lowercase + uppercase + numbers (62): 6.0 bits/char
- All sets including symbols (94): 6.6 bits/char
- Hex (16): 4.0 bits/char
Recommended lengths:
- Personal password: 16+ chars all sets = 105+ bits entropy
- API token: 32+ alphanumeric chars = 192+ bits entropy
- Session token: 64 random bits minimum (16 hex chars)
- JWT secret key: 256 bits (32 bytes random)
Why crypto.getRandomValues()?
Math.random() is predictable (uses PRNG with known state). crypto.getRandomValues() taps OS entropy sources (mouse movements, network jitter, hardware random) — cryptographically secure. Required for security-sensitive use.
Examples
- Strong password: 16 chars, all sets = 'Kj9!@mN4&pQv7#Z2'
- API key: 32 chars alphanumeric = 'j9k2P4mQ8rT5vW7xY3zA6bC1dE0fG4h2'
- Hex secret: 64 hex chars = 256 bits of entropy
- Database UUID alternative: 22 chars alphanumeric = unique enough for trillions of records
- Invite code: 8 chars uppercase only (exclude 0/O) = friendly to type
- Salt for password hashing: 16 random bytes (32 hex chars)
Tips & best practices
- For passwords: 16+ chars, all sets enabled, store in password manager
- For API tokens: 32+ chars alphanumeric — long, copy-pasteable, no symbols that need escaping
- Enable 'Exclude ambiguous' when password will be spoken/printed (avoids 0/O, 1/l confusion)
- For hex tokens: each char = 4 bits, so 32 hex chars = 128 bits
- Save generated strings IMMEDIATELY — can't recover them later
- Use different secrets for different services — don't reuse
- Verify your storage encrypts secrets at rest (don't store in plain text files)
Limitations & notes
Generated strings are random — if you lose them, you can't reproduce them. Tool doesn't store anything (privacy & security feature). For deterministic random (same seed = same output), need different tool. crypto.getRandomValues() in some older browsers may have entropy issues — modern browsers (Chrome, Firefox, Safari, Edge) are reliable.
Frequently Asked Questions
Is this random truly random?
Yes — uses crypto.getRandomValues() which taps OS entropy sources. Cryptographically secure. Same standard used by SSL/TLS, secure password managers.
How long should my password be?
16+ characters with mixed character sets. Each additional character roughly doubles security against brute force. For high-value accounts (banking, email), use 20-24 characters.
Why exclude ambiguous characters?
0/O (zero/oh) and 1/l/I look similar in many fonts. Confusing when typing or reading printed passwords. For digital-only passwords, no need to exclude — you copy-paste.
Is hex enough for security?
Hex limits to 16 chars (0-9, a-f) = 4 bits per char. 32 hex chars = 128 bits. 64 hex chars = 256 bits. For modern cryptographic use, 256 bits (64 hex chars) is standard.
Does the tool store my generated strings?
No — all generation happens in your browser. Nothing sent to our servers. Privacy AND security guaranteed.
Can I generate the same string twice?
Effectively impossible — even 16 alphanumeric chars have 62^16 = ~5 × 10^28 possibilities. Generating the same string twice by chance has probability roughly zero.
What if I need predictable random for testing?
This tool uses true random — not seeded. For deterministic tests, use a seedable PRNG library (seedrandom.js) with fixed seed. But that's NOT cryptographically secure — only for testing.