Skip to content
Security · Randomization

Random String Generator

Cryptographically secure random strings generated entirely in your browser using the Web Crypto API. No data is ever transmitted or stored.

In-browser only Web Crypto API

Quick Presets

Characters
Overrides the character toggles above when non-empty
Output format
191 bits

How to Generate Secure Random Strings

How to Generate Secure Random Strings

  1. 1
    Choose a preset or configure manually

    Select a preset (API Key, Token, Hex Token, Password, PIN) for instant configuration, or adjust length, character sets, and output format manually.

  2. 2
    Set your character requirements

    Toggle uppercase, lowercase, digits, and special characters on or off. Enable "Exclude ambiguous" to remove look-alike characters (0, O, 1, l). Enter a custom character set to override the toggles entirely.

  3. 3
    Pick an output format

    Choose Raw for general-purpose strings, Hex for hex-encoded secrets, Base64 for HTTP headers, or Base64-URL for URL-safe tokens and JWTs.

  4. 4
    Generate and copy

    Click Generate (or press Ctrl/Cmd+Enter) to produce a batch. Copy individual strings with the row copy button, copy all at once, or download as a .txt file.

Output format comparison

Output format comparison

Format Example (32 chars) Output length Characters Use when
Raw mK7#Rq2vLp9nXe4s… = configured length From active charset General-purpose tokens, passwords
Hex a3f8c2d1b04e7f9a… 2× byte count 0–9, a–f Hex secrets, checksums
Base64 o/jC0Z5L+eRwBq1Y… ⌈4/3 × bytes⌉ A–Z, a–z, 0–9, +, /, = HTTP headers, JSON payloads
Base64-URL o_jC0Z5L-eRwBq1Y… ⌈4/3 × bytes⌉, no padding A–Z, a–z, 0–9, -, _ URL params, JWT secrets

Frequently Asked Questions

Is this random string generator cryptographically secure?
Yes. All strings are generated using crypto.getRandomValues() from the Web Crypto API with rejection sampling to eliminate modulo bias. Math.random() is never used.
What is the difference between Base64 and Base64-URL output formats?
Standard Base64 uses +, /, and = characters. Base64-URL replaces + with -, / with _, and removes padding (=), making the output safe for use in URLs, HTTP headers, and JWT tokens without percent-encoding.
What does "Exclude ambiguous characters" do?
It removes characters that look visually similar: 0 (zero), O (capital o), o (lowercase o), 1 (one), l (lowercase L), and I (capital i). This reduces transcription errors when strings need to be read and typed manually.
How does the custom character set option work?
When you enter characters in the custom character set field, those characters replace the standard character toggles entirely. Duplicate characters are removed automatically. The "Exclude ambiguous" filter still applies to custom character sets.
How is entropy calculated?
Entropy (in bits) = length × log₂(charset size). For example, a 32-character string from a 62-character charset (upper + lower + digits) has approximately 190 bits of entropy. Higher entropy means the string is harder to guess or brute-force.
Are my generated strings stored anywhere?
No. All generation happens locally in your browser using JavaScript. Nothing is uploaded, stored, or transmitted to any server. Closing the tab discards all generated strings and session history.
What is the maximum length I can generate?
You can generate strings up to 1024 characters long, in batches of up to 100 strings at a time.