190 bitsof entropy · 62 possible characters · 32 chars long
What this tool does
Free cryptographically secure random string generator -- hex, base62, alphanumeric, PIN, and custom character sets
How this random string generator works technically, what each preset is used for, and how to choose the right settings for your use case
This free random string generator uses the browser's built-in crypto.getRandomValues() API to generate strings with genuine cryptographic randomness. Unlike Math.random(), which uses a deterministic seeded algorithm that can theoretically be predicted, crypto.getRandomValues() draws from your operating system's entropy pool -- the same randomness source used for TLS session key generation, cryptographic nonces, and UUID token generation. When you click Generate, the tool allocates a single Uint32Array of size length x count and fills it with cryptographically random bytes in one call, then maps each value through a modulo operation over your chosen character set to select each character. Every character is independently and uniformly random -- there are no correlations between characters, no seeding dependencies, and no way for an observer to predict future output from past output.
The tool offers six presets covering the most common random string use cases. The hex preset (0-9, a-f) produces 4 bits of entropy per character and is compatible with MD5 and SHA hash output formats, making it ideal for nonces, checksums, and systems expecting hexadecimal input. The base62 preset (A-Z, a-z, 0-9) produces approximately 5.95 bits per character, is completely URL-safe with no characters requiring percent-encoding, and is the standard for URL shortener IDs, API keys, and session tokens. The no-ambiguous preset removes visually confusing characters (0/O, 1/l/I) from the pool for any string that humans need to read and transcribe manually -- activation codes, licence keys, and vouchers. The PIN preset uses digits only, ideal for numeric OTP codes. The password preset uses all four character types for maximum entropy density. The custom preset gives you independent control over all four character types for any combination not covered by the presets.
The entropy display shows the expected bits of randomness in each generated string before you click Generate, calculated as length x log2(charset_size). This is the theoretical measure of how many guesses an attacker would need in a worst-case brute-force scenario: at 128 bits of entropy there are 2^128 possible strings, which exceeds the total number of atoms in the observable universe. For reference, NIST SP 800-63B recommends a minimum of 128 bits of entropy for long-lived security tokens, which corresponds to 22 base62 characters or 32 hex characters. For short-lived codes with rate-limiting (email OTP, SMS verification), 20 bits (6 digits) is sufficient when combined with a 5-minute expiry and 3-attempt limit. The bulk generation feature supports up to 100 strings per click, with Copy All exporting as newline, comma, or space-separated text -- useful for pre-generating test data, provisioning multiple API keys, or creating batch activation codes for software distribution.
Features and preset details
CSPRNG Security
Uses crypto.getRandomValues() -- the same OS entropy source as TLS key generation. Suitable for all security-sensitive applications.
Hex Preset
16-character alphabet (0-9, a-f) producing strings compatible with SHA-256, MD5, and other cryptographic hash output formats.
Base62 Preset
62-character alphabet (A-Z, a-z, 0-9) -- URL-safe, compact, and human-readable. Standard for API keys, session tokens, and URL IDs.
No-Ambiguous Preset
Removes 0/O, 1/l/I from the pool for activation codes, licence keys, and any string humans must read and transcribe manually.
PIN Preset
Digits-only output for numeric OTP codes, SMS verification pins, and numeric access codes used with rate-limited entry systems.
Password Preset
All four character types (94 possible chars) for maximum entropy density -- ideal for generating strong user passwords.
Custom Charset
Toggle uppercase, lowercase, digits, and symbols independently for any combination the six presets do not cover.
Length 1-512
Adjust output length from a single character up to 512 for any use case from short OTPs to long cryptographic keys.
Bulk up to 100
Generate up to 100 unique independently random strings per click for batch provisioning and test data generation.
Live Entropy Display
Real-time entropy estimate in bits updates as you change settings so you know your security level before generating.
Flexible Copy Export
Copy individual strings or the full batch with newline, comma, or space separator for pasting into code or config files.
100% Client-Side
No server involved -- all generation, entropy calculation, and clipboard operations run locally in your browser.
Examples
Random string generator examples -- API keys, hex tokens, activation codes, URL IDs, and PINs
Five real-world use cases with the recommended preset, length, entropy, and example output for each scenario
Excellent32-char base62 API key -- 190 bits entropy, production-ready token
Preset: Base62
Length: 32 characters
Charset: 62 (A-Z + a-z + 0-9)
Output: Rq7mN2vKp9wLsB4xGhPj3cYeZtQfAd8n
Entropy: ~190 bits
Use case: API keys, session tokens, OAuth secrets
A 32-character base62 string achieves approximately 190 bits of entropy -- well above the 128-bit minimum recommended by NIST for security tokens. It is URL-safe with no characters requiring percent-encoding, compact enough to embed in HTTP headers and query strings, and human-readable enough to display in dashboards. This is the recommended configuration for production API keys, OAuth client secrets, and long-lived session tokens.
Excellent64-char hex string -- equivalent to a SHA-256 hash, 256 bits entropy
Preset: Hex
Length: 64 characters
Charset: 16 (0-9 + a-f)
Output: a3f82c1d0e4b9765fec38291da057b4c6e2f1098d7a5b3c4e60f17289ab3cd5e
Entropy: 256 bits
Use case: SHA-256-format tokens, file checksums, nonces
A 64-character hex string has exactly 256 bits of entropy and matches the output format of SHA-256 hashes, making it usable anywhere a hex hash is expected. It is ideal for cryptographic nonces, webhook signing secrets, file integrity tokens, and any context where the consuming system expects hexadecimal input. The 16-character hex alphabet means you need twice the length of base62 to achieve the same entropy, but hex is universally compatible.
Good16-char no-ambiguous activation code -- safe to transcribe manually
Preset: No Ambiguous
Length: 16 characters
Charset: 50 (no 0/O/1/l/I)
Output: W3PmK9xRhN7qB4sG
Entropy: ~85 bits
Use case: Software licence keys, voucher codes, SMS OTPs
A 16-character no-ambiguous string achieves 85 bits of entropy while being safe to read from a screen and type by hand -- no character can be misread as another. All visually confusing characters (0/O, 1/l/I) are excluded. This is the ideal configuration for activation codes, licence keys, promotional voucher codes, and any generated string that users must transcribe manually rather than copy-paste.
Good8-char base62 short URL ID -- compact, URL-safe, 47 bits entropy
Preset: Base62
Length: 8 characters
Charset: 62 (A-Z + a-z + 0-9)
Output: Kp7mN2vR
Entropy: ~47 bits
Use case: URL shortener IDs, referral codes, share links
An 8-character base62 string provides approximately 47 bits of entropy and 218 trillion possible values -- more than sufficient for URL shortener IDs, referral codes, and public share links where collision resistance is managed by a database uniqueness constraint rather than pure entropy. Base62 produces compact, URL-safe, visually clean identifiers without any symbols that require escaping in URLs or file paths.
Good6-digit PIN -- standard numeric code for rate-limited OTP systems
Preset: PIN
Length: 6 characters
Charset: 10 (0-9 only)
Output: 847392
Entropy: ~20 bits
Use case: SMS OTP, email verification code, 2FA backup
A 6-digit PIN has approximately 20 bits of entropy and 1 million possible values. While low in absolute entropy, it is the standard format for rate-limited one-time passwords in SMS verification and email confirmation flows because the rate-limiting and expiry window (typically 5 to 10 minutes with 3-5 attempts maximum) makes brute force practically impossible. This preset is appropriate only for short-lived codes -- never for long-lived credentials.
FAQ
Frequently asked questions about random string generation, entropy, and token security
Common questions from developers about how to generate secure random strings for API keys, session tokens, activation codes, and URL IDs
Is this random string generator cryptographically secure?
Yes -- this tool uses the browser's crypto.getRandomValues() API, which is a cryptographically secure pseudorandom number generator (CSPRNG) backed by your operating system's entropy pool. This is the same randomness source used for generating TLS session keys, cryptographic nonces, and UUID tokens. Unlike JavaScript's Math.random(), which uses a deterministic algorithm that can be predicted given its internal state, crypto.getRandomValues() produces true cryptographic randomness. Every character in every generated string is selected with equal probability using this secure source. Nothing is transmitted to any server -- all generation runs entirely in your browser.
What is the no-ambiguous character set and when should I use it?
The no-ambiguous preset removes characters that look visually identical or nearly identical in most fonts: the digit 0 (zero) and the letter O, the digit 1 (one), the lowercase letter l, and the uppercase letter I. These characters cause transcription errors when a person reads a code on one device and types it into another. Use the no-ambiguous preset whenever humans need to read and manually type the generated string -- activation codes, software licence keys, promotional vouchers, Wi-Fi passphrases displayed on screens, and any short-lived verification codes sent by SMS or printed on paper.
What is base62 encoding and what is it used for?
Base62 uses 62 characters: the 26 uppercase letters A-Z, the 26 lowercase letters a-z, and the 10 digits 0-9. It excludes all symbols and punctuation, making it completely URL-safe without any percent-encoding required. Base62 is the most widely used encoding for URL shortener IDs (converting long numeric IDs to short codes like bit.ly/abc123), session tokens in web applications, referral and invite codes, API keys that need to be embedded in URLs, and database primary keys that need to be compact and human-readable. A 22-character base62 string provides approximately 131 bits of entropy, equivalent to a standard 128-bit UUID.
How long should a random string be for use as an API key or session token?
For security tokens used in web applications, the NIST guidelines (SP 800-107 and SP 800-63B) recommend a minimum of 128 bits of entropy. Using base62, this requires 22 characters; using hex, this requires 32 characters. For most practical applications, 32 characters of base62 (approximately 190 bits of entropy) is the recommended standard -- it provides a comfortable security margin above the 128-bit minimum and is a manageable length to store, display, and transmit. For short-lived one-time codes (email verification, password reset), 16-24 characters of base62 is typically sufficient when combined with a short expiry window and rate limiting.
What is entropy in a random string and how is it calculated?
Entropy measures how unpredictable a string is, expressed in bits. The formula is: entropy bits = length x log2(charset_size). Each additional bit of entropy doubles the number of possible strings an attacker must try to guess yours by brute force. A 32-character hex string (16 possible chars) has 32 x 4 = 128 bits of entropy. A 32-character base62 string (62 possible chars) has 32 x 5.95 = ~190 bits. A 32-character password string (94 possible chars) has 32 x 6.55 = ~210 bits. The entropy display in this tool updates live as you change settings, so you can see exactly how your configuration translates to security level before generating.
What is the difference between a random string generator and a UUID generator?
A UUID (Universally Unique Identifier) is a standardised 128-bit identifier with a fixed format: 8-4-4-4-12 hexadecimal characters separated by hyphens, for example 550e8400-e29b-41d4-a716-446655440000. UUID version 4 is randomly generated and provides 122 bits of entropy (6 bits are fixed format bits). A random string generator is more flexible -- you can choose any character set, any length, and any count, and the output has no fixed format. Random string generators are better for API keys, session tokens, and custom IDs where you want to control length and character set. UUIDs are better when you need a standardised format compatible with databases, systems, and protocols that specifically expect UUID format.
Can I use this tool to generate API keys for my application?
Yes -- this tool is well-suited for generating API keys. For a production API key, use the base62 preset at 32 characters (approximately 190 bits of entropy) or the password preset at 32 characters (approximately 210 bits of entropy). API keys generated here are cryptographically random and suitable for use as long-lived access credentials. When using generated keys in production, store only the hash (SHA-256 or bcrypt) of the key in your database -- never the raw key itself -- and transmit them only over HTTPS. Consider prefixing your API keys with a service identifier (like sk_live_ or pk_test_) to make them identifiable in logs and easy to revoke by prefix.
How does bulk generation work and how many strings can I generate at once?
The Count input allows you to generate up to 100 unique random strings simultaneously in a single click. Each string in the batch is generated independently by filling a single large Uint32Array with crypto.getRandomValues() -- all strings are generated in one cryptographic call for efficiency, then split by length. Every string in the batch is equally random and statistically independent. Use the Copy All button to export the entire batch to your clipboard as a newline-separated, comma-separated, or space-separated list for pasting into code, configuration files, spreadsheets, or password manager import templates. Bulk generation is useful for pre-generating session tokens, generating test data, or provisioning multiple API keys simultaneously.
What is the hex preset good for and why would I use it over base62?
The hex preset generates strings using only the 16 hexadecimal characters 0-9 and a-f, producing strings that are compatible with common cryptographic output formats. Use hex when your generated string needs to look like or replace a hash value (MD5 produces 32 hex chars, SHA-1 produces 40, SHA-256 produces 64), when you are generating colour codes or colour palettes, when integrating with systems that specifically expect hexadecimal input, or when you need to store the value as raw bytes (two hex chars per byte). Hex is less entropy-dense than base62 (4 bits vs 5.95 bits per character), so you need a longer hex string to achieve the same security level as a shorter base62 string.
Are the generated strings stored anywhere or sent to a server?
No -- all random string generation in this tool runs entirely in your browser using the Web Crypto API. Your configuration settings, the generated strings, and any text you copy are never transmitted to any server, never logged, never stored in any database, and never used for any analytics or tracking purpose. The tool has no server-side component whatsoever -- it is a fully static client-side application. You can verify this by opening your browser's network inspector (F12 -> Network tab) while generating strings -- you will see zero outgoing API requests. This makes the tool completely safe to use for generating production credentials, API keys, and security tokens.
Related Developer Tools
Need a disposable email address?Stop exposing your real address to sites you don't trust -- get a free instant throwaway with no signup and no trace.
Get Free Temp Mail ->