Random Base91 String

Base91: a denser cousin of Base64

Base91 (often written basE91) is a binary-to-text encoding created around the year 2000 by Joachim Henke. It packs more data per output character than Base64, at the cost of using a less universal alphabet. For every 13 bytes of input it emits 16 characters of output (ratio ~1.23), versus Base64's 1.33 — an overhead of roughly 14% vs 33%. Random strings encoded in Base91 are therefore shorter than the Base64 equivalent for the same number of bits of entropy.

Alphabet and algorithm

Base91 uses 91 printable ASCII characters — essentially all of the printable range except ", ' and \\ (which would require escaping inside C/JSON string literals). The encoder buffers input bits and consumes them in 13-bit (sometimes 14-bit) units, looking each unit up in a pair of tables that map to two output characters. The decoder reverses the process.

Size comparison

For 100 bytes of binary input the encoded length is roughly:

• Base64: 136 chars (RFC 4648 — universally supported).
• Base85 / Ascii85: 125 chars (used by Adobe PDF; RFC 1924 for IPv6).
• Base91: ~123 chars (Henke).
• Base122: ~113 chars (uses non-ASCII bytes — six code points are unusable).

When to use Base91 (and when not to)

Use it when you need text-only transport and that extra ~10% saving versus Base64 matters: dense data URIs, log files, embedded telemetry. Avoid it for HTTP APIs, URLs and email — Base64 (or Base64url) is built into every stdlib and most languages have to import a dedicated package to handle Base91. Base91 also has no URL-safe variant out of the box, whereas Base64url is standardised in RFC 4648.

Library support

• Node.js: npm i base91.
• Python: pip install py-base91.
• Rust: base91 crate.
• C: Henke's original reference, MIT-licensed.

FAQ

Is a random Base91 string good as a password or token? Yes. It is no weaker than the same number of bits of entropy in Base64 — what matters is the underlying CSPRNG, not the alphabet. Strings are simply shorter for the same security level.

What length should I generate for a 128-bit token? About 22 Base91 characters (~128 bits of entropy). For 256-bit security target around 40 characters.

Is Base91 universally supported? No. Unlike Base64, you must install a library. If interoperability with arbitrary clients matters, stick with Base64.

Can I put a Base91 string in a URL? Not directly — it contains characters that require percent-encoding (/, ?, #, etc.). After percent-encoding most of the size advantage over Base64url disappears.

Does this tool send my data to a server? No. The random string is generated in your browser via crypto.getRandomValues().