Random String Generator

When you want a random string and nothing else

A random string is the catch-all primitive that sits below more structured identifiers like UUIDs, ULIDs and nanoids. Those have a fixed shape, a defined alphabet and a specification you can validate against. A plain random string is just N characters drawn from a charset of your choice, with no schema and no opinion about how it is encoded. That makes it the right tool when the structure is irrelevant or when an existing system already specifies the format.

Typical use cases include one-off API keys generated by hand, temporary session identifiers, randomized slugs for unguessable URLs, simple password generation when complexity rules are not enforced, cryptographic salts for hashing, anonymous user IDs, invitation codes, and seed values for test fixtures. The right alphabet and the right length depend on the use case, not on a fixed convention.

Length and entropy

The strength of a random string is measured in bits of entropy, given by the formula log2(charset_size) × length. A few reference points:

• 10 alphanumeric chars (62 symbols) — about 59.5 bits
• 16 alphanumeric chars — about 95.3 bits
• 16 hex chars (16 symbols) — exactly 64 bits
• 22 base64url chars — about 132 bits, which is what a UUID encoded as base64 looks like
• 32 hex chars — 128 bits, the strength of an MD5 hash output

NIST SP 800-63B recommends at least 64 bits for low-sensitivity session tokens and 128 bits or more for high-value tokens like password reset links, API keys with administrative scope or single-use signing nonces. Below 64 bits, brute force becomes feasible for a motivated attacker.

Math.random is not random enough

Never use Math.random() or its equivalents in other languages for tokens that protect anything. The default PRNG of most language runtimes is fast but predictable: given enough output samples, an attacker can recover the internal state and forecast every future value. The correct primitive is a cryptographically secure pseudo-random number generator (CSPRNG), exposed in every modern platform:

// Browser
const bytes = new Uint8Array(16);
crypto.getRandomValues(bytes);

// Node.js
const { randomBytes } = require('crypto');
randomBytes(16);

// Python
import secrets
secrets.token_urlsafe(16)

All three pull from the operating system entropy pool (/dev/urandom on Linux/macOS, BCryptGenRandom on Windows). This tool uses crypto.getRandomValues under the hood, so the output is safe for security-sensitive purposes.

Picking the right alphabet

The charset is more than a cosmetic choice. Each alphabet has trade-offs:

• Alphanumeric (62) — densest URL-safe output without symbols. The default for most needs.
• Hex (16) — case-insensitive and trivially URL-safe; output is twice as long for the same entropy.
• Base64 — 64 symbols including +, / and = padding. Compact but breaks inside URLs without encoding. Prefer base64url (- and _ instead).
• Base32 (RFC 4648) — 32 unambiguous letters and digits, case-insensitive, designed for human transcription.
• Base58 (Bitcoin) — drops the visually ambiguous 0, O, l, I for codes a user may read aloud.
• Alphanumeric + symbols — strongest for password generation, may need quoting in URLs and shells.

If a code will ever be typed by a human, exclude ambiguous characters (0/O, 1/l/I) and add length to make up the lost entropy.

FAQ

What length should I pick?

For security tokens, aim for at least 16 alphanumeric characters (~95 bits) or 22 base64url characters (~132 bits). For non-sensitive identifiers, 8–12 is usually enough.

Can I use it as a password?

Yes — provided it is generated by a CSPRNG (this tool does) and has enough length. 16+ alphanumeric characters is a strong machine-generated password; for human-typed accounts, prefer a passphrase that is easier to remember.

Will symbols break my URL?

Some do. Standard base64 (+, /, =) needs URL-encoding; the alphanumeric and hex alphabets are always URL-safe. If the string will travel inside a URL, pick those or use base64url.