HubTools

Random String Generator

Generate a random string with full control over length and character classes. Everything happens in your browser.

When do you need a cryptographically secure random string?

Random strings show up everywhere: session tokens, password reset links, CSRF tokens, file upload IDs, database primary keys, test fixtures, mock data. The trap is that the obvious choice — Math.random() — is a predictable pseudo-random number generator, seeded from the current time and easily reproducible by an attacker who knows when your server started. Anything with a security implication needs crypto.getRandomValues(), which this tool uses by default. The output is uniform across the chosen character set and indistinguishable from true randomness for any practical attacker. Strings are generated with no server round-trip, no logging and no transmission.
Generated Password
Strong
99.4 bits of entropy
Charset: 74 chars
Estimated crack time: centuries+ (10 billion guesses/sec)
Options
Password Length: 16 (range 4 to 128)
Character Types
  • Uppercase (A-Z)
  • Lowercase (a-z)
  • Numbers (0-9)
  • Symbols (!@#$%^&*_+-=)
Exclusions
  • Exclude Similar (i,l,1,L,o,0,O)
  • Exclude Ambiguous ({}<>[]()/\|)

About random strings

A cryptographically secure random string is generated by sampling each character independently and uniformly from your chosen alphabet via the OS entropy pool.
  • Web Crypto API: window.crypto.getRandomValues(new Uint32Array(N))
  • Each char from a 94-char alphabet: ~6.55 bits of entropy
  • Each char from a 62-char alphabet (alphanumeric): ~5.95 bits
  • Each char from a 16-char alphabet (hex): 4 bits
  • 16 chars alphanumeric ≈ UUIDv4 (~122 bits) territory
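
The sampling described above, as an added example (not HubTools' own code): it draws 32-bit values from crypto.getRandomValues() and discards the ones that would introduce modulo bias, with two helpers for the entropy arithmetic. The names buildAlphabet, randomString, entropyBits and minLength are illustrative; the character sets are the ones listed in the options above.

```javascript
// Added example, not HubTools' own code. All names below are illustrative.
// Browsers and current Node expose globalThis.crypto; older Node needs the fallback.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const SETS = {
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  lower: 'abcdefghijklmnopqrstuvwxyz',
  digits: '0123456789',
  symbols: '!@#$%^&*_+-=',            // symbol set listed on the page
};
const SIMILAR = 'il1Lo0O';             // the page's "Exclude Similar" set

function buildAlphabet(opts = {}) {
  const { excludeSimilar = false, ...classes } = opts;
  let chars = Object.keys(SETS)
    .filter((k) => classes[k] !== false)    // every class is on unless disabled
    .map((k) => SETS[k]).join('');
  if (excludeSimilar) chars = [...chars].filter((c) => !SIMILAR.includes(c)).join('');
  if (!chars) throw new Error('Enable at least one character type');
  return chars;
}

function randomString(length, alphabet) {
  const n = alphabet.length;
  // Largest multiple of n that fits in 32 bits. Values at or above it are
  // discarded, because `value % n` alone would favour the first few characters.
  const limit = 2 ** 32 - (2 ** 32 % n);
  const buf = new Uint32Array(Math.min(16384, Math.max(16, length)));
  let out = '';
  while (out.length < length) {
    webCrypto.getRandomValues(buf);         // at most 65,536 bytes per call
    for (let i = 0; i < buf.length && out.length < length; i++) {
      if (buf[i] < limit) out += alphabet[buf[i] % n];
    }
  }
  return out;
}

// Entropy of a uniformly sampled string: length * log2(alphabet size).
const entropyBits = (length, size) => length * Math.log2(size);
// Shortest length that reaches a target strength for a given alphabet size.
const minLength = (bits, size) => Math.ceil(bits / Math.log2(size));
```

With the default options, buildAlphabet() returns the 74-character set, and entropyBits(16, 74) gives the 99.4 bits shown in the strength readout.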

Frequently asked questions

What's the difference between this and Math.random()?
Math.random() is a deterministic PRNG (typically xorshift128+ in modern browsers) seeded once per page load — predictable to anyone observing a few outputs. crypto.getRandomValues() is a cryptographically secure PRNG (CSPRNG) backed by the operating system's entropy pool — the same primitive used to generate TLS keys. For anything security-relevant, only the CSPRNG is acceptable.