
Random String

Generate random strings.


About Random String

Generate cryptographically random strings — pick length, character classes (upper, lower, digit, symbol, hex), bulk count. Uses crypto.getRandomValues so the output is suitable for API keys, session tokens, nonces, and salts. No bias from naive modulo — we draw uniformly.

Why “random” needs a tool

Three problems naive code gets wrong:

  1. Math.random() is not secure. Browser implementations are seeded predictably enough that a determined attacker can recover state. Always use crypto.getRandomValues.
  2. Modulo bias. randomByte % 62 (alphanumeric alphabet) has bias because 256 is not divisible by 62 — the first 256 % 62 = 8 characters appear slightly more often. The skew is tiny but measurable, and in cryptography measurable matters.
  3. Confused encoding. Hex output is double-length; Base64 is shorter but URL-unsafe; alphanumeric is variable. Pick by use.

This tool fixes all three: CSPRNG for entropy, rejection sampling against bias, format options for downstream encoding.
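
Rejection sampling as described above, as an added example (not this tool's own source): bytes at or above the largest multiple of the alphabet size that fits in 256 are discarded, and byteValuesPerIndex counts exactly how many byte values map to each character with and without that step. The function names and the injectable fillBytes parameter are assumptions made for illustration.

```javascript
// Added example, not the tool's source; all names are hypothetical.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const ALPHANUMERIC =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Largest multiple of n that fits in one byte; bytes >= this are rejected.
function acceptLimit(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('alphabet size must be between 1 and 256');
  }
  return 256 - (256 % n);
}

// Exact count of byte values that map to each alphabet index.
// reject=false is the naive `byte % n`; reject=true drops bytes >= acceptLimit.
function byteValuesPerIndex(n, reject) {
  const limit = reject ? acceptLimit(n) : 256;
  const counts = new Array(n).fill(0);
  for (let b = 0; b < limit; b++) counts[b % n]++;
  return counts;
}

// fillBytes is injectable so a test can feed constructed bytes.
function randomString(length, alphabet = ALPHANUMERIC,
                      fillBytes = (buf) => webCrypto.getRandomValues(buf)) {
  if (!Number.isInteger(length) || length < 0) {
    throw new RangeError('length must be a non-negative integer');
  }
  const chars = Array.from(alphabet);
  if (new Set(chars).size !== chars.length) {
    throw new Error('duplicate characters would skew the distribution');
  }
  const limit = acceptLimit(chars.length);
  // getRandomValues accepts at most 65536 bytes per call.
  const buf = new Uint8Array(Math.min(65536, Math.max(16, length * 2)));
  const out = [];
  while (out.length < length) {
    fillBytes(buf);
    for (const b of buf) {
      if (b >= limit) continue; // rejected: keeping it would favour low indices
      out.push(chars[b % chars.length]);
      if (out.length === length) break;
    }
  }
  return out.join('');
}

console.log(randomString(16));
```

For the 62-character alphabet, byteValuesPerIndex(62, false) gives 5 for the first eight indices and 4 for the rest, while byteValuesPerIndex(62, true) gives 4 everywhere.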

What length do I actually need?

| Use | Bytes | Hex chars | Reason |
|---|---|---|---|
| Session ID | 16 | 32 | 128 bits, unguessable |
| API key | 32 | 64 | Long enough to print, plenty of bits |
| CSRF token | 16 | 32 | Per-session, refreshed often |
| Nonce | 12 | 24 | Standard AES-GCM IV size |
| Salt | 16 | 32 | Per-user, stored next to hash |

Common workflows

Provision API keys. Generate 32-byte hex keys, paste into your secret store, distribute the keys.

Seed a JWT signing secret. 32-byte random string for HS256 — your tokens are unforgeable from there.

Bulk-create test fixtures. Need 100 random user IDs? Bulk mode → download → import.

Refresh CSRF tokens at deploy. Rotate old tokens as part of your release script.

Why local random

A random generator that contacts a server defeats the purpose — the server could log every value and compromise every token. The W3C-mandated browser CSPRNG is the better source: it pulls from your OS entropy, never logs, never transmits.

Frequently asked questions

How is this different from a password generator?
The Password Generator is built for human-typed credentials with passphrase support and crack-time estimates. This tool is for machine-consumed strings — API keys, tokens, nonces — where length and unpredictability matter and readability does not.
How long should a token be?
For API keys, 32 bytes (256 bits) is overkill but cheap. Hex output → 64 chars; Base64 → 43 chars. For session IDs, 16-24 bytes is plenty.
Is this safe for security purposes?
Yes — uses the W3C-mandated CSPRNG. Avoid any random tool that derives from Math.random() for security-relevant output.
How many can I generate at once?
Up to 1000 per click. Above that the clipboard becomes the bottleneck — use the download button.
Can I customize the character set?
Yes. Toggle classes, or paste a custom alphabet for special cases (e.g. omit visually similar characters O0Il1).
Why uniform distribution?
Naive x % alphabet.length biases toward the first few characters when the modulus does not divide 256 evenly. We use rejection sampling so every character has equal probability.

Last updated: 2025-01-15