Create random strings instantly in your browser and download the result as a RANDOMSTRING file for easy reuse.
0, O, I, l, and 1 — recommended any time a human will read, transcribe, or dictate the string. This is the same idea behind Crockford Base32 and Base58.window.crypto.getRandomValues() — no network round-trip, no server-side log of what was generated. Copy individual strings or export the full batch as text or CSV.A "random string" is any sequence of characters that an attacker cannot predict cheaper than brute-forcing the keyspace. The harder it is to guess, the more uses it has — from one-off shareable links to long-lived production secrets. The right format and length depend on three things: who reads the string (a human or a machine), where it travels (URL, header, QR code, printed paper), and how long it lives (one minute or one year).
Authorization header without wrapping.id columns expose growth rate to scrapers. A 12–16 char random string per row keeps URLs unguessable without revealing how many records exist./uploads/IMG_0001.jpg is scrapeable; /uploads/k7Q2vR9LpNxFm3bY.jpg is not).Working with related identifiers? See the Password Generator for human-typeable passwords, the UUID Generator for RFC 4122 v4 IDs, or the Base64 Encoder if you have raw bytes you want to render as a string.
Entropy (in bits) per character equals log₂(alphabet size). A longer alphabet gets you more bits per character, so the string can be shorter for the same security margin — at the cost of harder transcription.
| Character Set | Alphabet Size | Bits per Char | Chars for 128 bits | Best For |
|---|---|---|---|---|
| Hex (0–9, a–f) | 16 | 4.00 | 32 | Session IDs, hashes, traditional API keys |
| Base32 (RFC 4648) | 32 | 5.00 | 26 | TOTP secrets, case-insensitive identifiers |
| Crockford Base32 | 32 | 5.00 | 26 | Human-typed coupon codes (excludes I, L, O, U) |
| Alphanumeric (mixed-case + digits) | 62 | 5.95 | 22 | General-purpose tokens, slugs |
| Base58 (Bitcoin) | 58 | 5.86 | 22 | Wallet addresses, IDs read aloud (no 0/O/I/l) |
| Base64 / Base64-URL | 64 | 6.00 | 22 | API keys, bearer tokens, JWT payloads |
| Full ASCII printable (~94) | 94 | 6.55 | 20 | Maximum-density secrets stored in machines only |
A 16-char alphanumeric string carries ~95 bits of entropy — comfortable for short-lived session cookies but under the 128-bit OWASP floor for long-lived tokens. Bump to 22 chars for 128 bits, or 32 chars for the 192-bit margin most production API gateways use.
| Use Case | Length | Character Set | Approx. Entropy | Notes |
|---|---|---|---|---|
| OAuth bearer token / API key | 32 | Base64-url | ~192 bits | Standard for Stripe, GitHub, AWS-style keys |
| Session ID (cookie) | 32 hex / 22 base64-url | Hex or Base64 | 128 bits | OWASP-recommended for custom session IDs |
| CSRF token (per-request) | 24 | Base64-url | ~144 bits | Short-lived, rotated each session |
| Password reset link token | 32 | Base64-url | ~192 bits | Single-use, 15–60 min expiry |
| Coupon / promo code | 8–10 | Crockford Base32 | 40–50 bits | Look-alikes excluded; checksum char optional |
| Invite code (private beta) | 12 | Crockford Base32 | ~60 bits | Easy to share verbally; brute-force not the threat |
| Two-factor TOTP shared secret | 16 (80 bits) or 32 (160 bits) | Base32 | 80 or 160 bits | Per RFC 6238; 160-bit recommended |
| Random filename / object key | 16 | Base64-url | ~96 bits | Defeats enumeration on /uploads/ paths |
| Database surrogate key (public) | 12 | Base58 | ~70 bits | Like YouTube video IDs |
| Human-readable password | 16+ | Alphanumeric + symbols | ~104 bits | See the Password Generator for pronounceable variants |
Yes, when generated in a modern browser. The tool calls window.crypto.getRandomValues(), which the MDN spec describes as suitable for cryptographic purposes — backed by the OS entropy source (/dev/urandom on Linux/macOS, BCryptGenRandom on Windows). It is not Math.random(), which is a predictable PRNG explicitly flagged as unsuitable for security. The browser caps each getRandomValues call at 65,536 bytes, which the generator handles transparently for very long or bulk requests.
Entropy in bits = length × log₂(alphabet size). Examples: 16 hex chars = 16 × 4 = 64 bits; 22 base64 chars = 22 × 6 = 132 bits; 12 Crockford Base32 chars = 12 × 5 = 60 bits. The rule of thumb most security guides cite is 128 bits for anything long-lived (session IDs, API keys) and 80+ bits for human-typeable codes where rate-limiting also protects you.
Standard Base64 (RFC 4648 §4) uses A–Z a–z 0–9 + / with = padding, which breaks URLs and filenames. Base64-URL (§5) substitutes - for +, _ for /, and typically drops the = padding. If your string will appear in a URL, query parameter, JWT segment, or filename, always pick the URL-safe variant — otherwise you'll need to manually escape +/= on every transit.
Anywhere a human reads, dictates, or types the string, look-alikes cause real support load. Douglas Crockford's Base32 drops I, L, O (confuse with 1, 1, 0) and U (to avoid accidental obscenity); Base58 drops 0, O, I, l. Coupon codes, recovery codes, wallet addresses, and license keys all benefit. For machine-only strings (API headers, cookies), the exclusion gains you nothing and costs ~0.07 bits per char.
UUIDv4 is a fine random identifier — it carries 122 bits of randomness in 16 bytes. The downsides for string-style use: it's 36 characters with four hyphens (e.g., f47ac10b-58cc-4372-a567-0e02b2c3d479), uses only hex (4 bits per char), and the version/variant bits are not random, so it's not the most entropy-dense format on the wire. For a URL token, 22 chars of base64-url carries the same ~128 bits in 39% less space. Use UUIDs when you need RFC 4122 conformance or compatibility with uuid columns in Postgres / SQL Server; use a plain random string when you just need entropy.
For a string that resists offline brute force against modern GPUs, target 80 bits of entropy for medium-risk accounts and 128+ bits for high-value or long-lived credentials. With the full alphanumeric + symbols set (94 chars, 6.55 bits/char), 12 chars ≈ 79 bits and 16 chars ≈ 105 bits. NIST SP 800-63B no longer mandates symbol classes for user passwords, but the entropy math is the same: longer beats fancier every time.
Not from this tool — that's the point. CSPRNG output is unrecoverable by design; even the same browser tab will produce a different string on the next click. If you need a deterministic but unpredictable string (e.g., derive a token from a user ID + secret), use HMAC instead — see the Hash Generator for SHA-256 / HMAC-SHA256.
No. Generation runs entirely in your browser via crypto.getRandomValues(); the strings never touch any server. Closing the tab discards them. For sensitive secrets, paste them straight into your password manager or .env file and avoid sending them through chat or email.
The browser's crypto.getRandomValues() rejects requests above 65,536 bytes per call with a QuotaExceededError. The generator chunks larger requests automatically — for bulk runs (say, 100,000 coupon codes), it loops in batches and concatenates, so the entropy guarantee still holds per character.