Skip to main content
Utilavo

Random String Generator

Generate secure random passwords, API keys, and tokens with cryptographic randomness

How to use Random String Generator

  1. Set the string length

    Use the slider or type a number between 1 and 256. Longer strings provide more entropy and stronger security. 32 characters is a good default for most use cases.

  2. Choose character sets

    Toggle the character sets you need: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and symbols. You can also add custom characters. Use a preset like Alphanumeric, Password, or Hex for quick configuration.

  3. Generate your strings

    Strings are generated automatically when you change any setting. Click Regenerate to create new strings with the same configuration. Set the count to generate up to 100 strings at once.

  4. Copy and use

    Click the copy icon next to any string to copy it to your clipboard. When generating multiple strings, use the copy-all button to copy all strings separated by newlines.

Character sets
Charset: 62 unique charactersEntropy: 95 bitsStrong

What is a random string generator?

A random string generator creates unpredictable sequences of characters suitable for passwords, API keys, session tokens, nonces, and unique identifiers. This tool uses the Web Crypto API (crypto.getRandomValues) to draw entropy from your operating system's cryptographically secure random number generator, producing output that is computationally infeasible to predict.

Generation runs client-side using crypto.getRandomValues; no generation history is stored (see our processing model for details). You can configure the length, choose from predefined character sets (uppercase, lowercase, digits, symbols), add custom characters, and generate multiple strings at once. An entropy indicator shows the strength of each generated string in bits.

Random string generation is a foundational security operation. Every web application needs session IDs that cannot be guessed, CSRF tokens that prevent cross-site attacks, password reset tokens that expire safely, and API keys that authenticate programmatic access. Database systems need unique identifiers for records. Deployment pipelines need random secrets for environment variables. Cryptographic protocols need nonces (numbers used once) to prevent replay attacks. Using a cryptographically secure generator ensures that attackers cannot predict future outputs even if they observe previous ones — a critical property that Math.random() and similar non-cryptographic generators do not provide.

The character set and length together determine the entropy (unpredictability) of the generated string. A 16-character alphanumeric string (62 possible characters per position) provides approximately 95 bits of entropy — strong enough for most passwords. A 32-character hex string (16 possible characters per position) provides 128 bits of entropy — the standard minimum for cryptographic keys and session tokens. A 64-character alphanumeric string provides approximately 381 bits — well beyond any foreseeable brute-force capability. Including symbols in the character set increases entropy per character (from ~5.95 bits/char for alphanumeric to ~6.5 bits/char with common symbols), allowing shorter strings to achieve the same strength. The tool's entropy indicator calculates and displays the exact bits of entropy for your current configuration.

Frequently asked questions

Is this generator truly random?

Yes. It uses crypto.getRandomValues, which draws from your operating system's cryptographically secure pseudorandom number generator (CSPRNG). This is the same entropy source used by TLS, SSH, and other security protocols. Unlike Math.random(), the output cannot be predicted even if an attacker knows previous values.

What string length should I use?

For passwords, 16-20 characters with mixed character sets provides excellent security. For API keys and tokens, 32-64 characters is standard. For cryptographic nonces or session IDs, 32 characters of hex (128 bits of entropy) or longer is recommended. The entropy indicator below the results shows the strength of your configuration.

Is it safe to generate secrets in the browser?

Yes. Generation happens locally using your browser's built-in crypto API, which is safer than server-side generators where secrets traverse the network. See our processing model for the full handling description. For additional security, consider using the Hash Generator to derive fixed-length hashes from generated strings.

What is entropy and how many bits do I need?

Entropy measures unpredictability in bits. It is calculated as length times log2(charset size). For example, a 32-character alphanumeric string (62 possible characters) provides about 190 bits of entropy. 128 bits is considered very strong for most applications. The tool displays the entropy and a strength rating (Weak, Moderate, Strong, Very Strong) for your current configuration.

How do I generate a secure API key?

Set the length to 32-64 characters, enable alphanumeric characters (uppercase, lowercase, digits), and click Generate. A 32-character alphanumeric string provides approximately 190 bits of entropy, which is more than sufficient for API key security. Avoid including symbols in API keys as they can cause issues in HTTP headers, environment variables, and configuration files. Copy the generated key and store it securely — in an environment variable, a secrets manager (like AWS Secrets Manager or HashiCorp Vault), or a .env file that is never committed to version control.

What is the difference between a password and a cryptographic key?

A password is a human-memorable string typically 12-20 characters long, often including mixed character types for complexity. A cryptographic key is a purely random binary value (128, 256, or 512 bits) that is never meant to be memorized — it is stored by software. This tool can generate both: use the Password preset for human-friendly passwords, or the Hex preset at 32-64 characters for cryptographic keys. For deriving encryption keys from passwords, use PBKDF2 or Argon2 — never use a password directly as an encryption key.

Related tools

Hash Generator

Generate MD5, SHA-256, SHA-512, BLAKE3, and 25+ cryptographic hashes to verify file integrity

HMAC Generator

Generate HMAC-SHA256 and HMAC-SHA512 authentication codes to sign API requests and verify webhooks

Ab64

Base64 Encoder

Encode and decode Base64 strings and files for APIs, emails, and data URIs

Encrypt / Decrypt

Encrypt and decrypt data with AES, DES, Triple DES, and RC4 symmetric ciphers

Protect PDF

Password-protect and encrypt a PDF document