About

Hexadecimal strings underpin nearly every layer of modern computing. Memory addresses, color definitions in CSS (#RRGGBB), cryptographic hashes, MAC addresses, and UUID fragments all rely on base-16 notation. A malformed hex value in a configuration file or API payload will silently corrupt data or trigger hard-to-trace parsing failures. This tool generates cryptographically secure hex values using crypto.getRandomValues rather than the predictable Math.random PRNG. You control length (up to 128 characters), character case, prefix, and batch quantity. The color mode validates output as a proper 3, 6, or 8-digit CSS hex color and renders a live swatch with computed WCAG contrast ratio.

Limitation: generated values are pseudorandom from the browser's CSPRNG. They are suitable for tokens, test data, and identifiers. They are not a replacement for a hardware entropy source in high-security key generation. The color contrast calculation assumes sRGB gamut and the standard L = 0.2126R + 0.7152G + 0.0722B relative luminance model per WCAG 2.0.

Formulas

Each hexadecimal character encodes exactly 4 bits of information. The total entropy of a hex string is:

H = n × 4 bits

where n = number of hex characters. The total number of possible unique values is:

N = 16ⁿ

For color mode, relative luminance L is computed per WCAG 2.0 to determine contrast against white and black text:

L = 0.2126 ⋅ R_lin + 0.7152 ⋅ G_lin + 0.0722 ⋅ B_lin

where each linearized channel C_lin is derived from the sRGB value:

C_lin =

{

C_sRGB12.92 if C_sRGB ≤ 0.04045(C_sRGB + 0.0551.055)^2.4 otherwise

The WCAG contrast ratio between two luminances L₁ and L₂ (where L₁ ≥ L₂) is:

CR = L₁ + 0.05L₂ + 0.05

The random byte generation uses the Web Crypto API call crypto.getRandomValues(Uint8Array), which draws from the operating system's CSPRNG. Each byte is converted to a 2-character hex string via toString(16) with zero-padding.

Reference Data

Hex Length	Bits of Entropy	Possible Values	Common Use Case
1	4	16	Single nibble, flags
2	8	256	Byte value, ASCII code
3	12	4,096	CSS shorthand color (#RGB)
4	16	65,536	Unicode code point (BMP)
6	24	16,777,216	CSS full color (#RRGGBB)
8	32	4,294,967,296	CSS color + alpha (#RRGGBBAA), IPv4
12	48	2.81 × 10¹⁴	MAC address
16	64	1.84 × 10¹⁹	64-bit identifier, API token segment
32	128	3.40 × 10³⁸	MD5 hash, UUID (128-bit)
40	160	1.46 × 10⁴⁸	SHA-1 hash, Git commit ID
64	256	1.16 × 10⁷⁷	SHA-256 hash
128	512	1.34 × 10¹⁵⁴	SHA-512 hash
Common Hex Color Codes
#FFFFFF	White - RGB(255, 255, 255)
#000000	Black - RGB(0, 0, 0)
#FF5733	Red-Orange - RGB(255, 87, 51)
#3498DB	Steel Blue - RGB(52, 152, 219)
#2ECC71	Emerald - RGB(46, 204, 113)
#F39C12	Sunflower - RGB(243, 156, 18)
#9B59B6	Amethyst - RGB(155, 89, 182)
#1ABC9C	Turquoise - RGB(26, 188, 156)

Frequently Asked Questions

Math.random() uses a deterministic PRNG (typically xorshift128+ in V8) seeded from a limited entropy source. Its output is predictable given the internal state and unsuitable for security tokens. This tool uses crypto.getRandomValues(), which draws from the OS-level CSPRNG (/dev/urandom on Linux, BCryptGenRandom on Windows). The output passes NIST SP 800-22 randomness tests and is suitable for session tokens, nonces, and non-critical key material.

Per CSS Color Module Level 3 specification, a 3-digit hex color #RGB is expanded by duplicating each digit: R becomes RR, G becomes GG, B becomes BB. So #F0A becomes #FF00AA. This is a shorthand notation, not a truncation. The generator's color mode produces values that follow this expansion rule, so the swatch always shows the correctly interpreted color.

For a batch of k values from a space of N = 16ⁿ possibilities, the birthday problem gives collision probability approximately P ≈ 1 − e^{−k(k−1)/(2N)}. For 100 values of length 8 (N = 4.29 × 10⁹), P ≈ 1.16 × 10⁻⁶. For length 16 (N = 1.84 × 10¹⁹), it is effectively zero. The generator enforces uniqueness within each batch via Set deduplication regardless.

8-digit hex colors with alpha channel are supported in all modern browsers since Chrome 62, Firefox 49, Safari 10, and Edge 79. Internet Explorer does not support them. If you need IE compatibility, use the rgba() functional notation instead. The generator displays the equivalent rgba() value alongside the hex code in color mode for convenience.

A fixed prefix reduces effective entropy. If you lock a 2-character prefix on a length-8 string, only 6 characters are random, yielding 16⁶ = 16,777,216 possible values instead of 16⁸ = 4,294,967,296. The generator adjusts the displayed entropy calculation to reflect only the random portion. Prefixes are useful for namespacing (e.g., 0x for C-style, FF for broadcast addresses) but should not be counted toward randomness budgets.

The randomness source (crypto.getRandomValues) is cryptographically suitable, but browser-generated keys have operational risks: they exist in JavaScript heap memory (not protected memory), are vulnerable to XSS exfiltration, and cannot be securely erased. For production cryptographic keys, use the Web Crypto API's generateKey() method with extractable:false, or generate keys server-side in a trusted environment.