User Rating 0.0 ★★★★★

Total Usage 0 times

Category Text Generators

Character Sets

Lowercase (a–z) Uppercase (A–Z) Digits (0–9) Symbols (!@#$...) Hex (0–9, A–F) Binary (0, 1)

Exclude Ambiguous (0, O, 1, l, I, 5, S)

Pattern Template A = uppercase letter, a = lowercase letter, 9 = digit, X = hex, * = alphanumeric. Other chars are literal.

Custom Character Pool Enter every character you want in the pool. Duplicates are removed automatically.

String Length

Quantity

Prefix

Suffix

Separator between strings

Case Transform

Unique strings only

Presets:

Entropy: —

Pool: — Count: — Length: —

Is this tool helpful?

Your feedback helps us improve.

★ ★ ★ ★ ★

About

Generating random strings without cryptographic guarantees produces predictable output vulnerable to brute-force attacks. This tool uses the browser's native crypto.getRandomValues API - a cryptographically secure pseudorandom number generator (CSPRNG) - to produce strings with verifiable entropy. Entropy per string is calculated as H = L × log₂(N), where L is the output length and N is the character pool size. A pool of 62 alphanumeric characters at length 16 yields approximately 95.3 bits of entropy - sufficient for session tokens but insufficient for master encryption keys. This tool approximates uniform distribution by rejection sampling when the pool size does not evenly divide 256.

Pattern mode lets you define structural templates (e.g., AAA-9999) for serial numbers, coupon codes, or license keys. Note: uniqueness is enforced via deduplication, but generating more strings than the combinatorial space allows will halt with an error rather than producing duplicates. Pro tip: for API tokens, use at least 128 bits of entropy - that means 22 characters from a 62-character alphanumeric pool.

Formulas

The information entropy of a randomly generated string quantifies its resistance to brute-force enumeration. Given a character pool of size N and a string length L, the entropy in bits is:

H = L × log₂(N)

Where H = entropy in bits, L = number of characters in the generated string, N = total unique characters in the pool. The total combinatorial search space is N^L. For example, an alphanumeric pool (N = 62) at length 16 gives 62¹⁶ ≈ 4.77 × 10²⁸ possible strings.

Rejection sampling ensures uniform distribution. A random byte (0 - 255) is generated and accepted only if it falls below the largest multiple of N that fits in 256:

threshold = 256 − (256 mod N)

Bytes ≥ threshold are discarded and resampled, eliminating modulo bias.

Reference Data

Character Set	Pool Size (N)	Bits per Char	Length for 128-bit Entropy	Example Characters
Lowercase only	26	4.70	28	a - z
Uppercase only	26	4.70	28	A - Z
Digits only	10	3.32	39	0-9
Lowercase + Digits	36	5.17	25	a - z, 0-9
Alphanumeric (mixed)	62	5.95	22	a - z, A - Z, 0-9
Alphanumeric + Symbols	94	6.55	20	a - z, A - Z, 0-9, !@#$...
Hex (lowercase)	16	4.00	32	0-9, a - f
Hex (uppercase)	16	4.00	32	0-9, A - F
Base64 charset	64	6.00	22	A - Z, a - z, 0-9, +, /
Binary	2	1.00	128	0, 1
Octal	8	3.00	43	0-7
ASCII printable	95	6.57	20	Space through ~
Vowels only	10	3.32	39	a, e, i, o, u (both cases)
Consonants only	42	5.39	24	b - z minus vowels (both cases)
Ambiguity-free	57	5.83	22	Excludes 0/O, 1/l/I, 5/S

Frequently Asked Questions

Math.random() uses a PRNG (typically xorshift128+) seeded from a low-entropy source. Its output is deterministic and reconstructible if the internal state is captured. crypto.getRandomValues() draws from the OS entropy pool (/dev/urandom on Linux, BCryptGenRandom on Windows), producing output suitable for cryptographic key material per W3C Web Cryptography API specification.

When mapping a random byte (range 0-255, yielding 256 values) to a character pool of size N that does not evenly divide 256, a naive modulo operation creates bias. For example, with N = 62, indices 0-5 would appear with probability 5/256 while indices 6-61 appear with 4/256. Rejection sampling discards bytes ≥ 256 − (256 mod N), ensuring each character has exactly equal probability. The expected rejection rate is (256 mod N) / 256, which is negligible for most pool sizes.

Pattern mode scans the template character by character. "A" maps to a random uppercase letter (A - Z). "a" maps to a random lowercase letter (a - z). "9" maps to a random digit (0-9). "X" maps to a random uppercase hexadecimal character (0-9, A - F). "*" maps to any alphanumeric character. All other characters (hyphens, underscores, spaces) are treated as literal separators and passed through unchanged. Example: "AAA-9999" produces strings like "KMB-3821".

The generator calculates the maximum possible unique strings as N^L (pool size raised to string length). If your requested quantity exceeds this value, generation halts early and reports the actual number produced. For example, requesting 1000 unique 2-character binary strings is impossible since 2^2 = 4 unique combinations exist. The tool will produce 4 strings and warn you.

OWASP recommends session identifiers carry at least 128 bits of entropy. NIST SP 800-63B requires 112 bits minimum for authentication secrets. For API keys used in production, 256 bits provides a comfortable security margin. Use the entropy indicator displayed alongside your output to verify your configuration meets these thresholds.

Yes. Removing ambiguous characters (0, O, 1, l, I, 5, S) reduces the pool size N, which directly decreases bits-per-character. From a 62-character alphanumeric pool, excluding 7 ambiguous characters drops N to 55, reducing per-character entropy from 5.95 to 5.78 bits. The displayed entropy value always reflects the actual pool after all exclusions are applied.