User Rating 0.0 ★★★★★

Total Usage 0 times

Category Text Generators

Character Sets

Uppercase (A–Z) Lowercase (a–z) Digits (0–9) Symbols (!@#$%...) Exclude Ambiguous (0OlI1)

Custom Characters

Exclude Characters

Settings

String Length

Quantity

Prefix

Suffix

Separator (batch)

Presets

Pool: 0 chars | Entropy: 0 bits | Strength: —

Is this tool helpful?

Your feedback helps us improve.

★ ★ ★ ★ ★

About

Predictable identifiers cause collisions in databases, compromise session tokens, and weaken authentication layers. This generator uses the Web Crypto API (crypto.getRandomValues) to produce strings from a cryptographically secure pseudorandom number generator (CSPRNG), not Math.random. The output pool is constructed from user-selected character classes and filtered through rejection sampling to eliminate modulo bias. Entropy is computed as H = L × log₂(N), where L is string length and N is the effective pool size after exclusions. A pool of 62 characters (A - Z, a - z, 0-9) at length 16 yields approximately 95.3 bits of entropy. The tool approximates collision probability under the birthday paradox model. Note: entropy calculations assume uniform distribution, which holds only when the CSPRNG and rejection sampling are correctly applied.

Formulas

The entropy of a randomly generated string measures the number of possible combinations expressed in bits. Higher entropy means exponentially more brute-force attempts are required.

H = L × log₂(N)

Where H = total entropy in bits, L = length of the generated string, N = number of unique characters in the pool after exclusions.

Collision probability under the birthday paradox for k generated strings from a space of S = N^L possible strings:

P(collision) ≈ 1 − e^−k²2S

Where k = number of strings generated, S = N^L = total keyspace size. For 1 000 000 strings at 95.3 bits entropy, collision probability is approximately 1.3 × 10⁻¹⁷.

Rejection sampling removes modulo bias. A random 32-bit unsigned integer r is accepted only when r < limit, where limit = 2³² − (2³² mod N). This ensures each character index from 0 to N − 1 has equal probability.

Reference Data

Character Set	Pool Size (N)	Characters	Entropy per Char (bits)	Length for 128-bit Entropy
Digits only (0-9)	10	0123456789	3.32	39
Lowercase only (a - z)	26	abcdefghijklmnopqrstuvwxyz	4.70	28
Uppercase only (A - Z)	26	ABCDEFGHIJKLMNOPQRSTUVWXYZ	4.70	28
Upper + Lower	52	A - Z, a - z	5.70	23
Alphanumeric (default)	62	A - Z, a - z, 0-9	5.95	22
Alphanumeric + Symbols	95	All printable ASCII	6.57	20
Hex (uppercase)	16	0-9, A - F	4.00	32
Hex (lowercase)	16	0-9, a - f	4.00	32
Base64 charset	64	A - Z, a - z, 0-9, +, /	6.00	22
Binary (0-1)	2	01	1.00	128
Octal (0-7)	8	01234567	3.00	43
Ambiguity-safe set	57	Alphanumeric minus 0, O, l, I, 1	5.83	22
URL-safe	64	A - Z, a - z, 0-9, -, _	6.00	22
Consonants only	42	BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz	5.39	24
Vowels + digits	20	AEIOUaeiou0123456789	4.32	30

Frequently Asked Questions

Math.random uses a PRNG (typically xorshift128+) that is not cryptographically secure. Its internal state can be reconstructed from observed outputs, making generated tokens predictable. crypto.getRandomValues draws from the operating system's entropy pool (e.g., /dev/urandom on Linux, CryptGenRandom on Windows), producing output suitable for session tokens, API keys, and nonces. For any security-sensitive identifier, CSPRNG is mandatory.

When mapping a random 32-bit integer to a smaller range via r mod N, if 2³² is not evenly divisible by N, lower indices get slightly higher probability. Rejection sampling discards values of r above the largest multiple of N that fits in 32 bits. The rejection rate is at most 1/2³² per character for typical pool sizes, so performance impact is negligible.

Session tokens and CSRF tokens: minimum 128 bits (OWASP recommendation). Database primary keys (UUIDs): 122 bits (UUIDv4 standard). Short verification codes (SMS OTP): 20 - 30 bits with rate limiting. API keys for non-critical services: 80 - 128 bits. File naming to avoid collisions: 64 - 80 bits is typically sufficient.

When strings are read aloud, printed, or handwritten, characters like uppercase O and digit 0, or lowercase L and digit 1, are visually indistinguishable in many fonts. Excluding these 5 characters reduces the pool from 62 to 57, losing only 0.12 bits per character but eliminating transcription errors. Standards like Crockford's Base32 apply this principle.

No. Exclusions are applied at pool construction time, before any random sampling occurs. The effective pool is built as a single array of allowed characters. The CSPRNG then selects uniformly from this reduced pool. Entropy is recalculated against the actual pool size N after exclusions, so the displayed entropy metric remains accurate.

The generator supports lengths up to 1024 characters and batch sizes up to 500 strings. At maximum settings (1024 × 500 = 512 000 characters), generation completes in under 50 ms on modern hardware. The bottleneck is DOM rendering, not randomness generation. For larger batches, consider downloading as a text file.