About Random String Generator

Secure random strings — hex, base64, base58, symbols, custom length. Part of the DevTools Surf developer suite. Browse more tools in the Generators collection.

Use Cases

• Generate one-off API keys for dev/staging environments
• Create unique test fixtures with specific formats
• Produce credentials for local secret files
• Generate entropy for dev-only encryption demos

Tips

• Set charset=alnum|hex|HEX|base58|base64|numeric|alpha|symbols
• Up to 500 strings per run, up to 512 chars each
• base58 strips 0, O, I, l to avoid visual ambiguity

Fun Facts

• base58 was invented for Bitcoin addresses — it's base64 minus the characters that look alike (0/O, 1/I/l) and the non-alphanumeric +/ symbols.
• The Web Crypto API's getRandomValues() uses the OS CSPRNG (/dev/urandom on Linux, BCryptGenRandom on Windows), making browser-generated random strings cryptographically secure.
• A random 22-character base62 string has ~131 bits of entropy — comparable to a UUID v4's 122 bits but without the dashes and fixed format.

FAQ

What character sets?

Hex, base64, base64url, base58 (no ambiguous chars), alphanumeric, plus custom sets. Pick the one your downstream system expects.

Is it crypto-secure?

Yes — uses `crypto.getRandomValues`, the browser's CSPRNG. Safe for API keys, session tokens, and any security-sensitive randomness.

How long should I make it?

16 hex chars: 64 bits of entropy (guessable in theory, fine for non-adversarial IDs). 32 hex: 128 bits (uncrackable). 48+ for high-security tokens.

What about URL-safe output?

base64url and base58 are URL-safe (no +, /, or = characters). Hex is always URL-safe. Regular base64 needs URL encoding when put in query strings.