This generator pulls bytes directly from the browser's CSPRNG — window.crypto.getRandomValues — and maps them onto your chosen alphabet. Built-in presets cover alphanumeric, hex, and base64url; a custom field lets you supply any character set you need. Output is always cryptographically random, which matters for anything that grants access.
Length controls the strength: 16 hex characters give 64 bits of entropy (good for opaque IDs), 32 base64url characters give 192 bits (overkill for almost any session token), and 22 base64url characters give 128 bits (ideal for UUID-strength identifiers). For the canonical RFC 4122 form, switch on UUID v4 mode and the tool emits the standard 8-4-4-4-12 hex layout.
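The page does not say how the tool maps bytes onto the alphabet. The sketch below is an added example, not the generator's own code, and shows one bias-free way to do it: rejection sampling over `crypto.getRandomValues` output, plus the entropy calculation behind the length figures above. The names `randomString`, `entropyBits` and the injectable `fillBytes` parameter are assumptions made for illustration.

```javascript
// Added example, not the generator's own code: unbiased mapping of CSPRNG
// bytes onto an arbitrary alphabet by rejection sampling.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const HEX = '0123456789abcdef';
const BASE64URL =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Default byte source: the platform CSPRNG (max 65536 bytes per call).
function csprngBytes(n) {
  return webCrypto.getRandomValues(new Uint8Array(n));
}

// fillBytes is injectable (an assumption of this sketch) so the sampler can
// be exercised with constructed bytes.
function randomString(length, alphabet, fillBytes = csprngBytes) {
  const chars = [...new Set(alphabet)]; // duplicates would skew the output
  if (chars.length < 2 || chars.length > 256) {
    throw new RangeError('alphabet needs 2 to 256 distinct characters');
  }
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  // Largest multiple of chars.length that fits in one byte. Bytes at or above
  // it are discarded; a plain `byte % chars.length` would favour the first
  // 256 % chars.length characters.
  const limit = 256 - (256 % chars.length);
  const out = [];
  while (out.length < length) {
    const want = Math.min(65536, (length - out.length) * 2);
    for (const b of fillBytes(want)) {
      if (b < limit && out.length < length) out.push(chars[b % chars.length]);
    }
  }
  return out.join('');
}

// Entropy in bits of a string drawn uniformly from the alphabet.
function entropyBits(length, alphabet) {
  return length * Math.log2(new Set(alphabet).size);
}
```

For alphabets whose size is a power of two (hex, base64url) no bytes are rejected; the rejection step only matters for presets such as 62-character alphanumeric or a custom set.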
Yes, the output is cryptographically secure. The string is built from bytes returned by window.crypto.getRandomValues(), which is the browser's standards-mandated CSPRNG. It is suitable for API tokens, session secrets, and other security-sensitive values.
Math.random() is a deterministic pseudo-random generator seeded from the page environment — fast, but predictable enough that it has been broken in published research. crypto.getRandomValues() is seeded by the operating system's entropy pool and designed to resist prediction.
Base64url is base64 with "+" and "/" replaced by "-" and "_", and no "=" padding. The result is URL-safe, cookie-safe, and JSON-safe without escaping — the de-facto standard for opaque tokens, JWT segments, and OAuth state values.
For a 32-character base64url token (192 bits) the collision probability across the lifetime of the universe is effectively zero. Shorter strings collide more easily; under 16 hex characters you should expect occasional duplicates in very large batches.