Cryptographically random strings via crypto.getRandomValues. Use for passwords, API keys, or session tokens.
Character sets
Select your desired length (8–128) and which character sets to include — uppercase, lowercase, numbers, and symbols. Click Generate (or Regenerate) to produce a new string using crypto.getRandomValues(), the browser's cryptographically secure random number generator. Nothing leaves your browser.
The tool uses crypto.getRandomValues(), which draws entropy from the operating system's hardware pool. Unlike Math.random(), it is unpredictable even if an attacker knows previous outputs — making it safe for secrets.
Session tokens, API keys, CSRF tokens, one-time passwords, unique file names, and any secret that must be unguessable.
For session tokens and API keys, 32–64 characters from a mixed charset provides 190–380 bits of entropy. For short one-time codes, 8–12 alphanumeric characters is typically sufficient.
No. Math.random() is a deterministic algorithm that can potentially be predicted. Always use crypto.getRandomValues() (browser) or crypto.randomBytes() (Node.js) for security-sensitive randomness.
More free tools