Genfy
Tech

Random String Generator

Generate random strings with the alphabet and length you need. Useful for tokens, slugs, short IDs, test data and unique filenames.

Instant🔒In your browserNo signup
Live

When to use a random string

Random strings serve very different purposes depending on context. They're not the same as a password, even though they're generated the same way underneath. Common cases:

  • Internal tokens: beta invitation codes, signed download links, password reset tokens.
  • Short IDs: a shorter alternative to UUID when readability or length matters (URL slugs, visible IDs).
  • Unique filenames: to prevent collisions when uploading to S3, R2 or GCS.
  • Test data: filling text fields in seeds and fixtures without making them look realistic.
  • Coupon codes: when you want something shorter than a UUID but still secure.

Choosing the alphabet

The alphabet affects readability, entropy per character, and where you can use the string.

  • Digits only (10): 3.32 bits/char. For one-time codes (OTP).
  • Lowercase alphanumeric (36): 5.17 bits/char. Good for URL slugs.
  • Base62 (62): 5.95 bits/char. Standard for short IDs and tokens.
  • Hex (16): 4 bits/char. Compatible with almost everything.
  • With symbols (~95): 6.57 bits/char. Only when the destination supports them.

How entropy is calculated

The formula is bits = length × log2(N), where N is the alphabet size. Practical examples:

  1. 16 alphanumeric characters = 95 bits. Plenty for any internal token.
  2. 21 base62 characters = 125 bits. The nanoid default.
  3. 32 hex = 128 bits. Equivalent to a UUID v4.
  4. 43 base62 = 256 bits. For master encryption keys.

Below 64 bits, assume an attacker can brute-force it. Above 128 bits, it's out of reach even with massive compute.

Token best practices

  • If the token goes in a URL, avoid symbols that need escaping.
  • If humans will read it, skip ambiguous characters (0, O, 1, l, I).
  • Store a hash if the token is used for authentication, not plaintext.
  • Give it a real expiration, not infinite.
  • Log usage (creation, first use, last use at minimum).

When NOT to use this generator

Don't use it as a primary password for a human account — the password generator is tuned for that. Don't use it for IDs that need to be coordinated across distributed systems — UUID v4 or v7 is the right tool there. And don't use it for data that has to be stable: every generation produces something different, unless you copy and paste.

FAQ

How is this different from the password generator?

This produces strings with any alphabet and length. The password generator is optimized for human login with a strength meter.

Can I use it as a short ID like nanoid?

Yes. Base62 with length 21 gives ~125 bits, same as nanoid by default.

How is entropy calculated?

bits = length × log2(alphabet size). 16 characters from a 36-symbol set ≈ 82 bits.

Can I use it for passwords?

Yes, but the dedicated password generator has a more polished UI for that case.

Was this generator useful?

Other generators you might like

🔐 Online Base64 Encoder Encode text to Base64 instantly. Supports UTF-8, URL-safe variant and files. Runs entirely in your browser, no data sent. Tech 🔐 Morse Code Translator Translate text to Morse code and back. Full international table: letters, numbers and punctuation. Ideal for ham radio, scouts and curious learners. Tech 🔐 Online Base64 Decoder Decode Base64 text to UTF-8 instantly. Supports URL-safe variant and missing padding. Runs entirely in your browser. Tech 🔐 Online JWT Decoder Decode JSON Web Tokens instantly: header, payload and signature. Inspect claims, expiration and algorithm. 100% in your browser. Tech