Security-friendly output
JavaScript Random String Generator
Generate random strings online for passwords, session tokens, verification codes, filenames, and API keys. The page focuses on secure browser generation first, then shows the matching JavaScript and Node.js code.
Generate secure random strings
Use the browser tool for passwords, API keys, verification codes, test fixtures, and one-off tokens.
Secure randomness powered by the Web Crypto API when available.
- Use at least 16 characters for session tokens and 32 characters for API keys.
- Use symbols only when the destination system accepts them.
- For short verification codes, prefer digits only and limit the number of attempts you allow server-side.
Use the browser first
The generator is useful when you need output immediately and want to validate the final format before touching your codebase.
Then copy the snippet
Once the output looks right, use the Browser or Node.js examples below to move the same logic into your app.
Treat secrets differently
Passwords, session tokens, and API keys should use stronger defaults than human-facing verification codes or slugs.
Code examples
Use the browser example when you only need generation on the client. Switch to the Node.js version when the server owns token creation.
Browser example with crypto.getRandomValues()
function generateRandomString(length, alphabet) {
  const chars = alphabet || "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  const limit = 256 - (256 % chars.length); // reject bytes >= limit to avoid modulo bias
  let result = "";
  while (result.length < length) {
    const values = crypto.getRandomValues(new Uint8Array(length));
    for (const value of values) {
      if (value < limit && result.length < length) result += chars[value % chars.length];
    }
  }
  return result;
}
const sessionToken = generateRandomString(32);

Node.js example with crypto.randomBytes()
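import { randomBytes } from "crypto";
function generateRandomString(length, alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") {
  const limit = 256 - (256 % alphabet.length); // reject bytes >= limit to avoid modulo bias
  let result = "";
  while (result.length < length) {
    for (const value of randomBytes(length)) {
      if (value < limit && result.length < length) result += alphabet[value % alphabet.length];
    }
  }
  return result;
}
const apiKey = generateRandomString(32);

When to use which format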
Passwords
Longer strings with symbols can improve strength, but only if the destination system accepts those characters.
Verification codes
Short numeric codes are easier to read and type, but they should expire quickly and limit retries.
Slugs and filenames
A shorter, readable character set is often better than maximum entropy when humans still need to handle the value.
Frequently asked questions
How do I generate a random string in JavaScript?
Use the Web Crypto API in the browser or the crypto module in Node.js. Generate random bytes first, then map those bytes to a character set such as letters, digits, or symbols.
Why not use Math.random() for passwords or API keys?
Math.random() is not cryptographically secure. It can be fine for visual effects or simple demos, but not for secrets, tokens, or anything security-sensitive.
Can I make the strings easier to read?
Yes. Excluding ambiguous characters such as 0 and O or 1 and l makes copy-paste and manual entry less error-prone, especially for support workflows.
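Mapping one random byte to a character with `byte % alphabet.length` is uniform only when the alphabet length divides 256. The added example below, which is not part of the original page, counts the exact skew for the 62-character and digits-only alphabets and draws strings by rejection sampling; the `READABLE` alphabet and all function names are assumptions made for this illustration.

```javascript
// Added example (not from the original page). Runs in browsers and Node.js.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed alphabet: letters and digits without 0, O, 1 and l (58 characters).
const READABLE = "ABCDEFGHIJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

// How many of the 256 possible byte values map to each index under `byte % n`.
function moduloCounts(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}

// Most likely character vs. least likely character; 1 means perfectly uniform.
function biasRatio(n) {
  const counts = moduloCounts(n);
  return Math.max(...counts) / Math.min(...counts);
}

// Largest multiple of n that fits in one byte; bytes at or above it are discarded.
function rejectionLimit(n) {
  return 256 - (256 % n);
}

// Entropy in bits of `length` characters drawn uniformly from n symbols.
function entropyBits(n, length) {
  return length * Math.log2(n);
}

function unbiasedRandomString(length, alphabet = READABLE) {
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError("alphabet needs 2 to 256 characters");
  const limit = rejectionLimit(n);
  let out = "";
  while (out.length < length) {
    // getRandomValues() accepts at most 65536 bytes per call.
    const size = Math.min(65536, 2 * (length - out.length));
    for (const b of webCrypto.getRandomValues(new Uint8Array(size))) {
      if (b < limit && out.length < length) out += alphabet[b % n];
    }
  }
  return out;
}

console.log(biasRatio(62), biasRatio(10), biasRatio(64));
console.log(entropyBits(62, 32).toFixed(1), entropyBits(READABLE.length, 32).toFixed(1));
console.log(unbiasedRandomString(32));
```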