Random String Generator

Frequently Asked Questions

PHP's random_int() and random_bytes() use the operating system's CSPRNG (cryptographically secure pseudo-random number generator). While modern browsers also expose crypto.getRandomValues(), server-side generation ensures the randomness is never exposed to client-side JavaScript that could be intercepted by browser extensions or scripts on the page.

Hex strings (0–9 a–f) are URL-safe and often used for session tokens, CSRF tokens, and API keys. A 32-character hex string contains 128 bits of entropy (since each hex digit encodes 4 bits), which is widely considered sufficient for security tokens.

How Random String Generation Works

Every string is generated server-side using PHP's CSPRNG — cryptographically secure pseudo-random number generator — for maximum unpredictability.

Build Character Pool

The selected charset (alphanumeric, hex, symbols, or custom) is assembled into a pool string. The pool's length determines the entropy per character: a 62-char alphanumeric pool gives log₂(62) ≈ 5.95 bits per character.

Cryptographic Index Selection

For each position, PHP's random_int(0, strlen($pool)-1) picks a uniformly random index using the operating system's entropy source (e.g., /dev/urandom on Linux). No modular bias is introduced.

Return as JSON Array

The requested number of strings (up to 50) are generated in a single PHP request and returned together. Each string is independently random — no two are derived from each other.

Common Use Cases

API Keys & Access Tokens

Generate 32–64 character hex or alphanumeric strings for API keys. Store only the hash (see Hash Generator), never the plaintext key, to limit exposure on database breach.

CSRF & Session Tokens

Session IDs and CSRF tokens must be unpredictable. A 32-char hex token (128 bits of entropy) meets OWASP's minimum recommendations. Generate fresh tokens here to use in security testing or prototype apps.

Email Verification Codes

A 6–8 character numeric or alphanumeric token is easy for users to copy from email. Generate verification codes for email confirmation, SMS OTP, and 2FA flows with the numeric or short-alphanumeric preset.

Short URL Slugs

6–8 character alphanumeric strings make collision-resistant, URL-safe slugs for short links, invite codes, and shareable resource IDs. The 62-character pool gives 56 billion unique combinations at length 6.

Encryption Secrets & Salts

Application secret keys (for AES, JWT signing, cookie encryption) should be 32+ character hex strings (256-bit). Generate one here when bootstrapping a new application environment.

Database Seed Data

When seeding a test database with randomized records, generate batches of up to 50 strings at once for usernames, order numbers, SKUs, and other string fields that need to be unique and realistic-looking.