Hex Password Generator
Generate passwords using only hexadecimal characters (0-9, a-f).
About This Tool
Generate passwords using only hexadecimal characters (0-9, a-f). All operations are performed entirely in your browser for maximum security. No data is ever sent to any server.
crypto.getRandomValues(), a cryptographically secure random number generator built into your browser.
What is Hexadecimal?
Hexadecimal (base-16) uses 16 symbols: digits 0–9 and letters a–f. Each hex character represents exactly 4 bits (a nibble), making hex the natural language of binary data. Two hex characters represent one byte (8 bits), so a 32-character hex string encodes 16 bytes of data. This tight relationship between hex and bytes is why cryptographic tools overwhelmingly prefer hex output — it is unambiguous, compact, and maps directly to the underlying binary.
Entropy and Security
Each character in a hex string contributes exactly log₂(16) = 4 bits of entropy. A string of N hex characters has 4N bits of entropy total:
- 32 hex characters (16 bytes): 128 bits — standard for AES-128 keys and session tokens
- 40 hex characters (20 bytes): 160 bits — SHA-1 output length
- 64 hex characters (32 bytes): 256 bits — AES-256 key length, SHA-256 output
- 128 hex characters (64 bytes): 512 bits — SHA-512 output length
For comparison, a 32-character alphanumeric password (62 possible characters) has about 190 bits of entropy, while a 32-character hex string has only 128 bits. Hex trades some entropy density for universal compatibility — every system can handle digits and the letters a–f without escaping.
Common Uses for Hex Strings
Hex-encoded random strings appear throughout software engineering:
- Encryption and MAC keys: AES, HMAC, and other symmetric algorithms expect keys as hex or raw bytes. A 64-character hex string is a valid AES-256 key.
- Hash values: MD5 (32 hex chars), SHA-1 (40), SHA-256 (64), SHA-512 (128) are all displayed as hex strings.
- Database record IDs: Some systems use 32-character hex strings (similar to UUIDs without hyphens) as primary keys.
- Git commit hashes: Every git commit is identified by a 40-character SHA-1 hex string (or 64-character SHA-256 in newer repositories).
- Color codes: CSS and design tools use hex to represent RGB colors (#rrggbb).
- Nonces and IVs: Cryptographic initialization vectors and nonces are generated as random hex strings.
Hex vs. Base64 vs. Alphanumeric
Hex strings are longer than Base64 (2 chars per byte vs. 1.33 chars per byte) but have two advantages: they contain only alphanumeric characters (making them safe anywhere without escaping), and they are case-insensitive (0-9a-f and 0-9A-F represent the same values). Base64 is more compact but contains +, /, and = that may need escaping in URLs and configuration files. Choose hex when brevity does not matter and maximum compatibility is required.
Frequently Asked Questions
When is hex format useful?
Hex is commonly used for encryption keys, hashes, tokens, and anywhere that requires a compact representation of binary data. It is also the standard output format for cryptographic hash functions like SHA-256.
What is the entropy of a hex string?
Each hex character provides 4 bits of entropy (log2(16) = 4). A 32-character hex string has 128 bits of entropy, which is the standard for AES-128 keys. A 64-character string has 256 bits, matching AES-256.
Should I use lowercase or uppercase hex?
Both represent the same values. Lowercase (a-f) is more common in modern software and is the output format of most hash functions. Uppercase (A-F) is sometimes seen in older systems and hardware documentation. Choose whichever your target system expects.
How many hex characters do I need?
For session tokens and API keys, 32 characters (128 bits) is the practical minimum. For encryption keys matching AES-256, use 64 characters. For general-purpose secrets where you want a comfortable margin, 40–64 characters is a solid choice.