RandomStringUtils

About

RandomStringUtils is a utility class from Apache Commons Lang that provides static methods for generating random strings.

It is useful for:

  • Generating random IDs

  • Temporary passwords

  • Test data

  • Nonces or tokens

  • Unique filenames

Unlike java.util.Random or UUID, RandomStringUtils allows full control over the characters used, the length of the string, and whether to include letters, numbers, or a custom character set.

Characteristics

  • All methods are static.

  • Allows control over string length, character composition, and custom characters.

  • Works well for mock data generation, test automation, and security use-cases.

  • Internally uses java.util.Random, so it is not cryptographically secure.

Maven Dependency & Import

Common Methods

1. random(int count)

Generates a random string of the given length, using letters and numbers.

2. randomAlphabetic(int count)

Generates a string with only alphabetic characters (A–Z, a–z).

3. randomAlphanumeric(int count)

Generates a string with letters and digits.

4. randomNumeric(int count)

Generates a string with only digits.

5. randomAscii(int count)

Generates a string with printable ASCII characters (32–126).

6. random(int count, char[] chars)

Generates a random string using a custom character set.

7. random(int count, boolean letters, boolean numbers)

Generates a string with the option to include only letters, only numbers, or both.

Important Notes

  1. It is not cryptographically secure. Do not use it for secure password generation or tokenization.

What it means:

  • RandomStringUtils uses a regular random number generator under the hood (java.util.Random), which is fast but predictable.

  • If someone knows how it generates values, they could guess or reproduce the random strings.

  • This makes it unsafe for sensitive data such as:

    • Passwords

    • Access tokens

    • Session IDs

    • API keys

    • Encryption keys

Why it's a problem:

  • In a secure system, these values must be unpredictable and unique, even if someone knows the logic.

  • Using a weak random generator could allow attackers to guess valid values, leading to security breaches.

  2. For secure use cases, prefer java.security.SecureRandom or UUID.randomUUID().

What to use instead:

  1. SecureRandom

    • It’s designed for cryptographic use and generates random numbers that are hard to predict.

    • Example:

    • Use cases:

      • Token generation

      • Password reset links

      • Secure OTPs

      • Any sensitive data

  2. UUID.randomUUID()

    • Generates a universally unique identifier (UUID) using cryptographically strong random values (on most JVMs).

    • Example:

    • Safe for:

      • Unique IDs

      • Tracking identifiers

      • Public reference codes

    • Not ideal for:

      • Short random strings

      • Human-friendly formats (too long and complex)
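A worked example, added here (not code from the page or from Commons Lang's own documentation), showing a SecureRandom-based token generator with a custom length and alphabet beside UUID.randomUUID(). It also passes a SecureRandom into the RandomStringUtils.random(count, start, end, letters, numbers, chars, random) overload, which the list above does not mention; the ALPHABET value and the token lengths are chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.UUID;
import org.apache.commons.lang3.RandomStringUtils;

public class SecureTokens {
    // Alphabet chosen for illustration: upper-case letters and digits with
    // the easily confused characters (0, O, 1, I) left out. 32 symbols means
    // exactly 5 bits of entropy per character.
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private static final SecureRandom RNG = new SecureRandom();

    // Secure token of arbitrary length over the custom alphabet.
    // nextInt(bound) is uniform over [0, bound), so no modulo bias is introduced.
    static String secureToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // RandomStringUtils accepts a Random source as its last argument.
    // With start = end = 0 and letters = numbers = true it behaves like
    // randomAlphanumeric(count), but draws from the SecureRandom supplied here
    // instead of the predictable default generator.
    static String secureAlphanumericViaCommons(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, RNG);
    }

    public static void main(String[] args) {
        // Predictable: fine for test data or mock IDs, not for credentials.
        System.out.println("test data   : " + RandomStringUtils.randomAlphanumeric(16));
        // 24 characters * 5 bits = 120 bits of entropy.
        System.out.println("secure token: " + secureToken(24));
        System.out.println("commons+SR  : " + secureAlphanumericViaCommons(16));
        // Fixed 36-character format; cannot be shortened or given a custom alphabet.
        System.out.println("uuid        : " + UUID.randomUUID());
    }
}
```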

Comparison: RandomStringUtils vs Alternatives

Feature                  | RandomStringUtils | UUID                 | SecureRandom
-------------------------|-------------------|----------------------|------------------------
Custom length            | Yes               | No (always 36 chars) | Yes
Custom characters        | Yes               | No                   | Yes (manual)
Letters/numbers only     | Yes               | No                   | Yes (manual)
Cryptographically secure | No                | Yes                  | Yes
Simple and quick         | Yes               | Yes                  | No (more code required)
