Guide · 6-digit OTPs & codes
Random 6-Digit Number Generator
Updated: June 2026
The six-digit code is everywhere — it's the format behind one-time passwords, two-factor logins, email confirmations and short reference IDs. Six digits hit a sweet spot: a million combinations is hard to guess in a short window, yet still quick to read aloud or type. This guide shows how to generate one properly, why the range size matters, and when security demands a cryptographic source.
Free · No upload · Instant in the browser
How to generate one
Set the minimum to 0 and the maximum to 999999, leave How many at 1, and generate. That covers every six-digit code from 000000 to 999999 — one million in total. If you need a code that never starts with a zero, set the minimum to 100000 instead, which limits results to 100000–999999.
Real OTP systems keep leading zeros — a code shown as 004217 is valid and uses the full keyspace. There's no security reason to throw away the 100,000 codes that begin with zero, so allow them.
Why six digits?
Six digits balance two competing needs: enough entropy to resist guessing, and few enough characters to type comfortably. A million combinations means a single random guess succeeds only 1 in 1,000,000 times. Pair that with a short validity window — typically 30 to 60 seconds for an authenticator code — and a few allowed attempts, and brute force becomes hopeless: an attacker would need hundreds of thousands of tries inside a one-minute window.
| Length | Combinations | Typical use |
|---|---|---|
| 4 digits | 10,000 | Card and phone PINs |
| 6 digits | 1,000,000 | OTP, 2FA, email codes |
| 8 digits | 100,000,000 | Longer backup codes |
That's why authenticator apps and SMS verification almost universally settle on six. It's secure enough for short-lived codes without being a chore to enter.
Always use crypto-secure for codes
For a verification code or OTP, turn on Crypto-secure without exception. A code that grants access must be unpredictable, and the default pseudo-random source is, in theory, reconstructable from its internal state. The crypto-secure option uses crypto.getRandomValues, the browser's cryptographic generator, producing values no one can anticipate. For anything tied to authentication, this is non-negotiable.
Batches and uniqueness
Generating codes for many users or test cases at once? Raise How many to produce a batch, and switch on No repeats (unique) if every code must differ. With a million possible values you can draw a large number of unique six-digit codes before the pool gets tight. Typical uses include:
- One-time passwords and two-factor codes.
- Email or SMS confirmation codes.
- Short numeric reference or booking IDs.
- Test fixtures that mimic real OTP formats.
Generated only on your device
Every code is created locally in your browser and never uploaded. For codes that protect accounts, that locality is part of the security story — there's no server log, no network request, nothing to intercept. The page even works offline once loaded.
Frequently asked questions
How do I generate a random 6-digit number?
Set the range from 0 to 999999 (or 100000 to 999999 to avoid leading zeros) and generate. There are one million codes from 000000 to 999999.
Why are OTPs six digits?
Six digits give a million combinations — hard to guess in a short window, yet easy to type. Most 2FA and OTP systems use six for that balance.
Is a 6-digit code secure enough?
For short-lived codes with limited attempts, yes. A million combinations plus a brief validity window make guessing impractical, especially with the crypto-secure source.
Are leading zeros kept?
Yes. Set the minimum to 0 and a result like 004217 is valid, using the full million-code keyspace.