Cryptographic Random vs Math.random: Which Is Secure?
Almost every "random number generator" website on the internet uses JavaScript's Math.random(). It is one line of code, it works, and for picking a movie tonight it is fine. For lottery picks, password seeds, raffle winners, or anything where the result has value, it is the wrong choice. Here is why, in language non-developers can follow.
Our free random number generator uses window.crypto.getRandomValues instead, the browser's cryptographic random source. The difference matters more than most people realize.
The Core Difference
Math.random() is a pseudo-random number generator (PRNG). It runs a deterministic formula over a small internal state that starts from a "seed" value. Same seed in, same sequence of "random" numbers out. It is fast, but predictable to anyone who learns the state, and JavaScript does not even let you choose the seed: the engine picks it at startup.
window.crypto.getRandomValues() is a cryptographically secure pseudo-random number generator (CSPRNG). It is seeded, and periodically reseeded, from the operating system's entropy pool, which collects unpredictable timing from hardware and device events, and it expands that seed with a cryptographic algorithm whose output does not reveal its internal state no matter how many values you observe.
The key difference: with Math.random, an attacker who sees a few output values can compute the next ones. With crypto.getRandomValues they cannot, short of breaking the underlying cipher or compromising the machine it runs on.
Why Math.random Is Predictable
Non-cryptographic PRNGs keep a small internal state and leak it through their output. The xorshift128+ generator behind Math.random in Chrome, Firefox, and Node.js has 128 bits of state, and its update is nothing but shifts and XORs, so every output bit is a linear function of the state bits. Observing a handful of consecutive values is enough to solve for the state, after which every future value follows with certainty.
This is not theoretical. Public proof-of-concept tools recover the Math.random state of Chrome, Firefox, and Safari from a few observed values, typically by handing the equations to an SMT solver such as Z3, and they ship with working code.
This is fine when randomness is just for entertainment. It is catastrophic for anything where someone might want to predict your next "random" value.
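The attack sketched above, as an added example that is not code from this page or from any browser engine: it implements xorshift128+ in V8's form (the state update and the conversion to a double mirror the engine's algorithm), collects a few outputs, and solves for the 128-bit state with plain Gaussian elimination over GF(2), since the generator is entirely shifts and XORs. The seed is a constructed value and the function names are the example's own. One deployment detail is deliberately ignored: V8 fills a cache of 64 values and hands them out from the end, so against a real Chrome tab the observed sequence has to be reordered first. For this generator four consecutive outputs already pin down the state; the solver returns null while it has fewer.

```javascript
// Added example, not code from the original page or from any browser engine.
// Implements xorshift128+ the way V8 (Chrome, Node.js) does and recovers the
// generator's 128-bit state from a handful of Math.random()-style outputs.
// Every operation in the generator is a shift or XOR (linear over GF(2)), so
// Gaussian elimination recovers the state; no SMT solver is needed.
// Assumption: the observed doubles come straight from the generator, in order.

const W = 64;
const MASK64 = (1n << 64n) - 1n;

// A 64-bit word is an array of 64 BigInt "bits", index 0 = least significant.
// Concrete bits are 0n/1n. Symbolic bits are 128-bit masks recording which
// unknown initial-state bits XOR into that position. XOR works for both.
const shl = (w, k) => Array.from({ length: W }, (_, i) => (i >= k ? w[i - k] : 0n));
const shr = (w, k) => Array.from({ length: W }, (_, i) => (i + k < W ? w[i + k] : 0n));
const xor = (a, b) => a.map((bit, i) => bit ^ b[i]);
const toWord = (n) => Array.from({ length: W }, (_, i) => (n >> BigInt(i)) & 1n);
const fromWord = (w) => w.reduce((acc, bit, i) => acc | (bit << BigInt(i)), 0n);

// One step of xorshift128+, mirroring V8's XorShift128(): returns [state0, state1].
function xorshift128(state0, state1) {
  let s1 = state0;
  const s0 = state1;
  s1 = xor(s1, shl(s1, 23));
  s1 = xor(s1, shr(s1, 17));
  s1 = xor(s1, s0);
  s1 = xor(s1, shr(s0, 26));
  return [s0, s1];
}

// Math.random() as V8 computes it: the top 52 bits of the new state0 become the
// mantissa of a double in [1, 2), and 1 is subtracted.
function* v8MathRandom(seed0, seed1) {
  let s0 = toWord(seed0);
  let s1 = toWord(seed1);
  for (;;) {
    [s0, s1] = xorshift128(s0, s1);
    yield Number(fromWord(s0) >> 12n) / 2 ** 52;
  }
}

// Solve GF(2) equations given as [mask, value] rows, where mask marks the
// unknowns that XOR together to give value. Returns the solution as a BigInt
// with bit i = unknown i, or null while the system is still underdetermined.
function solveGF2(rows, nUnknowns) {
  const pivots = new Map(); // pivot bit -> [mask, value], kept fully reduced
  for (const [m0, v0] of rows) {
    let mask = m0, val = v0;
    for (const [p, [pm, pv]] of pivots) if ((mask >> p) & 1n) { mask ^= pm; val ^= pv; }
    if (mask === 0n) { if (val !== 0n) throw new Error("inconsistent observations"); continue; }
    const p = BigInt(mask.toString(2).length - 1); // highest set bit becomes the pivot
    for (const row of pivots.values()) if ((row[0] >> p) & 1n) { row[0] ^= mask; row[1] ^= val; }
    pivots.set(p, [mask, val]);
  }
  if (pivots.size < nUnknowns) return null;
  let solution = 0n;
  for (const [p, [, v]] of pivots) solution |= v << p;
  return solution;
}

// Recover [state0, state1] as they were just before the first observed output.
// Unknown bit i (0..63) is state0 bit i; unknown 64+i is state1 bit i.
function recoverState(outputs) {
  let s0 = Array.from({ length: W }, (_, i) => 1n << BigInt(i));
  let s1 = Array.from({ length: W }, (_, i) => 1n << BigInt(W + i));
  const rows = [];
  for (const out of outputs) {
    [s0, s1] = xorshift128(s0, s1);
    const mantissa = BigInt(Math.round(out * 2 ** 52)); // exact: out = mantissa / 2^52
    for (let i = 12; i < W; i++) rows.push([s0[i], (mantissa >> BigInt(i - 12)) & 1n]);
  }
  const solution = solveGF2(rows, 2 * W);
  return solution === null ? null : [solution & MASK64, solution >> 64n];
}

// Given observed outputs, replay the generator and return the next `count` values.
function predictNext(outputs, count) {
  const state = recoverState(outputs);
  if (state === null) return null; // fewer than four outputs leave the state ambiguous
  const gen = v8MathRandom(state[0], state[1]);
  for (let i = 0; i < outputs.length; i++) gen.next();
  return Array.from({ length: count }, () => gen.next().value);
}

// Demo with a constructed, arbitrary seed (assumption: any non-zero 128-bit state).
const demo = v8MathRandom(0x0123456789abcdefn, 0xfedcba9876543210n);
const demoOutputs = Array.from({ length: 8 }, () => demo.next().value);
console.log("observed :", demoOutputs.slice(0, 5));
console.log("predicted:", predictNext(demoOutputs.slice(0, 5), 3));
console.log("actual   :", demoOutputs.slice(5));
```

The point to take from it is the size of the attacker's budget: a few dozen lines and a handful of values, with no special access. The same generator in a lottery picker or a session-token routine is broken the moment its output is visible.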
Real-World Cases Where This Matters
- Online poker: card sites have been exploited because their shuffle used a predictable, non-cryptographic PRNG, the same class of generator as Math.random. Players reverse-engineered it and predicted future deals.
- Password generators: A password generator using Math.random produces passwords an attacker can predict given a few sample outputs.
- Session tokens: If a web app generates session tokens with Math.random, an attacker can predict valid tokens for other users.
- Lottery/giveaway tools: A "random winner picker" using Math.random can theoretically be exploited by anyone who watches enough public picks.
- Cryptographic key generation: Catastrophic — anyone using Math.random for key generation has produced trivially breakable keys.
For all of these, use crypto.getRandomValues. Always.
When Math.random Is Fine
Use Math.random when:
- You are picking a movie, restaurant, song, or any low-stakes choice
- You are generating sample data for a tutorial or demo
- You are running a Monte Carlo simulation
- You are generating a game world or simulation and do not need to reproduce the same run later (Math.random cannot be seeded, so reproducible runs call for a seedable PRNG instead)
- Performance matters and you need millions of values per second
For everything else, use crypto.getRandomValues. The performance difference is microseconds per call, invisible to humans. Two caveats once you switch: a single call is capped at 65,536 bytes (larger requests throw a QuotaExceededError), and mapping the raw output onto a range with a plain modulo still skews the results unless you reject the out-of-range draws.
How to Tell Which a Tool Uses
Most "random number generator" sites do not say which they use. The honest test: open the page in your browser, view the page source (right-click → View Page Source), and search for "Math.random" or "crypto.getRandomValues."
If you see Math.random, the tool is pseudo-random. If you see crypto.getRandomValues, it is cryptographically secure. our random number generator uses the secure source — you can verify by viewing the source.
Some tools call themselves "secure" or "true random" while using Math.random. The check is the source code, not the marketing copy. Two things can fool the search: minified bundles that reach Math.random through an alias, and a library elsewhere in the bundle that calls crypto.getRandomValues for something unrelated (UUIDs, for instance) while the picker itself still uses Math.random. Follow the code that actually produces the number you are shown.
Generate Random Numbers Now
Set your range, pick how many, optionally avoid duplicates. Cryptographically secure, runs in your browser, nothing logged.
Frequently Asked Questions
Is Math.random good enough for lottery picks?
No. Use a cryptographically secure source for anything where the result has value or could be exploited if predicted.
Is window.crypto.getRandomValues truly random?
It is cryptographically secure pseudo-random: seeded from operating-system entropy and, for every practical purpose including cryptographic key generation, indistinguishable from true randomness by any feasible computation.
How can I check if a website uses crypto random?
View the page source and search for "crypto.getRandomValues" or "Math.random". The first is secure; the second is not.

