Random Generators in JavaScript
Building secure random generators in JavaScript — crypto.getRandomValues, Math.random, and seed-based.
Tags: random generators JavaScript, crypto.getRandomValues JS, secure random JavaScript
JavaScript has two random number systems: Math.random() (the familiar one) and crypto.getRandomValues() (the correct one for security). They are not interchangeable. Choosing the wrong one for security-sensitive code is the kind of subtle bug that doesn't show up in tests and only matters when an attacker is involved.
Math.random(): What It Is and Isn't
Math.random() returns a pseudo-random floating-point number in [0, 1). It is:
- Fast — typically 1–5 nanoseconds per call
- Deterministic — seeded from OS entropy at startup, but the algorithm is fixed
- Not cryptographically secure — internal state can be recovered from observed outputs
- Not seedable from JavaScript — the seed is set by the runtime
The V8 engine (Chrome, Node.js) uses…
Frequently Asked Questions
How do I generate a secure random number in JavaScript?
Use crypto.getRandomValues(): const buf = new Uint32Array(1); crypto.getRandomValues(buf); const n = buf[0]; — this gives a uniform integer in [0, 2^32). To get a float in [0, 1): n / 0x100000000. The crypto.getRandomValues API is available in all modern browsers and Node.js 15+.
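Reducing that 32-bit value to a smaller range with a plain % skews the result unless the range divides 2^32 evenly. The following added example (not code from the original article) shows rejection sampling for a bounded integer and uses it to build a token; the names secureRandomInt, secureToken, tokenEntropyBits and URL_SAFE are assumptions made for illustration.

```javascript
// Added example; helper names are illustrative and not from the article.
// Prefer the Web Crypto global; fall back to Node's built-in module where
// the global is not exposed.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const TWO_32 = 0x100000000;

// Uniform integer in [0, maxExclusive) with no modulo bias.
// `source` is injectable so the rejection path can be tested deterministically.
function secureRandomInt(maxExclusive, source = webCrypto) {
  if (!Number.isInteger(maxExclusive) || maxExclusive < 1 || maxExclusive > TWO_32) {
    throw new RangeError('maxExclusive must be an integer in [1, 2^32]');
  }
  // Largest multiple of maxExclusive that fits in 2^32. Draws at or above it
  // would make the low residues slightly more likely, so they are redrawn.
  const limit = TWO_32 - (TWO_32 % maxExclusive);
  const buf = new Uint32Array(1);
  do {
    source.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % maxExclusive;
}

// URL-safe alphabet (64 symbols, 6 bits of entropy per character).
const URL_SAFE = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Token of `length` characters, each drawn uniformly from `alphabet`.
function secureToken(length, alphabet = URL_SAFE, source = webCrypto) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  if (new Set(alphabet).size !== alphabet.length) {
    throw new RangeError('alphabet must not contain repeated characters');
  }
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[secureRandomInt(alphabet.length, source)];
  }
  return out;
}

// Entropy in bits of a token built this way, for sizing it.
function tokenEntropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}
```

With the default alphabet, a 22-character token carries 132 bits of entropy.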
What is crypto.getRandomValues?
crypto.getRandomValues() is a browser and Node.js Web Crypto API method that fills a typed array with cryptographically secure random bytes sourced from the OS entropy pool (/dev/urandom on Linux, CryptGenRandom on Windows). It is the correct source for any random values that need to be unpredictable to an adversary.
When should I use Math.random vs crypto?
Use Math.random() for: simulations, games, generative art, shuffle order in non-security contexts, random UI colors, and any case where speed matters and predictability is not a risk. Use crypto.getRandomValues() for: tokens, session IDs, passwords, cryptographic keys, CSRF tokens, and any value that would cause security harm if guessed.
How do I generate a random UUID in JavaScript?
In modern environments, use crypto.randomUUID() — it returns a standard v4 UUID string directly. Example: const id = crypto.randomUUID(); // '110e8400-e29b-41d4-a716-446655440000'. For older environments, construct manually: const bytes = crypto.getRandomValues(new Uint8Array(16)); bytes[6] = (bytes[6] & 0x0f) | 0x40; bytes[8] = (bytes[8] & 0x3f) | 0x80; — then format as UUID.
How do I build a seeded random number generator?
Use a deterministic algorithm like xorshift32 or a linear congruential generator (LCG). Initialize with your seed value, then call next() for each random number. This is not cryptographically secure — use only for reproducible tests or simulations. Example (a zero seed is replaced with 1 because xorshift32 never leaves the all-zero state, and the right shift is the unsigned >>> so the sign bit is not smeared into the state): class SeededRng { constructor(s) { this.s = (s >>> 0) || 1; } next() { this.s ^= this.s << 13; this.s ^= this.s >>> 17; this.s ^= this.s << 5; return (this.s >>> 0) / 0x100000000; } }