Random Number Generator: Cryptographically Secure Methods
Not all random numbers are created equal. Learn the difference between pseudo-random and cryptographically secure random numbers.
Random numbers power everything from lottery systems and gaming to encryption and security tokens. But not all "random" numbers are truly random — many are predictable if you know the algorithm. Understanding the difference between pseudo-random and cryptographically secure random numbers is critical for security-sensitive applications.
This guide explains types of randomness, when to use each, and how to generate truly secure random numbers using ToolMix's free random number generator powered by the Web Crypto API.
True Random vs Pseudo-Random Numbers
There are two main types of random number generation, plus a security-grade variant of the second:
- True Random (TRNG) — Uses physical processes (radioactive decay, electrical noise) to generate unpredictable numbers
- Pseudo-Random (PRNG) — Uses algorithms that produce sequences that appear random but are deterministic
- Cryptographically Secure (CSPRNG) — Pseudo-random but unpredictable enough for security purposes
When to Use Cryptographically Secure Random Numbers
- Security tokens — Session IDs, CSRF tokens, API keys
- Encryption — Generating encryption keys and initialization vectors
- Passwords — Creating secure random passwords
- Gambling — Fair casino games, lottery numbers
- Authentication — One-time passwords (OTP), 2FA codes
- Security testing — Generating test data for security scenarios
When Pseudo-Random Is Sufficient
- Simulations — Monte Carlo simulations, scientific modeling
- Gaming (non-gambling) — Video game enemy spawns, loot drops
- Test data generation — Creating sample datasets
- Visual effects — Particle systems, procedural generation
- Load balancing — Random server selection
How to Generate Secure Random Numbers
```javascript
// JavaScript - Cryptographically secure
const array = new Uint32Array(10);
crypto.getRandomValues(array);
console.log(array); // e.g. [2891336453, 1535304856, ...]
```

```python
# Python - Cryptographically secure
import secrets
random_number = secrets.randbelow(100)  # Random number 0-99
random_bytes = secrets.token_bytes(16)  # 16 random bytes
```

```php
<?php
// PHP - Cryptographically secure
$randomNumber = random_int(1, 100); // Random number 1-100
$randomBytes = random_bytes(16); // 16 random bytes
```
Common Random Number Mistakes
- Using Math.random() for security — Not cryptographically secure in JavaScript
- Small random pools — Insufficient entropy makes numbers predictable
- Reusing seeds — Same seed produces same sequence
- Biased modulo operations — number % n creates bias for large ranges
- Not checking for duplicates — Random doesn't mean unique
Generating Random Numbers in Different Ranges
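```javascript
// JavaScript - Random integer between min and max (inclusive)
function getRandomInt(min, max) {
  const range = max - min + 1; // must be between 1 and 2**32
  // Largest multiple of range that fits in 32 bits. Values at or above it
  // are rejected so the modulo below does not favour small results.
  const limit = 2 ** 32 - (2 ** 32 % range);
  const array = new Uint32Array(1);
  do {
    crypto.getRandomValues(array);
  } while (array[0] >= limit);
  return min + (array[0] % range);
}
```

```python
# Python - Random integer between low and high (inclusive)
import secrets

def get_random_int(low, high):
    return secrets.randbelow(high - low + 1) + low
```

```javascript
// JavaScript - Floating point in [0, 1) with 32 bits of resolution
function getRandomFloat() {
  const array = new Uint32Array(1);
  crypto.getRandomValues(array);
  return array[0] / (0xFFFFFFFF + 1);
}
```
Testing Randomness Quality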
Good random number generators should pass statistical tests:
- Frequency test — Each number appears with equal probability
- Runs test — Sequences of increasing/decreasing numbers are random
- Chi-squared test — Distribution matches expected patterns
- Correlation test — Numbers don't correlate with previous numbers
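The modulo bias listed under Common Random Number Mistakes can be measured with the chi-squared frequency test named above. The following is an added example, not code from the original page: it draws numbers 0-99 from a single random byte so the skew is large enough to see, and the function names and the one-byte source are assumptions made for illustration.

```javascript
// Added example: chi-squared frequency test exposing modulo bias.
// Assumption: a one-byte source (256 values) keeps the bias easy to observe.
// Falls back to Node's webcrypto where the global `crypto` is absent.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// One cryptographically secure byte from the Web Crypto API.
function cryptoByte() {
  return webCrypto.getRandomValues(new Uint8Array(1))[0];
}

// Biased: 256 is not a multiple of n, so low results occur more often.
function biasedInt(n, nextByte) {
  return nextByte() % n;
}

// Unbiased: reject bytes at or above the largest multiple of n (n <= 256).
function unbiasedInt(n, nextByte) {
  const limit = 256 - (256 % n);
  let b;
  do { b = nextByte(); } while (b >= limit);
  return b % n;
}

// Count how often each of the n outcomes appears in `samples` draws.
function histogram(draw, n, samples, nextByte) {
  const counts = new Array(n).fill(0);
  for (let k = 0; k < samples; k++) counts[draw(n, nextByte)]++;
  return counts;
}

// Pearson chi-squared statistic against a uniform expectation.
// For a fair generator it stays close to counts.length - 1.
function chiSquared(counts) {
  const total = counts.reduce((a, b) => a + b, 0);
  const expected = total / counts.length;
  return counts.reduce((sum, c) => sum + (c - expected) ** 2 / expected, 0);
}

const N = 100, SAMPLES = 100000;
const modChi = chiSquared(histogram(biasedInt, N, SAMPLES, cryptoByte));
const rejChi = chiSquared(histogram(unbiasedInt, N, SAMPLES, cryptoByte));
console.log('modulo    chi2 =', modChi.toFixed(1));
console.log('rejection chi2 =', rejChi.toFixed(1));
```

With 100 outcomes there are 99 degrees of freedom, so the rejection-sampling statistic lands near 99 while the modulo statistic is far larger, even though both consume the same secure byte source.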
Best Practices
- Use crypto libraries — Never implement your own random number generator
- For security, use CSPRNG — Always use cryptographically secure methods for tokens, keys, etc.
- Gather sufficient entropy — Ensure your system has enough randomness
- Avoid predictable seeds — Don't seed with time() or process IDs
- Test your implementation — Verify random numbers are distributed correctly