Computers Cannot Be Random
A computer executes instructions deterministically — the same input always produces the same output. This is a fundamental property of how processors work. So when you ask a computer for a random number, it faces a philosophical problem: how can a deterministic machine produce something unpredictable?
The answer is that it usually does not produce true randomness. Instead, it uses algorithms that produce sequences of numbers that appear random — they pass statistical tests for randomness, have no discernible pattern, and are uniformly distributed. These are called pseudorandom number generators (PRNGs).
Pseudorandom Number Generators (PRNGs)
A PRNG starts with a seed value — an initial number. It then applies a mathematical formula to produce the next number, uses that number to produce the following one, and so on. The sequence is entirely determined by the seed: the same seed always produces the same sequence.
The art of PRNG design is creating formulas where the output sequence has good statistical properties: uniform distribution, long period before repeating, and no correlation between consecutive values.
Common PRNGs include the Mersenne Twister (used by many programming languages as the default), xorshift variants, and linear congruential generators.
The critical point: PRNGs are deterministic. If an attacker knows the algorithm and the seed, they can predict every "random" number the generator will produce. For games, simulations, and statistics, this is fine. For security applications, it is not.
Cryptographically Secure PRNGs (CSPRNGs)
When randomness matters for security — generating encryption keys, authentication tokens, session IDs, or passwords — you need a CSPRNG. These generators are designed so that even if an attacker sees previous outputs, they cannot predict future outputs.
CSPRNGs typically use entropy from the physical environment as seed material: timing of hardware interrupts, mouse movements, keyboard input timing, disk seek times, and thermal noise from hardware components. This entropy is continuously mixed into the generator's state.
In browsers, the Web Crypto API (crypto.getRandomValues()) provides access to the operating system's CSPRNG. This is what security-sensitive applications should use — never Math.random().
Math.random() Is Not Random Enough
JavaScript's Math.random() is a standard PRNG. It is fast, produces decent statistical distribution, and is perfectly fine for:
- Shuffling a playlist
- Choosing a random color
- Placing elements randomly in a game
- Statistical simulations
It is NOT suitable for:
- Generating passwords
- Creating session tokens
- Producing UUIDs
- Any security-sensitive application
The output of Math.random() is predictable if the internal state is known. In some browser engines, the implementation uses algorithms where the state can be recovered from a small number of observed outputs.
True Random Number Generators (TRNGs)
True randomness comes from physical processes: radioactive decay, atmospheric noise, thermal noise in electronic circuits, or photon behavior. Hardware random number generators measure these physical phenomena and convert them into random bits.
Most modern CPUs include hardware random number generators (Intel's RDRAND instruction, for example). Operating systems use these, combined with other entropy sources, to seed their CSPRNGs.
For most applications, a well-seeded CSPRNG is indistinguishable from true randomness. TRNGs matter primarily in cryptographic key generation for extremely high-security applications.
How to Use the Toobits Random Number Generator
Set your minimum and maximum values and generate random numbers instantly. The generator uses the Web Crypto API (crypto.getRandomValues()) for cryptographically secure randomness — suitable for any application. Generate single numbers or lists of multiple random values. Everything runs in your browser with no data sent to any server.