Why you should not use Math.random()

What’s the risk?

Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:

Are you at risk?

Ask Yourself Whether

  • the function you use generates a value which can be predicted (pseudo-random).
  • the generated value is used multiple times.
  • an attacker can access the generated value.

Cryptographically strong generation method

(function () {
  // One byte (0-255) filled by the browser's cryptographically strong generator
  var buf = new Uint8Array(1);
  window.crypto.getRandomValues(buf);
  alert(buf[0]);
})();
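
The snippet above reads a single byte. As an added example (not from the original article; the names secureToken and secureRandomInt are hypothetical), the same API can produce a hex token and an unbiased integer in a range, which goes beyond the one-byte case:

```javascript
// Added example, not code from the original article. Function names are hypothetical.
// Web Crypto is global in browsers and recent Node.js; fall back to node:crypto otherwise.
const webCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Hex token built from nBytes of CSPRNG output (e.g. a CSRF token or reset link id).
function secureToken(nBytes = 16) {
  const buf = new Uint8Array(nBytes);
  webCrypto.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Uniform integer in [min, max] using rejection sampling.
// A plain `value % range` favours low results whenever 2^32 is not a multiple of range.
function secureRandomInt(min, max) {
  if (!Number.isInteger(min) || !Number.isInteger(max) || max < min) {
    throw new RangeError('min and max must be integers with min <= max');
  }
  const range = max - min + 1;
  if (range > 0x100000000) {
    throw new RangeError('range must fit in 32 bits');
  }
  // Largest multiple of range that fits in 32 bits; draws at or above it are discarded.
  const limit = Math.floor(0x100000000 / range) * range;
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return min + (buf[0] % range);
}
```

Replacing Math.floor(Math.random() * n) with secureRandomInt(0, n - 1) keeps the same range while removing the predictable generator.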

Summary

  • You can use Math.random() when a predictable value does not compromise the app.
  • It’s difficult for a web page to detect whether Math.random() is
    actually cryptographically strong or whether it’s a weak RNG.
  • Use strong generation methods such as Crypto.getRandomValues() when required.
