Secure Random Number Generation: When Math.random() Isn't Enough
Math.random() is fine for shuffling a playlist but dangerous for passwords, tokens, and cryptographic applications. Learn when and how to use cryptographically secure random generators.
๊ฐ์ง ๋ฐ์ดํฐ ์์ฑ๊ธฐ
ํ ์คํธ์ฉ ๊ฐ์ง ๋ฐ์ดํฐ ์์ฑ
The Problem with Math.random()
JavaScript's Math.random() and similar standard library random functions use pseudorandom number generators (PRNGs). Given the seed, the entire sequence is predictable. This is fine for games, simulations, and UI effects, but disastrous for security-sensitive applications.
When You Need CSPRNG
Use a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) for: password generation, session tokens, API keys, encryption keys, CSRF tokens, one-time passwords, and any value an attacker could benefit from predicting.
Platform-Specific APIs
In browsers, use crypto.getRandomValues() which draws from the operating system's entropy pool. In Node.js, use crypto.randomBytes() or crypto.randomUUID(). In Python, use secrets.token_hex(), secrets.token_urlsafe(), or secrets.choice(). Never implement your own random number generator for security purposes.
Common Mistakes
Using Math.random() for token generation โ an attacker can predict subsequent tokens after observing enough output. Seeding a PRNG with a predictable value (timestamp, PID) โ the attacker can reproduce the seed. Reducing entropy by truncating random output โ a 128-bit random value truncated to 32 bits has only 32 bits of security. Using modulo to restrict range โ random % n introduces bias when n doesn't divide evenly into the PRNG's output range.
Entropy Sources
Operating systems gather entropy from hardware events: disk I/O timing, network packet timing, mouse movements, keyboard input. /dev/urandom (Linux) and CryptGenRandom (Windows) maintain entropy pools that CSPRNG functions draw from. On headless servers with minimal I/O, consider hardware random number generators (Intel RDRAND, ARM RNDR) for additional entropy.
๊ด๋ จ ๋๊ตฌ
๊ด๋ จ ํฌ๋งท
๊ด๋ จ ๊ฐ์ด๋
How to Generate Strong Random Passwords
Password generation requires cryptographic randomness and careful character selection. This guide covers the principles behind strong password generation, entropy calculation, and common generation mistakes to avoid.
UUID vs ULID vs Snowflake ID: Choosing an ID Format
Choosing the right unique identifier format affects database performance, sorting behavior, and system architecture. This comparison covers UUID, ULID, Snowflake ID, and NanoID for different application requirements.
Lorem Ipsum Alternatives: Realistic Placeholder Content
Lorem Ipsum has been the standard placeholder text since the 1500s, but realistic placeholder content produces better design feedback. This guide covers alternatives and best practices for prototype content.
How to Generate Color Palettes Programmatically
Algorithmic color palette generation creates harmonious color schemes from a single base color. Learn the math behind complementary, analogous, and triadic palettes and how to implement them in code.
Troubleshooting Random Number Generation Issues
Incorrect random number generation causes security vulnerabilities, biased results, and non-reproducible tests. This guide covers common RNG pitfalls and how to verify your random numbers are truly random.