
In everyday language, "random" means unpredictable. In mathematics and computing, randomness has a precise meaning: a sequence is random if knowing all previous values gives no advantage in predicting the next one. Achieving true randomness in a deterministic machine is fundamentally difficult — computers follow exact instructions, which is the opposite of unpredictability. The solutions to this problem fall into two broad categories: pseudorandom number generators (PRNGs) and true random number generators (TRNGs).
A PRNG is a deterministic algorithm that produces a sequence of numbers that appears random but is entirely determined by an initial value called the seed. Given the same seed, a PRNG always produces the same sequence. This might sound like a flaw, but it is actually a useful property in many contexts.
The most widely used modern PRNG is the Mersenne Twister, which has a period of 2^19937 − 1 (meaning it produces that many values before repeating). It passes almost all statistical randomness tests. Most general-purpose random functions in programming languages — Python's random module, Java's java.util.Random, JavaScript's Math.random() — use a PRNG under the hood.
The critical limitation: general-purpose PRNGs such as the Mersenne Twister are not cryptographically secure. If an attacker can observe a sufficient number of outputs, they can reconstruct the internal state and predict all future outputs. For anything security-sensitive, these PRNGs must not be used.
A cryptographically secure pseudorandom number generator (CSPRNG) is a PRNG designed so that predicting its output is computationally infeasible, even with knowledge of previous outputs. It achieves this through cryptographic one-way functions and is seeded from a source of genuine entropy. Operating systems provide CSPRNGs through interfaces like /dev/urandom on Linux/macOS and CryptGenRandom on Windows.
In application code:
Python: secrets module (use this, not random, for passwords and tokens)
Node.js: crypto.randomBytes() and crypto.randomUUID()
Browser: window.crypto.getRandomValues()
Java: java.security.SecureRandom
Always use the cryptographic random API for security-sensitive operations: generating passwords, tokens, session IDs, API keys, cryptographic keys, and nonces.
TRNGs derive randomness from physical processes that are genuinely unpredictable: thermal noise in electronic components, radioactive decay, atmospheric noise, or photon arrival times. Hardware security modules (HSMs) used in banking and certificate authorities include TRNGs. Services like random.org generate random numbers from atmospheric noise and are often used as verifiably fair random sources for lotteries and contests.
Operating system CSPRNGs typically seed themselves from hardware entropy sources (keyboard timings, disk I/O, hardware RNG chips like Intel's RDRAND) and then use a CSPRNG algorithm to expand that entropy into a stream. This hybrid approach gives the unpredictability of hardware entropy with the speed of software generation.
Math.random() or equivalent for these.
When reproducibility matters — recreating a specific test scenario, sharing a generated result, debugging a simulation — you can seed a PRNG with a fixed value and always get the same output. Many games use a seed for world generation, allowing players to share seeds for interesting maps. Machine learning researchers often seed random libraries at the start of an experiment to ensure reproducible results across runs.
The quality of your seed also matters. A PRNG seeded with the current timestamp in milliseconds is predictable if an attacker knows approximately when your application started. For non-security purposes, a timestamp seed is usually fine; for anything where the output must be unguessable, use a CSPRNG to generate the seed.