Random number generation in JavaScript

tomo — Fri, 04 Mar 2016 16:35:00 +0000

March 4, 2016

Generating a random number in JavaScript is simple if you don't care about quality, more complicated if you do. When I say "in JavaScript" I mean both of the JavaScript runtimes - the browsers with their DOM/window, and Node.js without those things - and without all the modern browser APIs.

The default, old-fashioned way to get a random number in JavaScript is by using Math.random(). However, the numbers produced from Math.random() are not secure for crypto applications as they are known to contain predictable patterns. The reason for this non-randomness isn't simply

What is a pseudo-random number generator (PRNG) and why do they matter?

tomo — Mon, 11 Jan 2016 07:50:27 +0000

January 11, 2016

crypto random prng security

Recently, a problem was discovered in the pseudo-random number generator which Google Chrome and Node.js's V8 JavaScript engine uses and depends on. The problem was that a pattern was discovered in the series of numbers which the RNG algorithm produced, meaning you could guess the "random" outcome at a probability higher than chance, giving you an advantage - whether the application is breaking encryption or passwords or beating games of chance.

Edward Snowden, who had worked for the CIA, warned of problems or backdoors in hardware random number generators which many computers...