A deterministic machine cannot produce true randomness. A computer follows instructions — same inputs, same outputs. So all computer "random" numbers are actually pseudo-random.
PRNG vs CSPRNG
PRNG (e.g., Math.random()): Uses a seed + algorithm. Fast, but fully deterministic — if you know the seed, you can predict every output.
CSPRNG (e.g., crypto.getRandomValues()): Seeded from hardware entropy sources such as electrical noise and timing jitter. Even knowing the algorithm, predicting output requires knowing the hardware state at seed time, which is practically impossible.
Why This Matters for Passwords
If a password manager used Math.random() and an attacker identified the seed pattern (possible via timing attacks), they could enumerate all possible "random" passwords. A password that appears to be 16 random characters might have only thousands of actual possibilities.
With crypto.getRandomValues(), a 16-character password drawn from 95 characters has 95¹⁶ ≈ 4.4 × 10³¹ possible values, and no shortcut exists.
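An added example (not the site's own generator code) showing both behaviours described above: a seeded PRNG reproduces the same password from the same seed, while crypto.getRandomValues() draws each character from fresh CSPRNG output. It goes slightly beyond the text by using rejection sampling to avoid modulo bias; mulberry32, CHARSET and the function names are assumptions chosen for illustration.

```javascript
// Added example; every name below is illustrative, not the site's code.
// Browsers expose globalThis.crypto; the fallback covers older Node.js.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// The 95 printable ASCII characters (0x20 through 0x7E).
const CHARSET = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i)).join('');

// mulberry32: a small seeded PRNG standing in for any non-cryptographic generator.
function mulberry32(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Weak: the password is a pure function of the seed, so there can never be
// more distinct passwords than there are distinct seeds.
function passwordFromPrng(seed, length = 16) {
  const next = mulberry32(seed);
  let out = '';
  for (let i = 0; i < length; i++) out += CHARSET[Math.floor(next() * CHARSET.length)];
  return out;
}

// Strong: every character comes from fresh CSPRNG bytes. Bytes >= 190 (the
// largest multiple of 95 below 256) are rejected so that b % 95 stays uniform
// instead of favouring the first 66 characters.
function passwordFromCsprng(length = 16) {
  const limit = 256 - (256 % CHARSET.length); // 190
  const buf = new Uint8Array(length * 2);
  let out = '';
  while (out.length < length) {
    webCrypto.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out += CHARSET[b % CHARSET.length];
    }
  }
  return out;
}

// Upper bound on the search space in bits: 16 chars of 95 vs. a 32-bit seed.
const bitsForCharset = (n, length) => length * Math.log2(n);
console.log(passwordFromPrng(2024) === passwordFromPrng(2024)); // same seed, same password
console.log(bitsForCharset(95, 16).toFixed(1), 'bits vs 32 bits of seed');
```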
When to Use Each
| Application | Type needed |
|---|---|
| Password generation | CSPRNG (security-critical) |
| Game dice rolls | PRNG (fine) |
| Statistical simulation | PRNG (speed matters) |
| Lottery systems | True hardware random |
Our Password Generator and Random Number Generator both use crypto.getRandomValues() exclusively.